Monday, July 21, 2008

BRAP Forensics

Sometimes I have to marvel at the little pearls (as opposed to Perl!!) I find through sites like eEvidence. Christina's diligence in ensuring that there is always new information added to the site really makes it worthwhile to stop by at least once a month and see what's new.

One of the items I really enjoyed was Hal Berghel's article on BRAP (browser and application) Forensics. In this article, Hal talks about some of the nice little bits of debris or (in his words) "guano" left behind by browsers and applications, as well as OLE file (MS Word) metadata and Recycle Bin/INFO2 file analysis. Hal also mentions Registry analysis, particularly of the NTUSER.DAT file. For the most part, Hal refers to these tidbits in negative terms, but for forensic analysts working on an examination, these tidbits can be priceless. I've used many of these techniques, sometimes in combination, to extract some extremely useful information from an examination.
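As an added worked example (my own, not code from the post or from Hal's article), here is a small parser for the Windows 2000/XP Recycle Bin INFO2 file mentioned above. The sample INFO2 bytes are constructed inline using the documented XP-era layout: a 20-byte header whose fourth dword is the record size, then 800-byte records holding a 260-byte ANSI path, the record index, the drive number, a FILETIME deletion time, the file size and a 520-byte UTF-16LE copy of the path. The header version value and the file names in the sample are made up.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 file (added example, not from the post)."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20    # five little-endian dwords; the fourth is the record size
RECORD_SIZE = 800   # 0x320: XP-era records carry an ANSI and a UTF-16LE path
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer math to stay exact."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return one dict per INFO2 record; raises on a record size we do not handle."""
    _version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unsupported INFO2 record size {record_size}")
    records = []
    off = HEADER_SIZE
    while off + record_size <= len(data):
        rec = data[off:off + record_size]
        ansi_raw = rec[:260]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        # The UTF-16LE path is the reliable copy: Windows is documented to null
        # the first byte of the ANSI path once an entry is restored or emptied,
        # so that flag is reported separately (verify against a real INFO2).
        unicode_path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        drive_letter = chr(ord("a") + drive)
        ext = ntpath.splitext(unicode_path)[1]
        records.append({
            "index": index,
            "drive_letter": drive_letter.upper(),
            "original_path": unicode_path,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            # Name the file carries inside the RECYCLER folder, e.g. Dc1.doc
            "recycled_name": f"D{drive_letter}{index}{ext}",
            "ansi_nulled": ansi_raw[0] == 0,
        })
        off += record_size
    return records


# --- constructed sample data (not from any real system) ---------------------
def build_record(path, index, drive, deleted_at, size, null_first_byte=False):
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    if null_first_byte:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    meta = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)
    return ansi + meta + uni


def build_info2(records):
    # Version 5 and zeroed unknown dwords are an assumption for the sample header.
    header = struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0)
    return header + b"".join(records)


SAMPLE_INFO2 = build_info2([
    build_record(r"C:\Documents and Settings\jdoe\My Documents\plans.doc", 1, 2,
                 datetime(2008, 7, 18, 14, 5, 10, tzinfo=timezone.utc), 24576),
    build_record(r"C:\temp\notes.txt", 2, 2,
                 datetime(2008, 7, 19, 9, 30, 0, tzinfo=timezone.utc), 512,
                 null_first_byte=True),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        flag = " (ANSI name nulled: restored/emptied?)" if r["ansi_nulled"] else ""
        print(f'{r["deleted_at"].isoformat()}  {r["recycled_name"]:<10} '
              f'{r["size"]:>8}  {r["original_path"]}{flag}')
```

On a live XP box the file lives at `C:\RECYCLER\<SID>\INFO2`; pass its bytes to `parse_info2` and pair each `recycled_name` with the matching `D<drive><index>.<ext>` file in the same folder. Vista and later replaced INFO2 with per-file `$I` records, so this layout does not apply there.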

Resources
Mandiant's WebHistorian

1 comment:

Jamie Levy said...

Kind of along these lines, I found a Perl script that parses the history.dat files of Firefox: mork.pl, written by Jamie Zawinski.

I modified it to print out the date instead of the timestamp, which you can find here.

You can see an output of the DFRWS 2008 challenge using this here.

-Jamie