Saturday, December 1, 2007

User Assist Data in the RAM Dump

Lately some good information has been posted on the web regarding the importance of the USER ASSIST.

Especially by Didier Stevens and Harlan Carvey.

Recently and completely by coincidence I found some USER ASSIST Remnants in the RAM Dumps I was analyzing. The information was obfuscated by ROT-13 but I found quite a bit of useful information. For more ROT-13 Fun (and a Microsoft Easter Egg) check out the shdoclc.dll from your system32 folder.

I used the good old dfrws2005-physical-memory1.dmp for this demonstration, but all the RAM Dumps (Vista, XPSP2, XPSP1 and WinServer2003) I reviewed appear to have similarities.

I started with a simple search of HRZR_EHACNGU (which is “UEME_RUNPATH”).

It returned 35 hits. The following is a partial sample of the search hits:

HRZR_EHACNGU:P:\Cebtenz Svyrf\CbjreCnary\Cebtenz\PpsZte.rkre

HRZR_EHACNGU:P:\Cebtenz Svyrf\FBAL\Fbal Abgrobbx Frghc\FAFrghc.rkrv

HRZR_EHACNGU:P:\Cebtenz Svyrf\Fhccbeg.pbz\Pyvrag\ova\gtpzq.rkr

HRZR_EHACNGU:P:\Cebtenz Svyrf\Fbal\Wbt Qvny Hgvyvgl\WbtFrei2.rkr

Decrypted using ROT13:

UEME_RUNPATH:C:\Program Files\PowerPanel\Program\PcfMgr.exer

UEME_RUNPATH:C:\Program Files\SONY\Sony Notebook Setup\SNSetup.exei

UEME_RUNPATH:C:\Program Files\Support.com\Client\bin\tgcmd.exe

UEME_RUNPATH:C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe


Another search, for .yax (“.lnk”), also proves useful:

HRZR_EHACVQY:%pfvqy2%\Fbal Abgrobbx Frghc\Fbal Abgrobbx Frghc.yax

HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nyy Hfref\Fgneg Zrah\I N V B\INVB Fhccbeg Ntrag.yax

HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Flfgrz Gbbyf\Punenpgre Znc.yax

HRZR_EHACVQY:%pfvqy2%\Argfpncr Pbzzhavpngbe\Hgvyvgvrf\Thrfg.yax


UEME_RUNPIDL:%csidl2%\Sony Notebook Setup\Sony Notebook Setup.lnk

UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\V A I O\VAIO Support Agent.lnk

UEME_RUNPIDL:%csidl2%\Accessories\System Tools\Character Map.lnk

UEME_RUNPIDL:%csidl2%\Netscape Communicator\Utilities\Guest.lnk

You get the idea!

Now the follow-up is to try and find the same date/time stamps or counter information that is in the USER ASSIST keys.
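The same search done in code, as an added Python example (not from the original post): it scans a memory image for the ROT-13 forms of the UEME_RUNPATH and UEME_RUNPIDL prefixes and decodes each hit, and it goes beyond the post's ASCII search by also matching UTF-16LE copies, which is how the registry itself stores value names. The sample image is constructed inline; the function and constant names are chosen here.

```python
import codecs
import re

# ROT-13 is its own inverse, so one helper both encodes and decodes.
def rot13(text: str) -> str:
    return codecs.encode(text, "rot_13")

# Value-name prefixes the post searched for, in their ROT-13 form:
# UEME_RUNPATH -> HRZR_EHACNGU, UEME_RUNPIDL -> HRZR_EHACVQY
PREFIXES = [rot13(p) for p in ("UEME_RUNPATH", "UEME_RUNPIDL")]

def _alternation(encoding: str) -> bytes:
    return b"|".join(re.escape(p.encode(encoding)) for p in PREFIXES)

# A printable-ASCII run after "PREFIX:"; 300 is just a generous cap on path length.
ASCII_RE = re.compile(b"(?:" + _alternation("ascii") + rb"):[\x20-\x7e]{1,300}")
# Same thing for UTF-16LE (each printable character followed by a NUL byte).
WIDE_RE = re.compile(b"(?:" + _alternation("utf-16-le")
                     + rb"):\x00(?:[\x20-\x7e]\x00){1,300}")

def find_userassist_remnants(image: bytes) -> list:
    """Return every hit as {offset, encoding, encoded, decoded}, sorted by offset."""
    hits = []
    for label, pattern, codec in (("ascii", ASCII_RE, "ascii"),
                                  ("utf-16le", WIDE_RE, "utf-16-le")):
        for m in pattern.finditer(image):
            encoded = m.group(0).decode(codec)
            hits.append({"offset": m.start(), "encoding": label,
                         "encoded": encoded, "decoded": rot13(encoded)})
    hits.sort(key=lambda h: h["offset"])
    return hits

# Constructed sample "memory image" (not a real dump): filler bytes around two
# remnants, one stored as ASCII and one as UTF-16LE.
ASCII_HIT = b"HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Fbal\\Wbt Qvny Hgvyvgl\\WbtFrei2.rkr"
WIDE_HIT = ("HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Flfgrz Gbbyf\\Punenpgre Znc.yax"
            .encode("utf-16-le"))
SAMPLE_IMAGE = (b"\x00" * 64 + b"\x12\x34MZ\x90" + ASCII_HIT + b"\x00\x00"
                + b"\xff" * 32 + WIDE_HIT + b"\x00\x00" + b"\x00" * 64)

if __name__ == "__main__":
    import sys
    # Pass a dump file path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for h in find_userassist_remnants(data):
        print(f"0x{h['offset']:08x}  {h['encoding']:8s}  {h['decoded']}")
```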

Thursday, November 22, 2007

RAM Enscript

What will this ENSCRIPT find in a RAM Dump File?

1. Running and Exited Process Information
2. Operating System Information
3. USER ASSIST Remnants

See output: OS Version, Processes, User Assist.


When I originally started I wanted to be able to search a RAM Dump file and find some of the important stuff like the EPROCESS headers. I then wanted the OS information from the dump files, and I also wanted to use just one tool.

So this Enscript was redesigned from the guts of the Encase Example “File Finder Enscript”. Basically I took out most of what I didn’t need and added some complex magic numbers and specific decoding for the hits. Please see the CAUTIONS prior to copying and using this Enscript.

I could not have made this Enscript without the prior work and help of Andreas Schuster and Harlan Carvey.

To effectively run the Enscript follow these steps:

1. Run the Enscript and check the box “OS Version” with the Bookmark Folder Name of “OS Version”.
2. To find the processes, check the OS Version found in step #1 and re-run the Enscript choosing the correct OS (for example “Vista Processes” to find Vista processes) and put the results in the “Processes” Bookmark Folder.
3. For USER Assist remnants, run the Enscript a third time checking “User Assist” and bookmark to the “User Assist” Bookmark Folder.
4. Review your findings. Use the REPORT view for the “Best Look”.

You can check more than one item and the Enscript still runs properly, but all of your information will be bookmarked into the same folder.

Friday, November 2, 2007

RAM Enscript Download

Download RAM Enscript (SourceForge)



1. Enscript is in BETA and still evolving!
2. VISTA Process Search String might not collect all processes (still researching to find out what is missed; an estimate of how many are found is probably 90-95%). Solution provided AS IS.

Known Bug

1. Microsoft Windows XP 2003 Edition with SP1 (Version 5.2600) reports as XPSP2, so check your findings.

Caution - Caution - Caution - Caution

Be Careful Not to Overwrite Your Default Enscripts --- the Best Plan is to Copy Your Enscripts Prior to Using the Ram Analysis Enscript and to run this Enscript from another location (like a CD-ROM Drive).

This Script Does Not Play Well with Other Enscripts Because I have Modified Some of the Common Files... You Are Warned.

Friday, October 26, 2007


During a recent cell phone exam, I encountered an interesting dilemma. When the phone was powered on it required a SIM PIN. Making things worse there was no indication who the carrier was, and the owner of the phone was unwilling to provide the code or any information. The investigator needed information from the phone as quickly as possible.

OK, so the SIM card was locked, not the phone. Some phones, including the one in question, store a considerable amount of information within the phone’s memory, not just on the SIM card. So I decided to put another SIM card into the phone; I powered it up and had access to the handset’s data.

However, there is a catch. When you acquire the data from the phone you need to use a blank SIM (no stored data). (Note: you should be able to find a good SIM card among your test handsets.) In this case, I used a SIM from a Nextel that was a replacement (new) phone with the SIM not having been encoded. With the unlocked SIM, there’s nothing to stop you from acquiring the data within the phone.

The above screenshots show how I used a phone which was originally a T-Mobile phone, and an empty Nextel SIM card. Notice that Nextel comes up on the main screen as a function of the SIM. However, the phonebook and call histories were contained within the phone’s memory.

I also noticed the phone’s identity with its carrier is determined by the SIM. You might get lucky and find a phonebook entry for voice mail, which is often the number of the phone itself. One other possibility is an entry in the phonebook which is labeled “My Number.” Regardless, this is a simple way of bypassing the SIM lock to get at the information you need.

Submitted by Richard McKee

PTFinderFE Output

PTFinderFE Facts

Who Created PTFinder ?
Andreas Schuster

Who Created the OS Detection Script ?
Harlan Carvey

What does PTFinder Do ?
PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. Some functional checks are also applied. (According to Andreas Schuster)

What Memory Dumps are Supported ?
DD dumps, for example: dd bs=4096 if=\\.\Device\Physicalmemory of=dumpfile
By pausing a VMWARE session and using the VMSS file
In-vivo using Sysinternals' LiveKD and a debugger
Post-mortem as described in Microsoft Knowledge Base Article no. 244139

What Operating Systems Memory Dumps are Supported ?
Windows 2000, Windows XP SP1, Windows XP SP2 and Windows 2003

Why do I need other Programs to make PTFinder to Work ?
PTFinder is written in Perl, so you need Perl installed.
PTFinder creates a DOT file which can be used to create a graphic of the output.
See the DETAILED INSTRUCTIONS for more information.

Where can I get a Good Test Dump File?

Why did you Created PTFinderFE?
Well... I was placing the dump file into the PTFinder.PL path, which could have been avoided by typing in the directory location of the dump file for every dump file I wanted to examine (c:\case 05-022\Live Acq\234566-1). A DOT file was created which you have to copy into the Graphviz executable folder, then type in the command line, and then copy all your outputs to my forensic directory. On top of all that, if you used the "Program Files" directory the command lines needed quotes (""). Since I use PTFinder a lot I had to make it more user friendly for me.

What is PTFinderFE?
A Microsoft Visual Basic Program that creates a batch file to do your leg work between PTFinder, Graphviz and your working forensic folder.

Why is PTFinder so Important?
Live Acquisition is the current trend in computer forensics. A lot of forensic investigators are doing live acquisitions but had nothing to effectively examine the output. Thanks to Andreas Schuster we have one more tool in the toolbox.

Tuesday, October 23, 2007

Cell Phone Terms and Dictionary


Acquisition – A process by which digital evidence is duplicated, copied, or imaged. (NIST)

Analysis – The examination of acquired data for its significance and probative value to the case. (NIST)

Authentication Mechanism – Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device. (NIST)

Bluetooth – A wireless protocol that allows two Bluetooth enabled devices to communicate with each other within a short distance (e.g., 30 ft.). (NIST)

B.L.U.F. – Bottom Line Up Front (Q)

Chain of Custody – A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer. (NIST)

Code Division Multiple Access (CDMA) – A spread spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association (TIA). (NIST)

Compressed File – A file reduced in size through the application of a compression algorithm, commonly performed to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed. Most common compression utilities are PKZIP and WinZip with an extension of .zip. (NIST)

Cradle – A docking station, which creates an interface between a user’s PC and PDA, and enables communication and battery recharging. (NIST)

Cyclical Redundancy Check – A method to ensure data has not been altered after being sent through a communication channel. (NIST)

Deleted File – A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data. (NIST)

Digital Evidence – Electronic information stored or transmitted in binary form. (NIST)

Duplicate Digital Evidence – A duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media (e.g., flash memory, RAM, ROM). (NIST)

Enhanced Data for GSM Evolution (EDGE) – An upgrade to GPRS to provide higher data rates by joining multiple time slots. (NIST)

Enhanced Messaging Service (EMS) – An improved message system for GSM mobile phones allowing picture, sound, animation and text elements to be conveyed through one or more concatenated SMS messages. (NIST)

Electromagnetic Interference – An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment. (NIST)

Electronic Serial Number (ESN) – A unique 32-bit number programmed into CDMA phones when they are manufactured. (NIST)

Electronic Evidence – Information and data of investigative value that is stored on or transmitted by an electronic device. (NIST)

Encryption – Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data. (NIST)

Examination – A technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data. (NIST)

Federal Communications Commission Identification Number (FCC ID Number)

File Name Anomaly – A mismatch between the internal file header and its external extension; a file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphics extension). (NIST)

File System – A software mechanism that defines the way that files are named, stored, organized, and accessed on logical volumes of partitioned memory. (NIST)

Flash ROM – non-volatile memory that is writable. (NIST)

Forensic Copy – An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm. (NIST)

Forensic Specialist – Locates, identifies, collects, analyzes and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered. (NIST)

Forbidden PLMNs – A list of Public Land Mobile Networks (PLMNs) maintained on the SIM that the phone cannot automatically contact, usually because service was declined by a foreign provider. (NIST)

Global Positioning System – A system for determining position by comparing radio signals from several satellites. (NIST)

Global System for Mobile Communications (GSM) – A set of standards for second generation, cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP). (NIST)

General Packet Radio Service (GPRS) – A packet switching enhancement to GSM and TDMA wireless networks to increase data transmission speeds. (NIST)

Hardware Driver – Applications responsible for establishing communication between hardware and software programs. (NIST)

Hashing – The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. (NIST)

HyperText Transfer Protocol (HTTP) – A standard method for communication between clients and Web servers. (NIST)

IDEN – Integrated Digital Enhanced Network

Integrated Digital Enhanced Network (iDEN) – A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio. (NIST)

Integrated Circuit Card ID (ICCID) – The unique serial number assigned to, maintained within, and usually imprinted on the (U)SIM. (NIST)

Image – An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures the information is not altered. (NIST)

Instant Messaging (IM) – A facility for exchanging messages in real-time with other people over the Internet and tracking the progress of the conversation. (NIST)

International Mobile Equipment Identity (IMEI) – A unique identification number programmed into GSM and UMTS mobile phones. (NIST)

International Mobile Subscriber Identity (IMSI) – A unique number associated with every GSM mobile phone subscriber, which is maintained on a (U)SIM. (NIST)

Internet Message Access Protocol (IMAP) – A method of communication used to read electronic messages stored in a remote server. (NIST)

Location Information (LOCI) – The Location Area Identifier (LAI) of the phone’s current location, continuously maintained on the SIM when the phone is active and saved whenever the phone is turned off. (NIST)

Mobile Subscriber Integrated Services Digital Network (MSISDN) – The international telephone number assigned to a cellular subscriber. (NIST)

Multimedia Messaging Service (MMS) – An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips. (NIST)

Password Protected – The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered. (NIST)

Personal Digital Assistant (PDA) – A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, and for organizing personal information, such as a name-and-address database, a to-do list, and an appointment calendar. (NIST)

Personal Information Management (PIM) Applications – A core set of applications that provide the electronic equivalents of such items as an agenda, address book, notepad, and reminder list. (NIST)

Personal Information Management (PIM) Data – The set of data types such as contacts, calendar entries, phonebook entries, notes, memos, and reminders maintained on a device, which may be synchronized with a personal computer. (NIST)

Personal Identification Number (PIN) – A secret shared between a user and a system that can be used to authenticate the user to the system. PINs are often 4-digit numbers in the range 0000-9999. (WIKI)

Personal Unlocking Code (PUC) – If the wrong PIN is typed in more than three times, either the SIM card or the device or both become permanently locked. They can be reverted to their original unlocked state, however, by entering a PUC, but if the wrong PUC is entered ten times in a row, the device will become permanently blocked and unrecoverable, requiring a new SIM card. (WIKI)

Post Office Protocol (POP) – A standard protocol used to receive electronic mail from a server. (NIST)

Short Message Service (SMS) – A cellular network facility that allows users to send and receive text messages of up to 160 alphanumeric characters on their handset. (NIST)

Simple Mail Transfer Protocol (SMTP) – The primary protocol used to transfer electronic mail messages on the Internet. (NIST)

SMS (Short Message Service) Chat – A facility for exchanging messages in real-time using SMS text messaging that allows previously exchanged messages to be viewed. (NIST)

Subscriber Identity Module (SIM) – A smart card chip specialized for use in GSM equipment. (NIST)

Synchronization Protocols – Protocols that allow users to view, modify, and transfer/update data between a cell phone and personal computer. (NIST)

Universal Mobile Telecommunications System (UMTS) – A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM. (NIST)

Universal Serial Bus (USB) – A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices.

USIM (UMTS Subscriber Identity Module) – A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to 3G networks. (NIST)

Volatile Memory – Memory that loses its content when power is turned off or lost. (NIST)

Wireless Application Protocol (WAP) – A standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices. (NIST)

Wireless Fidelity (WiFi) – A term describing a wireless local area network that observes the IEEE 802.11 protocol. (NIST)

Write-Blocker – A device that allows investigators to examine media while preventing data writes from occurring on the subject media. (NIST)

Write Protection – Hardware or software methods of preventing data from being written to a disk or other medium. (NIST)

Extensible HyperText Markup Language (XHTML) – A unifying standard that brings the benefits of XML to those of HTML. (NIST)

Extensible Markup Language (XML) – A flexible text format designed to describe data for electronic publishing. (NIST)

Monday, October 1, 2007

“Carving” out pictures from a Handset (FTK)

UPDATE 01/03/2007

If you have Encase you want to follow this link - “Carving” out pictures from a Handset (Encase) - for the following two reasons.

1. FTK (Versions 1.61a and 1.62.1) do not seem to be adding sub-case items correctly
2. Encase, after you set up and run the correct search parameters, will automatically bookmark the “carved images”.

End of Update

The first thing I want to clarify is the definition of “Carve” in this page. So you, or another investigator, manually review a handset using its internal operating system and determine the picture you need is no longer on the handset. Sometimes images might not be accessible to the user but there might be images still residing in the logical memory of the handset.

I know what you are thinking: Open up a Case in FTK and automatically CARVE for images in the phone files. In my experience this answer is half right. I have not had much luck with FTK’S internal carving feature with logical phone files (This is not a rip on FTK it is just my experience. FTK is one of my favorite programs).

First you have to obtain a dump of the handset’s content.

If you used BITPIM then you are ready to start ENCASE.

If you used PARABEN DEVICE SEIZURE then use Paraben's Report feature, and choose to create an HTML Report and include all items from the case. Paraben's report will save the files needed for the HTML Report in a folder called .Html Files. Take all the files in the Html Files folder and add them to a ZIP file. For consistency we will also call this new ZIP folder

Start a New Case in FTK

Go to the graphics Tab and take a hex view of your images. Choose the images that look like they were taken by a camera. Get the header of your images. In our example the header is FF D8 FF E0.

Open the Search Tab>Live Search and do a hex search using FF D8 FF E0. In results you should see the image file you could see using the handset (a nice test to make sure your search syntax was correct).

Look at your other search hits. Do you see some possible targets? In the following example I have an image header in MMS>62 File:


Put your cursor over the image’s original file name and copy it to the clipboard. In our example it would be “Photo_#58.jpg”

Now put your cursor before the first character of your header, right-click and hold, scroll to the bottom of the file and release. This could take some time if the image files are large. Once your header and the rest of the file are highlighted, right-click on any part of the highlighted region and a menu should come up allowing you to "Save selection..." or “Add Sub Item”. Choose “Add a Sub Item” and paste the name you copied to the clipboard into the name (if you didn’t skip that step!). Look at your new sub-items in the graphics view. You’ve just “carved” an image from your handset files.

See also: “Carving” out pictures from a Handset (Encase)

Wednesday, September 26, 2007


Carrier: Verizon

I was unable to download the contents of the handset using the following products: ENCASE, BITPIM, PARABEN or DD, so I made a backup copy of the internal contents in the most forensically sound manner possible using the VERIZON WIRELESS SOFTWARE INSTALLATION DISC (A/N 185-10134-01).

I installed PALM DESKTOP SOFTWARE and used HOTSYNC to make back-up files of the TREO 360 file system. I then extracted and converted the recovered information in the following ways:

1. CALENDAR: I used PALM DESKTOP to export the entire calendar to a Datebook Archive (dba) file named “datebook archive.dba”. I then used an empty calendar at YAHOO.COM to import “datebook archive.dba” and exported the contents to a file called “calender.csv”.
2. CONTACTS and TASKS: I used SEND TO > MS Excel in the PALM DESKTOP.
3. MEMOS: I used SEND TO > MS WORD in the PALM DESKTOP.
4. CALLS: I took a copy of the file “\XXXXXXXX\Backup\PhoneCallDB.PDB” created during the “XXXXXXXX” HOTSYNC and converted it with a program called “CH”. The program converted the input into a MICROSOFT EXCEL SPREADSHEET. The program “CH”, and its source code, is included in the “Working Directory” in the forensic archive.
5. PHOTOS, IMAGES and VIDEOS: Images were transferred from the handset during HOTSYNC and placed into the “XXXXXXXX” folder. Using a hex editor on the file “Saved_prefrences.PRC” I discovered the phone number of the owner.

The following is additional information regarding the forensic examination:

• Computer connection using Cable 180-10017-00 REV B 0516 with HOT SYNC Button.
• The HOTSYNC automatically created the user file name of “XXXXXXXX” for the contents of the seized item.
• Console Mode was achieved using the following key inputs:
  - Option Button and Shift–Find Button
  - Input “s” and push ALT Button
  - Scroll to bottom and choose “dotted looped l”
  - Enter “.”
  - Enter 1

“Carving” out pictures from a Handset (ENCASE V5)

The first thing I want to clarify is the definition of “Carve” in this page. So you, or another investigator, manually review a handset using its internal operating system and determine the picture you need is no longer on the handset. Sometimes images might not be accessible to the user but there might be images still residing in the logical memory of the handset.
I know what you are thinking: Open up a Case in Encase and automatically CARVE for images in the phone files. In my experience this answer is half right. (We need to create a special search in Encase to be sure we can find all the images.)
Here’s my suggestion:

1. First you have to obtain a dump of the handset’s content.
If you used BITPIM then you are ready to start ENCASE.
If you used PARABEN DEVICE SEIZURE then use Paraben's Report feature, and choose to create an HTML Report and include all items from the case. Paraben's report will save the files needed for the HTML Report in a folder called .Html Files. Take all the files in the Html Files folder and add them to a ZIP file. For consistency we will also call this new ZIP folder

2. Start a New Case in ENCASE.
Maneuver your way down to Home>Entries and right click on Entries>Activate Single File
Right Click on Single Files>New (which opens up a common dialog box for you to find your Root.Zip file)
Open up Enscripts and choose File Mounter>File by Extension>Zip files. Your single file is activated and the Root.Zip folder mounted. You can now walk through the file structure.
Different handsets use slightly different headers in their images. Sometimes images are embedded in files with long headers (containing valuable EXIF data) but are overlooked by forensic programs that just look for predetermined headers and offsets.

3. Find a stored image. Choose one that looks like it was taken by the handset's camera.
Look at that image in hex and get the header information. Double check your header with a couple of other images that appear to be taken with a camera. In our example the header is FF D8 FF E0 for image photo_004.jpg

4. Now open ENSCRIPTS again and Choose "Sweep Case".
a. Check the box for your case>Next
b. Find the Modules List and Check the box for "File Finder"
c. Double left click on File Finder. A File Finder menu opens up and you might as well check all the options (BMP, JPG, PNG, ...). But also click on the bar "Add Custom File Type" and add the following:
d. Description: Carved Image
e. Header: \xFF\xD8\xFF\xE0 (For our example- but use whatever you found in the header of your images)
f. Footer: Empty
g. Extension: .jpg
h. Check the following Boxes: "Bookmark as picture" and "GREP"
i. OK>OK>Finish
j. Open your BOOKMARKED folder and see how many new images you have found that you could not find using the handset. You have now "Carved" some images from the handset.

Don't forget to SAVE ALL so you don't have to re-write the "Add Custom File Type" each time you only have to update the Header Hex Information.
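The header-based carve that both the FTK and the EnCase walkthroughs above perform by hand, as an added Python example (not from the original posts and not the tools' own code): it scans a dump for the FF D8 FF E0 header, and as a generalisation also FF D8 FF E1, then walks the JPEG marker segments to find the real end of each image, so that an EXIF thumbnail's embedded FF D9 does not cut the carve short. The dump data is constructed inline; jpeg_end, carve_jpegs and the test-image builder are names chosen here.

```python
import struct

SOI = b"\xff\xd8"
# The posts carve on FF D8 FF E0 (JFIF APP0). FF D8 FF E1 (Exif APP1, the usual
# camera header) is added here so EXIF-bearing images are carved too.
HEADERS = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1")

def jpeg_end(buf: bytes, start: int):
    """Offset one past the EOI (FF D9) of the JPEG whose SOI is at `start`, or None
    if the structure is broken or truncated. Segments are walked by their length
    fields, so an Exif thumbnail's own FF D9 inside APP1 is never mistaken for EOI."""
    pos, n = start + 2, len(buf)
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None                       # expected a marker here: lost sync
        marker = buf[pos + 1]
        if marker == 0xD9:                    # EOI: done
            return pos + 2
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        pos += 2 + struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if marker == 0xDA:                    # SOS: skip the entropy-coded data
            # Inside scan data FF is always followed by 00 (stuffing) or D0-D7 (RSTn);
            # anything else is the next real marker (EOI or another segment).
            while pos + 1 < n and not (buf[pos] == 0xFF and buf[pos + 1] != 0x00
                                       and not 0xD0 <= buf[pos + 1] <= 0xD7):
                pos += 1
    return None

def carve_jpegs(buf: bytes) -> list:
    """Return [(offset, image_bytes)] for every structurally complete JPEG in buf."""
    found, pos = [], 0
    while True:
        starts = [i for i in (buf.find(h, pos) for h in HEADERS) if i != -1]
        if not starts:
            return found
        start = min(starts)
        end = jpeg_end(buf, start)
        if end is None:                       # false positive or truncated: step past it
            pos = start + 2
            continue
        found.append((start, buf[start:end]))
        pos = end

# --- Constructed test data (not a real handset dump) ---------------------------
def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Scan data deliberately contains FF 00 (stuffed byte) and FF D0 (RST0).
_SCAN = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd0\x56"

def build_test_jpeg(with_exif_thumbnail: bool) -> bytes:
    if with_exif_thumbnail:
        thumb = SOI + _seg(0xE0, b"JFIF\x00") + _SCAN + b"\xff\xd9"   # complete inner JPEG
        app = _seg(0xE1, b"Exif\x00\x00" + thumb)
    else:
        app = _seg(0xE0, b"JFIF\x00\x01\x01")
    return SOI + app + _seg(0xDB, b"\x00" * 65) + _SCAN + b"\xff\xd9"

JFIF_IMAGE = build_test_jpeg(False)
EXIF_IMAGE = build_test_jpeg(True)
SAMPLE_DUMP = (b"\x00" * 32 + JFIF_IMAGE + b"garbage\xff\xd9garbage" + EXIF_IMAGE
               + b"\xff\xd8\xff\xe0ZZ")       # trailing header with a bogus length: skipped

if __name__ == "__main__":
    for offset, image in carve_jpegs(SAMPLE_DUMP):
        print(f"JPEG at offset {offset}, {len(image)} bytes")
```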