Monday, July 27, 2009


If you're at all interested in steganography, including not only the technology but also available tools, you should check out this paper from a couple of folks at GMU (from 1998). This led me back to the JJTC site, where you can find more publications and tools. Gary Kessler also has an Overview of Steganography for the Computer Forensics Examiner, which is another good read and definitely helps in understanding the strengths and limitations of the technology. From talking to LE, for the most part steganography is considered when there are indications of such a tool being used; indications can come from artifacts such as Prefetch files, MUICache Registry key entries, contents of emails, or just the existence of a known stego tool on the system.

Working on some of my timeline analysis stuff recently, I went looking for some tools to handle certain file types (or for information on formats so I can write my own), and ran across JAFAT again. I say "again" because I took a look at the INFO2 file parser a bit ago, and I see not only the cookie file parser, but also the Safari tools on the Archive of Forensic Tools page. There's a package available for the tools to run on Windows, if you need it.

Speaking of working on stuff, now and again I get questions about how to determine the edition of Windows from an image (NOT version...edition); i.e., Windows XP Home vs. Professional. I've addressed this here in this blog, but after spending some time recently looking for another solution, I thought I'd ask you all...the OSVERSIONINFOEX structure contains a field called SuiteMask; does anyone have any information on how this field is populated, so that it can be replicated during post-mortem analysis? I already know how to populate most of the other fields and determine which version of Windows (and Service Pack) is installed, but the one field I haven't been able to find any information about is the SuiteMask. While this field appears to be used quite often on live systems to perform checks during installation procedures, I'm having a great deal of difficulty determining where this information might be found within an acquired image.

Addendum: This page from Geoff Chappell pretty much covers what I found with respect to populating the SuiteMask field. Specifically for XP, in order to determine MediaCenter and TabletPC editions, check for the System\WPA\name Registry key (name = MediaCenter or TabletPC) with an Installed value equal to 1.
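As an added example (not the author's code, and not from the Chappell page), here is the post-mortem check described in the addendum expressed in Python, with a decoder for the SuiteMask bit flags alongside it. The VER_SUITE_* bit values and names come from the Windows SDK's winnt.h, and the SDK documents VER_SUITE_PERSONAL as the flag set on Windows XP Home Edition. The SYSTEM hive is represented as a plain dict standing in for whatever a hive parser would return (constructed sample data, not a real image); treating "no Media Center, no Tablet PC, no PERSONAL bit" as Professional is this example's assumption.

```python
"""Determine the Windows XP edition from an acquired image.

Added example for this post, not the author's tool. Two inputs:
  1. the SYSTEM\\WPA\\MediaCenter and SYSTEM\\WPA\\TabletPC keys, whose
     "Installed" value is 1 on those editions (as described in the addendum);
  2. an OSVERSIONINFOEX wSuiteMask value, decoded into VER_SUITE_* names.

The hive dict below is constructed stand-in data for hive-parser output.
"""

# VER_SUITE_* flags from winnt.h (wSuiteMask is a 16-bit field).
VER_SUITE_FLAGS = {
    0x0001: "VER_SUITE_SMALLBUSINESS",
    0x0002: "VER_SUITE_ENTERPRISE",
    0x0004: "VER_SUITE_BACKOFFICE",
    0x0008: "VER_SUITE_COMMUNICATIONS",
    0x0010: "VER_SUITE_TERMINAL",
    0x0020: "VER_SUITE_SMALLBUSINESS_RESTRICTED",
    0x0040: "VER_SUITE_EMBEDDEDNT",
    0x0080: "VER_SUITE_DATACENTER",
    0x0100: "VER_SUITE_SINGLEUSERTS",
    0x0200: "VER_SUITE_PERSONAL",        # XP Home Edition
    0x0400: "VER_SUITE_BLADE",
    0x0800: "VER_SUITE_EMBEDDED_RESTRICTED",
    0x1000: "VER_SUITE_SECURITY_APPLIANCE",
    0x2000: "VER_SUITE_STORAGE_SERVER",
    0x4000: "VER_SUITE_COMPUTE_SERVER",
    0x8000: "VER_SUITE_WH_SERVER",
}
VER_SUITE_PERSONAL = 0x0200


def decode_suite_mask(mask):
    """Return (names of the VER_SUITE_* bits set in mask, any bits not in the table)."""
    names = [name for bit, name in sorted(VER_SUITE_FLAGS.items()) if mask & bit]
    unknown = mask & ~sum(VER_SUITE_FLAGS)  # bits outside the known 16-bit set
    return names, unknown


def wpa_installed(system_hive, name):
    """True if SYSTEM\\WPA\\<name> exists and its Installed value equals 1."""
    key = system_hive.get("WPA", {}).get(name)
    return bool(key) and key.get("Installed") == 1


def xp_edition(system_hive, suite_mask=0):
    """Best-effort XP edition label from the WPA keys, then the PERSONAL bit.

    The Professional fallback is an assumption of this example: it is what
    remains once the three edition-specific indicators have been ruled out.
    """
    if wpa_installed(system_hive, "MediaCenter"):
        return "Media Center Edition"
    if wpa_installed(system_hive, "TabletPC"):
        return "Tablet PC Edition"
    if suite_mask & VER_SUITE_PERSONAL:
        return "Home Edition"
    return "Professional"


# Constructed sample hives: what a parser might hand back for the WPA subtree.
SAMPLE_XP_HOME = {"WPA": {"MediaCenter": {"Installed": 0},
                          "TabletPC": {"Installed": 0}}}
SAMPLE_XP_MCE = {"WPA": {"MediaCenter": {"Installed": 1}}}
SAMPLE_XP_PRO = {"WPA": {}}

if __name__ == "__main__":
    for label, hive, mask in (("home", SAMPLE_XP_HOME, 0x0300),
                              ("mce", SAMPLE_XP_MCE, 0x0100),
                              ("pro", SAMPLE_XP_PRO, 0x0100)):
        names, unknown = decode_suite_mask(mask)
        print(label, xp_edition(hive, mask), names, hex(unknown))
```

The WPA check is the part the addendum actually supports; the SuiteMask decoder is there so that a value recovered by other means (for instance, a live GetVersionEx result recorded during triage) can be read without consulting the header file.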

The Illustrious Don Weber is back to blogging again, this time about AV and Linux...good stuff, as always!

If you've got a copy of Windows Forensic Analysis 2/e, go to chapter 9 and add this link to open-source forensic tools to the last page. Thanks, Claus, for the heads-up on this one...

Jamie Butler's added a new post to Mandiant's M-unition blog, this one about finding a keylogger through the use of the XPath filters in Memoryze. This is definitely worth checking out, as it allows a user to extend the tool's capabilities through scripting, just as you can do with Volatility and RegRipper.


jaymcjay said...

It's not quite as accurate, but the computer forensics task force I work with uses the boot.ini file, as it specifies the version of Windows it'll boot. Yes, it could be changed, but so could the registry values you're mentioning.

H. Carvey said...

How about the prodspec.ini file?