tag:blogger.com,1999:blog-62970756825986475252012-01-19T06:49:15.974-08:00A site for “Computer Crime” Investigators Where we can share our tips, tricks and mistakes…ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.comBlogger311100tag:blogger.com,1999:blog-6297075682598647525.post-82595891510440606462011-01-25T16:12:00.000-08:002011-02-01T14:56:29.191-08:00

These are tools to find SMS Messages from physical (carve) or logical files, recovered from an iPhone (DOWNLOAD). This tool is really meant to find unallocated SMS Messages in a Raw disk recovery of the user disk partition as extracted by tools (http://oreilly.com/catalog/9780596153595)like the one created by Johnathon Zdziarski. (http://www.zdziarski.com/blog/?page_id=503).If you obtain a

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com7tag:blogger.com,1999:blog-6297075682598647525.post-55018272308503909102010-10-17T11:48:00.000-07:002010-10-18T09:01:26.604-07:00

I updated my Basic Memory Analysis Enscripts (Version 6) and rolled them out at the 2010 WACCI Conference. The newest addition is an Enscript to carve for Windows 7 Processes (Exited and Running).Important ---If you downloaded the new Enscripts prior to 10/17/2010 please update your download to Version 2.1 - I made some changes to the Win7 (Beta) Enscript.The magic number I am using is part of

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-57663285493767485372010-09-01T08:18:00.000-07:002010-09-01T14:48:27.512-07:00

I know if your reading my blog you've seen ROT13 and know it is used by Microsoft in the UserAssist Registry Key.But now I’ve found Microsoft using ROT(-29) or Rotate Minus 29 which is considerably more devious, then ROT13, for the forensic investigator. Do the following steps to uncover ROT(-29):1. First find a computer running Windows 7 or Vista.2. Open Notepad and type: “

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-43646014230064420582009-10-16T16:20:00.000-07:002009-10-20T08:57:57.948-07:00

*********** The First 5 Steps are exactly the same as my last posted regarding Walk-Through: Volatility Batch File Maker and Volatility's ProcDump. The Walk-through Portion is repeated here for future discussions. Skip if applicable.******************1. Download the following files from Hogfly (Website)exemplar6.tar.gz.001exemplar6.tar.gz.002exemplar6.tar.gz.003In my example I placed the

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-66500373624489761862009-10-16T15:25:00.000-07:002009-10-17T16:11:26.733-07:00

1. Download the following files from Hogfly (Website)exemplar6.tar.gz.001exemplar6.tar.gz.002exemplar6.tar.gz.003In my example I placed the files in e:\exemlar6\ directory2. Add the downloaded files together and extract with the following cmd prompt code: Copy /b “exemplar6.tar.gz.001”+ “exemplar6.tar.gz.002”+” exemplar6.tar.gz.003” exemplar6.tar.gz3. Extract using WinRAR (exemplar6.tar.gz

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-46393788435503177962009-10-16T08:55:00.000-07:002009-10-16T15:40:29.921-07:00

The Tool: VolatilityBatch File Maker DownloadI wanted to take the text output of the various tools (Ptfinder, PtFinderFE and Volatility >PsScan2) which identifies all the offsets for (running) processes and input that offset data into several Volatility tools (ProcDump, MemDmp and VadDump). This program creates three batch files. After running the batch files I can quickly leverage

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-65859345714915986392009-04-16T13:31:00.000-07:002009-04-16T13:44:20.768-07:00

I had the following a question from Mr Anonymous about Matthieu Suiche's Sandman Shell Project:“...the same happens with hibrshell. When I execute the command it crashes while "Retrieving Kernel Image base". I tried with 3 different hiberfil.sys files so I guess it's not the file. The bad thing is that I also tried with different pcs and it crashed too, this means that I have no idea of what it

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com2tag:blogger.com,1999:blog-6297075682598647525.post-18556463754881665912009-02-21T14:42:00.000-08:002009-02-21T15:55:34.617-08:00

Identify Multiple Windows OS Versions in a Single RAM Capture if the Host Machine is Running VMWare Machines.I often run VMWare Machines, on my host machine,so I can easily grab the machine's RAM contents by suspending the machine and analyzing the VMEM file. Nothing new there. But what is cool is when you run several VMWare machines (or just one) and grab the RAM of the host machine. If you

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com2tag:blogger.com,1999:blog-6297075682598647525.post-49355386022001568182009-01-28T18:05:00.000-08:002009-01-29T16:24:49.448-08:00

Using Volatility (1.3_Beta), Volatility Plugin from Moyix, a test RAM Image (xp-laptop-2005-06-25.img) and a Windows Hash/Password Finder (SamInside or Cain and Abel) identify the passwords for the following users: Sarah, phoenix and the Administrator. 1. Run hivescan to get hive offsetscommand: python volatility hivescan -f "C:\Dump\xp-laptop-2005-06-25.img"Offset (hex)

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com18tag:blogger.com,1999:blog-6297075682598647525.post-82126133325116947892008-06-05T21:29:00.001-07:002008-12-09T06:26:34.410-08:00

Today when I downloaded the latest version of Encase (6.11.0.43) I discovered winen.exe in the Encase Program Folder. Apparently winen.exe is the new RAM Acquisition Tool Provided by Guidance. Winen.exe is suppose to work on all variations of Windows higher then 2000.A search of Guidance Support Portal and I was able to down Winen.pdf. (Guidance Forum Access Required - 3 pages).The Winen

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com1tag:blogger.com,1999:blog-6297075682598647525.post-55774352609749964892008-05-19T21:44:00.000-07:002008-12-09T06:26:34.490-08:00

I am presenting a two-day course on RAM Acquisition and RAM Analysis at Digital Intelligence. The course is June 10-12, 2008 and is FREE. The following is a quick synopsis of the training:RAM Analysis – Vista and BeyondEverything run on a computer passes through the RAM at one time or another. The trick is being able to identify data found in a RAM capture and relate it back to the item that

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-47854223230922050232008-05-03T16:54:00.000-07:002008-12-09T06:26:34.638-08:00

A colleague of mine approached me after teaching a class on finding information in RAM. He asked me to prove a particular RAM acquisition came form a particular machine. My first thought was to run to the remnants from the registry. But do to paging of the registry and many false positives this proved a little more difficult then I originally thought... But as you guessed by the title I then

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-16875463677090715822008-05-02T21:44:00.000-07:002008-05-03T16:48:05.861-07:00

RAM ENSCRIPT UPDATED!!! DownloadThe new RAM Enscript contains:OS IdentificationProcesses (Exited / Running)Registry Remnants (UserAssist)MSHTML Remnants MFT Parser. Runs against RAM Dumps from Windows 2000 to Vista.Many Thanks to the First RAM Analysis Advance Class at IACIS- Thanks for the Hard Work.

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-72888581784407002692008-03-15T21:32:00.000-07:002008-12-09T06:26:48.549-08:00

I want to show a practical of my “15 Minute Virus Analysis” You must download the RADA Virus if you want to “play” along. The RADA Virus is a REAL VIRUS SO BE CAREFUL… The RADA VIRUS was created several years ago to test other geeks participating in the HONEYNET Project. Also download one of the best solutions to the RADA Challenge (But don’t read the solution, yet…). Make three folders in

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-88536047076432934922008-02-29T17:03:00.000-08:002008-03-15T13:16:08.855-07:00

Tools:1. VMWARE Workstation or VMWARE Server (Sever=free)2. Windows 2000 (Small$)3. TextScan - Free (by AnalogX)http://www.analogx.com/contents/download/program/textscan.htm4. PtfinderFE - Free (PTFINDER by Andreas Schuster and Front-End by Richard McQuown)5. LSPM (SourceForge)- Free (by Harlan Carvey)Steps:1. Create a VMWARE Windows 2000 Machine. Keep the RAM 256 MB or less (Saves

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-83085350388461956522008-02-22T07:50:00.000-08:002008-02-22T08:35:50.812-08:00

Seems like a team of Princeton students have put together a very well done website, research paper (pdf) and video regarding acquiring RAM. The jist of these items shows: Information stays in RAM after power loss and then degrades, cooling DRAM Chips will help prevent the decay of volatile memory and keys to Full Disk Encryption can be obtained by capturing RAM.The online community has

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com1tag:blogger.com,1999:blog-6297075682598647525.post-84089986668028015382008-01-27T20:43:00.000-08:002008-12-09T06:26:50.147-08:00

Well to sum up XPSP3 (for RAM Analysis) I’d say the prognosis is great. The key offsets that I look for in the EPROCESS (Page Directory Base, Create Time Low, Create Time High, Exit Time Low, Exit Time High, PID, Image File Name) appear to be the same as XPSP2. The Kernel Program (NTOSKRNL.exe) I use to gauge the OS Version of the RAM is also similar to previous versions. I tried to use Windbg

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com2tag:blogger.com,1999:blog-6297075682598647525.post-46791763821597452782008-01-23T22:45:00.000-08:002008-12-09T06:26:50.165-08:00

I am presenting a two-day course on RAM Acquisition and RAM Analysis at the International Association of Computer Investigative Specialists (IACIS) 2008 CFCE Course between April 28, 2008 through May 9, 2008 in Orlando, Florida.My sponsor is Digital Intelligence.The following is a quick synopsis of the training:RAM Analysis – Vista and BeyondEverything run on a computer passes through the RAM at

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-33845596876745651852008-01-22T21:36:00.000-08:002008-12-09T06:26:50.361-08:00

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-70174485452999973862008-01-22T21:34:00.000-08:002008-01-22T21:35:39.111-08:00

Conditions: • Machine is On but Not Logged In. • Machine is On / Logged On / Not Running Encryption. (Bitlocker, Best Crypt…). (If running encryption make logical image immediately.) • You Have Physical Access to the Machine. • You Know What a Hard Drive Molex Cable Looks Like… (Easiest

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-1844483961499029592008-01-22T21:26:00.000-08:002008-12-09T06:26:50.621-08:00

Scenario#1 You come up to a desktop computer that you have legal authority to forensically analyze. The computer is powered up but sitting at the Windows Login Screen. No chance to get an image of the RAM so you pull the plug from the back of the machine and retreat to the lab. At the lab you discover that the hard drive has been encrypted with BITLOCKER. What could

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com8tag:blogger.com,1999:blog-6297075682598647525.post-67583944098724158972007-12-01T21:46:00.000-08:002008-01-22T21:49:07.197-08:00

Lately some good information has been posted on the web regarding the importance of the USER ASSIST. Especially by Didier Stevens (http://blog.didierstevens.com/programs/userassist/) and Harlan Carvey (http://windowsir.blogspot.com/) Recently and completely by coincidence I found some USER ASSIST Remnants in the RAM

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-87960049601299193982007-11-22T22:50:00.000-08:002008-12-09T06:26:50.869-08:00

What will this ENSCRIPT find in a RAM Dump File?1. Running and Exited Process Information2. Operations System Information3. USER ASSIST RemnantsSee Output: OS Version Processes User AssistBACKGROUND:When I originally started I wanted to be able to search a RAM Dump file and find some of the important stuff like the EPROCESS Headers. I then wanted the OS

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-292592913341959162007-11-02T22:29:00.000-07:002008-02-29T20:05:45.045-08:00

Download RAM Enscript (SourceForge)Concerns---Bugs---CautionConcerns 1. Enscript is in BETA and still evolving! 2. VISTA Process Search String might not collect all processes (still researching to find out what is missed. An estimate of how many are found- probably 90-95% Solution AS IS.)Known Bug 1. Microsoft Windows XP 2003 Edition is SP1 (Version 5.2600) reports as XPSP2 so check your

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com2tag:blogger.com,1999:blog-6297075682598647525.post-87031102771015383102007-10-26T20:32:00.000-07:002008-12-09T06:26:51.291-08:00

During a recent cell phone exam, I encountered an interesting dilemma. When the phone was powered on it required a SIM PIN. Making things worse there was no indication who the carrier was, and the owner of the phone was unwilling to provide the code or any information. The investigator needed information from the phone as quickly as possible.OK- so the SIM card was locked, not the phone. Some

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-80606256280064145342007-10-26T19:43:00.000-07:002008-12-09T06:26:52.562-08:00

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-13576128492830533622007-10-26T19:35:00.000-07:002008-01-26T19:38:28.413-08:00

Who Created PTFinder ? Andreas Schuster http://computer.forensikblog.de/en/2006/ Who Created the OS Detection Script ? Harlan Carvey http://windowsir.blogspot.com/ What does PTFinder Do ? PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. Some functional checks are also applied. (According to Andreas Schuster)

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-70885346084323754192007-10-23T22:48:00.000-07:002008-01-23T22:53:45.923-08:00

TERMS-DEFINITIONS-ACRONYMSAcquisition – A process by which digital evidence is duplicated, copied, or imaged. (NIST)Analysis – The examination of acquired data for its significance and probative value to the case. (NIST)Authentication Mechanism – Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device. (NIST)Bluetooth – A wireless protocol

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com1tag:blogger.com,1999:blog-6297075682598647525.post-28098973401987857892007-10-01T22:49:00.000-07:002008-01-23T22:52:21.284-08:00

“Carving” out pictures from a Handset (FTK) UPDATE 01/03/2007If you have Encase you want to follow this link - Carving” out pictures from a Handset (Encase) for the following two reasons. 1. FTK (Versions 1.61a and 1.62.1) do not seem to be adding sub-case items correctly 2. Encase, after you set up and run the correct search parameters, will automatically bookmark the “carved images”.End of

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-63247440273068713822007-09-26T20:30:00.000-07:002008-01-26T20:31:03.404-08:00

Carrier: Verizon I was unable to make a download the contents of the handset using the following products ENCASE, BITPIM, PARABEN or DD so I made backup copy of the internal contents in the most forensically sound manner possible using VERIZON WIRELESS SOFTWARE INSTALLATION DISC (A/N 185-10134-01). I installed PALM DESKTOP SOFTWARE and used HOTSYNC to make back-up files of the TREO 360 file

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0tag:blogger.com,1999:blog-6297075682598647525.post-8769161979663918822007-09-26T20:08:00.000-07:002008-12-09T06:26:54.093-08:00

“Carving” out pictures from a Handset (ENCASE V5)The first thing I want to clarify is the definition of “Carve” in this page. So you, or another investigator, manually review a handset using its internal operating system and determine the picture you need is no longer on the handset. Sometimes images might not be accessible to the user but there might be images still residing in the logical

ForensicZonehttp://www.blogger.com/profile/07501220425644973307noreply@blogger.com0