Monday, February 14, 2011

Links, Tools and Stuff

PDF Stream Dumper
From over at RE Corner comes the PDF Stream Dumper tool; actually, this one has been out for some time now.  This tool was written in VB6, and comes with a number of automation scripts.  Swing on by Lenny's blog for some great examples of how to use it, or check out this KernelMode page for some other examples of the dumper being used.

If you're not too put off by CLI tools, you might consider using this in conjunction with Didier's PDF tools.  Didier's stuff is also in use by VirusTotal.  That's not to say that one's better to use than the other...it's good to have both available.

While we're on the subject of document metadata, it's a good idea to mention that Kristinn Gudjonsson, creator of log2timeline, also created the Perl script for extracting metadata from MS Word 2007 documents (use and output described at the SANS Forensic Blog).

There's an interesting article up on TechRadar about how to perform a forensic PC investigation, and it references using OSForensics, available from PassMark Software.  I have to say, I'm a bit concerned about articles like this, even when they suggest early in the article that performing the actions described in the article can be "a little morally dubious".

The beta of OSForensics was recently made available for a limited time, for free.  However, that offer was originally made as "LE only", but seems to have changed recently.

It looks like the folks at PassMark Software removed the LE-only restriction for downloading the OSForensics beta, so I downloaded the 32-bit version to my XP system this morning.

After installing OSForensics and looking around (noticed the nice icons and graphics), I created a new case, and then began looking for a way to load a test image into the tool.  I didn't have much luck, so I went immediately to the Help, which is provided online, in HTML format.  I went through the index and found the word "Image", and from there found this:

In many cases it may be desirable to work with data from a disk image rather than the physical disk itself. Whilst OSForensics does not deal with disk images directly itself Passmark provides a set of free external tools in order to support working with disk images.

So, it appears that OSForensics is not intended for dead-box/post-mortem analysis.  Some of the available tools, such as System Information and Memory Viewer, pertain to the system on which OSForensics is running.  PassMark does offer the OSMount program, which allows you to mount a raw/dd image as a drive letter, and from there you can use OSForensics in the intended fashion.  As such, I'd guess that there'd be no issues using any of the various other mounting techniques and tools, including accessing VSCs.

Of all of the functionality, the one that really jumps out is the hash set comparison tools.  PassMark provides a number of hash sets for known-good OS files at their download site; however, as with any similar functionality based on hash sets, I can easily see how this can become cumbersome very quickly.  You either scan for all of the hashes, or you run into issues with analysts deciding which hash sets to run, and (more importantly) documenting those that they do run.
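The hash-set concern above, as an added example that is not part of the original post and not OSForensics code: every file is hashed and dropped if it appears in any known-good set the analyst selected, and the result carries a record of exactly which sets were applied so that the case notes reflect it. The file contents and the hash sets are constructed for the demonstration; the set names are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, used as the lookup key into a hash set."""
    return hashlib.sha256(data).hexdigest()


# Constructed evidence: path -> file contents (stands in for files on a mounted image).
EVIDENCE: Dict[str, bytes] = {
    "Windows/System32/kernel32.dll": b"constructed known-good kernel32",
    "Windows/System32/ntdll.dll": b"constructed known-good ntdll",
    "Program Files/App/app.exe": b"constructed known vendor binary",
    "Users/jdoe/Downloads/invoice.exe": b"constructed unknown binary",
}

# Constructed known-good hash sets, keyed by a hypothetical set name.
HASH_SETS: Dict[str, Set[str]] = {
    "os-baseline": {
        sha256_hex(EVIDENCE["Windows/System32/kernel32.dll"]),
        sha256_hex(EVIDENCE["Windows/System32/ntdll.dll"]),
    },
    "app-vendor": {sha256_hex(EVIDENCE["Program Files/App/app.exe"])},
    "unrelated-os": {sha256_hex(b"constructed file not present on this image")},
}


@dataclass
class HashSetRun:
    """Result of one comparison, including which sets were applied."""
    sets_applied: List[str]
    matched: Dict[str, str] = field(default_factory=dict)   # path -> set that matched it
    unmatched: List[str] = field(default_factory=list)      # paths still needing review

    def audit_lines(self) -> List[str]:
        """Case-note lines: the sets that were run, then the outcome per file."""
        lines = ["hash sets applied: " + ", ".join(self.sets_applied)]
        lines += [f"KNOWN   {p}  ({s})" for p, s in sorted(self.matched.items())]
        lines += [f"REVIEW  {p}" for p in sorted(self.unmatched)]
        return lines


def filter_known_good(files: Dict[str, bytes], hash_sets: Dict[str, Set[str]],
                      selected: Iterable[str]) -> HashSetRun:
    """Hash every file and set aside those found in any *selected* known-good set.

    A set name that does not exist raises KeyError instead of silently running
    fewer sets than the analyst believes were run.
    """
    selected = list(selected)
    missing = [s for s in selected if s not in hash_sets]
    if missing:
        raise KeyError(f"unknown hash set(s): {missing}")
    run = HashSetRun(sets_applied=selected)
    for path, content in files.items():
        digest = sha256_hex(content)
        hit = next((s for s in selected if digest in hash_sets[s]), None)
        if hit is None:
            run.unmatched.append(path)
        else:
            run.matched[path] = hit
    return run


if __name__ == "__main__":
    # Run all sets against the constructed evidence and print the audit record.
    for line in filter_known_good(EVIDENCE, HASH_SETS, HASH_SETS.keys()).audit_lines():
        print(line)
```

The first audit line is the part that tends to go undocumented in practice: a file that is "unknown" after a run against one baseline set is not the same finding as one that is unknown after every available set, so the record of which sets were consulted belongs with the results.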

OSForensics also provides string and file name search functionality, logging of activity, and the ability to install OSForensics to a USB drive.  I'm sure that this tool will be useful to examiners; for my own uses, however, it simply does not provide enough of the core functionality that I tend to use during my examinations. As a test, I mounted a test image as a read-only F:\ drive and opened OSForensics, and I have to say, moving through the interface wasn't the most intuitive, or easy to use.  However, I may be somewhat biased, given my experience and usual work processes.

No Alternative
Eric's got a rather insightful post over at the AFoD blog.  More and more folks are getting into the cell phone and smart phone market, and those little buggers are really very powerful when you take a look at them.  They also tend to contain more and more storage space.  Of course, we need to keep in mind that the tablet market is still there in that space between the smart phone and the laptop, as well.

I can see where Eric's going with the post, but I have to say from the private/corporate perspective, this isn't such a huge issue.  I would expect that if it ever does become an issue, it'll be an emergency (for legal/compliance purposes) and one-off, not something that gets done on a regular basis, with the cost of applications and training being amortized across multiple customers.  However, from a public perspective, I can definitely see how this is going to be more and more of an issue...after all, how "gangsta" can you really be lugging around a Dell Latitude laptop?

There are some great new resources over at the e-Evidence site, including stuff about MacOSX artifacts, iPhone and smart devices, Windows artifacts, etc.  This site is always a great place to go and find lots of new and interesting stuff.

Network and Wireless
A question popped up on a list this morning regarding wireless assessments and tools.  The original question asked about an alternative to NetStumbler, that supported a specific NIC, and the first response was for ViStumbler.  ViStumbler is open-source and was originally written to be supported by Vista, but apparently runs on Windows 7, as well.

If you're doing any network forensics, you might also consider NetworkMiner as a viable resource, and something to add to your toolkit right alongside Wireshark.

Tool Sites
ForensicCtrl had a listing of free computer forensics tools available.
List of Windows open source tools
Check out the Collaborative RCE Tools library for a wide range of tools.

Corey Harrell said...

Another wireless assessment tool is Ekahau Heatmapper (there’s a free version as well as commercial versions). The tool locates access points, their Wi-Fi coverage, and plots them both on a map. One of the main reasons I use the tool is to locate the physical locations of access points. Heatmapper doesn’t rely on GPS so it’s useful for inside of buildings when GPS isn’t an option. However similar to Netstumbler, Heatmapper is unable to reveal hidden SSIDs even though it can still map the physical location of the device. So if you need to know the SSID or more information about an identified access point (such as clients connected) then another tool such as Kismet can be used along with Heatmapper.

I thought about writing a quick post on performing an assessment with the tool but I don’t have a location to survey. My house isn’t an option since it would be tough walking through the couple feet of snow surrounding my house.

Thanks for sharing your testing results with the OSforensics tool. I find it helpful when people share their perspective on new tools – new to me- since it helps me see some of the functionality the tool has to offer.

Anonymous said... is also worth a look as an alternative Windows wifi scanner

JohnC said...

The people behind OSForensics (PassMark Software) seem to also offer an alternative to NetStumbler known as WirelessMon with some interesting mapping functionality.

Webpage here:

Anonymous said...

I have just spent a couple of days playing with OSForensics and other than the very nice (or is it childish) graphics I don't see much going for it. I didn't like having to use extra tools to acquire an image and then incorporate it into OSForensics ... but FTK Imager is a reliable tool, of course. Anyhow, having a set of virtual images/disks on the host to then search, etc, was not as intuitive as having all the functionality and artifacts within a single case and environment. I will carry on using for several more days to give it a fair chance ... but so far the lack of imaging capabilities gets in the way of a logical process .. for me. I did use OSMount successfully but USBClone wouldn't work for me at a command line level .. despite using the correct command.

PassMark Software said...

Thanks for taking a look at our OSForensics software.

@Anonymous, if you have any trouble with getting OSFClone to work, please contact us, and we'll help you out. You can find links to our Forums and our email addresses on our website.

We also have a new beta out since Harlan's original review. Feel free to check it out, we're keen to hear what people think.

Stefan said...

Thanks, Harlan, for pointing to PDFStreamDumper, which I wasn't aware of. This tool is really, really useful.