Tuesday, August 18, 2009

Tools and Links

From DFRWS2009 (papers here) and Andreas's tweets I found out about NFI Defraser, a utility that reportedly detects full or partial multimedia files in data streams, such as unallocated space within an acquired image. Defraser downloads as an MSI file, so it appears to be Windows-based. John posted some great info on Defraser to the SANS Forensic blog.

Also from Andreas's tweets I found out about Snorkel from NFILabs. Snorkel is a Java-based library that provides access to acquired images. While an evaluation version is available for testing, the implications of something like this are incredible! Imagine being able to completely script (ie, automate) an entire pre-processing examination of an acquired image, where much of what is now done manually would be a matter of inputting a job and waiting.

Internet Evidence Finder from JADSoftware has been updated to version 2. IEF v2.0 runs searches for a variety of Internet artifacts, such as Facebook, Yahoo and Google chats, Limewire search histories, etc. If this is something you're looking for, particularly with regards to inappropriate usage or data leakage issues (hey, USB devices aren't the only way to get data off of a system), then this is a tool you'll want in your kit.

Also be sure to check out Jad's Encrypted Disk Detector tool. EDD is a CLI tool that checks local physical drives for PGP, TrueCrypt and BitLocker encrypted volumes. If you're doing live response and need to know this sort of information before shutting a system down and acquiring an image, then you really need to include a tool like this in your kit.

If you're interested in Vista's Volume Shadow Copies, check out this post from the Forensics from the Sausage Factory blog. Most folks seem to love 'war stories' and 'case studies', so this is something you might want to take a look at.

Speaking of analysis, Chad's post on the SANS Forensic blog about demystifying the use of defrag on a Vista system is very well-written and interesting. This follows Chad's other post that takes a look at the same subject, but from an XP perspective. Posts such as these are extremely important, IMHO, as they look at attempting to determine intentional use of the disk defragmenter utility, given the fact that the system itself runs a limited defrag on a regular basis. I think that too many times, analysts fall into the trap of thinking that if a Prefetch file exists on an XP system, that indicates that the user ran the utility...end of story. However, per Microsoft (from the section on Prefetch):

Then it launches the system defragmenter with a command-line option that tells the defragmenter to defragment based on the contents of the file instead of performing a full defrag.

On a side note, one of the tools I recently posted to the Win4n6 Yahoo group as part of the timeline creation toolkit (ie, pref.pl) does a great job of parsing information/metadata from both XP and Vista Prefetch files.
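To make the XP-versus-Vista point concrete, here is an added example (my own code, not pref.pl or anything from the Win4n6 toolkit) that reads the metadata an analyst actually needs from a Prefetch header: executable name, prefetch hash, last-run time and run count. It uses the publicly documented .pf layout, where XP writes version 17 and Vista writes version 23 files and the last-run FILETIME and run counter sit at different offsets; those offsets, the `HEADER_LEN` constant and the sample hash values are assumptions of this example, and the two sample files are constructed in the code rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Header offsets for the two Prefetch versions discussed on the page: XP writes
# version 17 files, Vista writes version 23. The executable name (offset 0x10,
# 60 bytes UTF-16LE) and the prefetch hash (0x4C) sit at the same place in both;
# the last-run FILETIME and the run counter move. These offsets follow the
# publicly documented .pf layout and are assumptions of this example, not pref.pl.
LAYOUTS = {
    17: {"os": "Windows XP", "last_run": 0x78, "run_count": 0x90},
    23: {"os": "Windows Vista", "last_run": 0x80, "run_count": 0x98},
}
HEADER_LEN = 0xA0  # enough bytes to cover every field read below (assumed)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return header metadata from the raw bytes of a .pf file (XP or Vista format)."""
    if len(data) < HEADER_LEN or data[4:8] != b"SCCA":
        raise ValueError("not a Prefetch file: SCCA signature missing or file too short")
    version = struct.unpack_from("<I", data, 0)[0]
    layout = LAYOUTS.get(version)
    if layout is None:
        raise ValueError("unsupported Prefetch version %d" % version)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "os": layout["os"],
        "exe_name": exe_name,
        "hash": "%08X" % prefetch_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def build_sample_pf(version, exe_name, prefetch_hash, last_run, run_count):
    """Construct a minimal .pf header for testing; synthetic data, not a capture."""
    layout = LAYOUTS[version]
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<I", buf, 0x00, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, HEADER_LEN)           # file size field
    name = exe_name.encode("utf-16-le")[:58]               # leave room for a NUL
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    struct.pack_into("<Q", buf, layout["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# Constructed samples: the hash values are placeholders, not real DEFRAG.EXE hashes.
SAMPLE_XP = build_sample_pf(17, "DEFRAG.EXE", 0x1A2B3C4D,
                            datetime(2009, 8, 18, 14, 30, tzinfo=timezone.utc), 1)
SAMPLE_VISTA = build_sample_pf(23, "DEFRAG.EXE", 0x5E6F7A8B,
                               datetime(2009, 8, 17, 3, 0, tzinfo=timezone.utc), 7)

if __name__ == "__main__":
    for sample in (SAMPLE_XP, SAMPLE_VISTA):
        meta = parse_prefetch(sample)
        # A .pf for DEFRAG.EXE only shows that it ran; the last-run time and run
        # count are what need correlating with the limited defrag the OS itself
        # schedules before attributing the execution to a user.
        print("%-14s %s-%s run_count=%d last_run=%s"
              % (meta["os"], meta["exe_name"], meta["hash"], meta["run_count"],
                 meta["last_run"].isoformat()))
```

Run it as a script to see both samples summarized; point `parse_prefetch` at the bytes of a real .pf file and it returns the same fields. The values worth carrying into a timeline are the last-run time and run count, since those can be checked against the system's own scheduled defrag activity, whereas the bare existence of the file cannot.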

The folks over at the SANS Internet Storm Center posted a compilation of tools for extracting files from pcaps. Very cool. I talked about NetworkMiner in WFA 2/e, and it's one of my favorites.

1 comment:

johnmccash said...

There's some more info about defraser that I posted on the SANS Forensic Blog back in May. It's at https://blogs.sans.org/computer-forensics/2009/05/13/automated-recovery-of-multimedia-from-unallocated-space/