Sunday, May 17, 2009

Links and Stuff

After traveling last week, I thought I'd throw up some updates and interesting things I've run across...

JL's got a good blog post on sources of info, including podcasts, listservs, etc. I hadn't heard of the Exotic Liability podcast before, I'll have to check that one out...checking out the web page, it looks pretty cool, especially the post about controlling web cams. JL also provides her blogroll, etc...anyone have anything to add to any of the lists she's provided?

Matt's got some new goings-on over at F-Response with the release of the F-Response EMC version 3.09.1 (Don talks it up, as well), and has posted about F-Response working with something called the Revealer Toolkit. If anyone's seen or used this before, would you care to post a review?

Links for file system stuff:
WikiPedia Common Filesystem Features
MS TechNet NTFS Time Stamps

What else? Oh, yeah...put in a little work on merging the code from two separate Prefetch (XP and Vista) file parsing scripts into one unified script, updating the code that is currently on the DVD that ships with my book. The updates to the code are based, in part, on my desire to not have a ton of code just lying around, as well as information from this blog post. I haven't actually looked at the EnScripts that are available, as the code I'm working on is intended to work on a live system, Prefetch files extracted from an acquired image, and Prefetch files accessible via a mounted (SmartMount, ImDisk, etc.) image or via F-Response. The script parses items such as the volume information block from the .pf file, getting things such as the volume serial number. Here's an example of the output of the script run against a Prefetch file on my local system:

C:\Perl>pref.pl -f c:\Windows\prefetch\MRT.EXE-1B4A8D49.pf -i
c:\Windows\prefetch\MRT.EXE-1B4A8D49.pf Fri May 15 00:37:33 2009 (1)

Volume Path : \DEVICE\HARDDISKVOLUME1
Volume Creation Date: Mon Aug 7 16:05:41 2006 Z
Volume Serial Number: 8456-B799

Since the file is from my local system, I can verify the volume serial number:

C:\Perl>vol
Volume in drive C has no label.
Volume Serial Number is 8456-B799

Pretty sweet. Analysis of the Prefetch files can lead to some interesting information, particularly when using the entire capability of the script to output such things as the embedded file paths. Prefetch files are perhaps most often tied to the named application being run on the system, the last time that application was run, and how many times it has been run. Keep in mind, though...Prefetch files by themselves do not tie the launch of the application to a user.

Speaking of Windows Forensic Analysis 2/e, one of the marketing folks at my publisher has said that copies of the book will be drop-shipped from the printer to TechnoSecurity in Myrtle Beach, SC. Unfortunately, I just found that out, and there's no way for me to get to the conference...but I'm hoping that we'll have copies of the book available at the SANS Forensic Summit in July.

Other Resources
ForensicWiki page on Visualization Software

2 comments:

Unknown said...

hi. Regarding the Revealer Toolkit you mentioned in this post, it is not something related with F-Response.

Actually is an independent open source project whose main objective is to manage and automate technical forensic actions on several forensic images and cases. It would be useful to organizations and companies that perform a lot of computer forensic analysis, or on cases with a large number of sources to investigate.

It uses sleuthkit and other forensic tools from a framework point of view. It's compatible with F-Response, and that's what Matt Shannon points out on his blog.

Last SVN revision is quite stable, but i'm going to release version 0.2 in a couple of weeks with documentation and examples.

Thanks for your interest!

H. Carvey said...

Jose,

Thanks.

...it is not something related with F-Response.Yes, I'm aware of that, and never said that it was.

I'm looking forward to seeing version 0.2. Thanks.