Tuesday, October 03, 2006

FSP/FRU File Copy Client posted

I posted the File Copy Client (FCli) that was mentioned in Windows Forensics and Incident Recovery. After getting enough questions about it, I thought that it was about time that I uploaded it to the SourceForge site.

The FCli is a GUI client that the investigator can use to select files to be copied from the 'victim' system, over to the FSP server. Here's how you use it (I am going to create webinar/movie files for this stuff for the book)...download the archive from the SF site, and keep all of the files (EXE and associated DLLs) together in the same directory. For initial testing, you may want to have them separate from other tools and files. Launch FCli, and choose File -> Config...enter the IP address and port of the FSP server. Then choose File -> Open and use the dialog to select the files that you want to copy (web server log files, etc.). Once you've selected the files that you want, click OK to close the dialog and the file names will be added to the FCli ListView (you can go back and open the File -> Open dialog again, if you wish).

Once you have selected the files you want to copy, click "OK" in the main FCli window. The status bar on the bottom of the window will show you your progress...it may go fairly quickly. Once all the files are copied over, simply close the window.

What FCli does is first collect metadata about the file...size, MAC times, and MD5/SHA-1 hashes. This data is sent to the FSP server and archived. The file itself is then copied over to the server, at which point the server verifies the hashes. Here's an extract from the case log file:

Mon Oct 2 21:26:14 2006;DATA command received: bho2.dat
Mon Oct 2 21:26:14 2006;HASH bho2.dat:885f60ff031496a3fe37aa15454c6a46:bf402abbbe76e417105d18ad9193436315dd7343
Mon Oct 2 21:26:14 2006;FILE command received: bho2.pl
Mon Oct 2 21:26:14 2006;bho2.pl created and opened.
Mon Oct 2 21:26:14 2006;bho2.pl closed. Size 1522
Mon Oct 2 21:26:14 2006;MD5 hashes confirmed for bho2.pl.
Mon Oct 2 21:26:14 2006;SHA-1 hashes confirmed for bho2.pl.

First, the metadata is sent to the server and saved in a file with the .dat extension (next version needs to change this, in case of a conflict with a file with a .dat extension), and the hashes are pulled out of the file and logged. Then the file is copied over and the size of the file on the server, after it's been written, is logged (you can verify this later with the size recorded in the metadata). Then the file hashes are computed for the file that is now on the server, and confirmed against the metadata.

The archive you want from the SF site is fcli_20061003.zip. This archive contains the executable file and all supporting DLLs, as well as the Perl source code for the FCli.

Thanks, and enjoy!

Addendum: It seems that WinRAR-compressed files don't always play well with other compression utilities, so I updated the archive and uploaded it...look for fcli_20061003a.zip

2 comments:

Anonymous said...

I tried to download the file (fcli_20061003.zip) from SF and it is not a valid ZIP file. Tried this on Windows and Linux and same result so it is not just a corrupt local downloaded copy.

Just thought you would like to know so you can get this fixed.

H. Carvey said...

Ed,

I've opened it repeatedly, from different machines, using WinRAR, which I used to create the archive. I did have some trouble with QuickZIP...I'll go back and update the archive.

Harlan