Tuesday, August 23, 2011

Reconnoitre

I've had the opportunity recently, thanks to Paul Sanderson (of Sanderson Forensics) to take a look at his Reconnoitre tool for accessing files within Volume Shadow Copies (VSCs).  I'm not sure how many folks have a need to do this, but VSCs have been part of Windows systems since Vista, and can provide a wealth of forensically-valuable data.  I've posted in this blog regarding accessing VSCs, and I think that the more we address this topic and how accessing the VSCs can prove to be very valuable, the more analysts will pick it up as a technique that they incorporate into their analysis whenever possible.

I should also point out that the current versions of ProDiscover (with the exception of the Basic Edition) also allow you to access VSCs within an image, even if your analysis system is Windows XP.  Check out the TechPathways Resource Center for more info.

Installing Reconnoitre was straightforward...I installed it onto a Windows XP SP3 system, and it was up and running right away.  I then connected an external USB drive on which I have a logical image of a Windows 7 system, and added the image file to the case I created, and then sat back and watched the tool process the information.

That's right...I was accessing VSCs within a Windows 7 image, from a Windows XP system.

Paul shared the following with respect to Reconnoitre:

"1.  For those investigators who are used to working directly on an image it will be a more familiar experience, obviously this could be seen as  both good and bad.
2.  It allows you to view files in a vsc alongside the current live file and see at a glance how many variants there are, a sort of overview.
3.  It allows you to easily view the MFT entry and see where the changes are.


I think the last is possibly the most useful. I have an example image where I have changed a jpg once and there are 3 entries in shadows. One is obviously the original image, a second is also the original image but only the MFT entry has been changed (the addition of an Objid stream). The final example I have not yet got to the bottom of but I think it may be possibly due to the file being moved, defrag? The allocation for the file is different, as are some other bytes in the MFT. Changes to the MFT entry for the parent folder may also be relevant."

All of these capabilities can be extremely valuable to the analyst.  One of the things I really like about this tool is that it's a tool for analysts, written by an analyst...so the functionality of the tool is derived from the author's needs, developed from performing the same sorts of investigations that we all have encountered, and will continue to see.

Be sure to visit Paul's site and check out both his commercial products and free utilities.

Note: For the skeptical folks out there, let it be known that I receive NO benefit from this posting, other than the much-appreciated opportunity to see a new tool in action.  I gain nothing...monetarily or otherwise...from taking a look at this tool.

2 comments:

Jimmy_Weg said...

I'm quite a fan of Paul's tools as well as the technical support he's lent to me over the years. I didn't see Reconnoitre on his site, so perhaps it's about to be released (or I missed something).

A quick approach to examining changes is to study the Previous Versions aspect of the Volume Shadow Service in a VM, simply by right-clicking on a file of interest. Then, you can see at a glance which, if any, versions are available. You wouldn't get to the MFT record this way, but could with a little more work.

Sanderson Forensics said...

Thanks for the kind words Jimmy.

A bit busy developing over here and had not made the web page live before Harlan posted his blog.

You are correct Reconnoitre is still in development but you can get more information here:

http://www.sandersonforensics.com/ReconnoitreVSC.html

Cheers
Paul