Monday, May 21, 2007

Creating "Dummy" files of a specific size for testing purposes

I was doing some testing on the NTFS file system and was watching how files are moved in and out of the MFT when they are small enough to it inside the MFT and be resident. I found myself creating a text file and then trying to get it to certain size to do my testing. I then found it easier to make an EnCase EnScript to create these "dummy" files for my testing. I then figured I might use the utility outside of EnCase so I then wrote a utility in Perl and compiled it to run in Windows.

Basically the program will create a "dummy" file with the name you specify, with the size you specify. The syntax is:




Download Here

Sunday, May 20, 2007

How to connect to a remote computer with EnCase Enterprise that is behind a firewall

A few years ago, I was asked if there was a way to use EnCase Enterprise to connect to a remote machine that may be located behind a firewall. The scenario I was given was what if an Investigator wanted to connect to a computer located inside a Internet Cafe to collect information during an investigation, but didn't want to solicit the help from the Internet Cafe owner/employee? I came up with a simple way to accomplish this with no regard to the legal ramifications since that was not part of the problem presented to me and should be considered by the person performing this.

There are some equipment prerequisites that you need to accomplish this:
1. EnCase Enterprise/FIM
2. A public accessible SSH server

In addition, this solution requires that someone (an additional investigator) enter the Internet Cafe and have physical access to the computer you wish to preview or collect information from. Administrative access is not required and there is no need to install anything or reboot.

The scenario would be something like an investigator doing surveillance on someone who uses an Internet Cafe and then when that person leaves, an investigator would enter and pretend to use the computer that the suspect just used. The investigator would use a floppy disk or flash drive to start the necessary applications and config and then a remote investigator could connect to the computer in the Internet Cafe using EnCase Enterprise and collect information (image, preview, etc.).

The following PDF details how to accomplish this:

Download Here
.

*Note: This solution was originally written several years ago for EnCase v4 and works in all subsequent versions, but in EnCase v6 there is an easier way to accomplish this with no need to use 3rd party software (SSH), but administrative access is required to the machine you wish to preview.

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles