Tuesday, July 31, 2007

EnScript to obtain the MAC address of a non-running machine

A recent post asking how to obtain the MAC address of a non-running machine prompted me to write a quick EnScript to pull the data from the end of Link (LNK) files. The EnScript is nothing fancy, it simply recurses through all .LNK files and grabs the MAC address at the end of the .LNK file and prints it to the console.
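As an added illustration of what such a script has to do (this is not the EnScript itself), the MAC address sits in the TrackerDataBlock at the tail of a .LNK file: the File Droid and Birth File Droid are version 1 GUIDs, and the last six bytes of a version 1 GUID are the node identifier, normally the NIC's MAC. The script below locates that block, checks the GUID version (machines without a NIC get random version 4 GUIDs, which carry no MAC), and parses a constructed sample; the machine name, GUID values and the header stub are made up for the example.

```python
import struct
import uuid

TRACKER_SIGNATURE = 0xA0000003   # MS-SHLLINK TrackerDataBlock signature
TRACKER_SIZE = 0x60              # fixed block size: 4 header ints + 16-byte name + 4 GUIDs

def format_mac(node):
    h = "%012X" % node
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def extract_lnk_tracker(data):
    """Return (machine_id, [MACs]) from a LNK file's TrackerDataBlock, or None if absent."""
    sig = struct.pack("<I", TRACKER_SIGNATURE)
    pos = data.rfind(sig)
    if pos < 4:
        return None
    start = pos - 4                                   # BlockSize precedes the signature
    block_size, = struct.unpack_from("<I", data, start)
    if block_size != TRACKER_SIZE or start + TRACKER_SIZE > len(data):
        return None
    machine_id = data[start + 16:start + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
    macs = []
    for off in (start + 48, start + 80):              # FileDroid and BirthFileDroid GUIDs
        g = uuid.UUID(bytes_le=data[off:off + 16])
        # only a version 1 (time-based) GUID carries a MAC in its node field
        if g.version == 1:
            mac = format_mac(g.node)
            if mac not in macs:
                macs.append(mac)
    return machine_id, macs

def build_tracker_block(machine, volume_guid, file_guid):
    """Assemble a TrackerDataBlock (used here only to construct test input)."""
    return (struct.pack("<IIII", TRACKER_SIZE, TRACKER_SIGNATURE, 0x58, 0)
            + machine.encode("ascii").ljust(16, b"\x00")
            + volume_guid.bytes_le + file_guid.bytes_le      # Droid
            + volume_guid.bytes_le + file_guid.bytes_le)     # DroidBirth

# Constructed sample: a version 1 file GUID with a made-up MAC and a random volume GUID
FILE_GUID = uuid.UUID(fields=(0x46C2CD7C, 0xD3C4, 0x11DC, 0x9A, 0x8B, 0x000C29AABBCC))
VOLUME_GUID = uuid.UUID("4e0c2b3a-8f1d-4c6e-9a2b-5f7d8e9c0a1b")
SAMPLE_LNK = (b"L\x00\x00\x00" + bytes(72)                   # 76-byte header stub, not a real one
              + build_tracker_block("WORKSTATION1", VOLUME_GUID, FILE_GUID)
              + bytes(4))                                      # terminal block

if __name__ == "__main__":
    print(extract_lnk_tracker(SAMPLE_LNK))
```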

Download Here

Monday, July 23, 2007

Decoding encoded IIS logs

When doing intrusion investigations, I have run across IIS web logs that have encoded entries that were the product of a SQL injection attack. Many times the attacker will encode the web request that is sent to the webserver and then subsequently to the SQL server by using ASCII values for the characters or HEX values. There are several reasons for doing this and there are several automated tools that an attacker can use that will automatically encode the string he/she wishes to send.

For example, imagine the attacker wants to send the HTTP GET request of :
"id=999999 or select * from cctable"

You obviously cannot send spaces in a URL, so it would be rewritten as:
"id=999999%20or%20select%20*%20from cctable"

Special characters are also usually never explicitly represented, so they too can be replaced by an ASCII representation or HEX value such as:
"id=999999%20or%20select%20char(42)%20from cctable"

This type of encoding makes reading and understanding what type of SQL commands the attacker is sending very difficult. So I wrote an EnScript that does a simple search and replace for several types of encoding in order to make it easier to understand what the attacker was doing. This can also help with keyword searching: if the word you were searching for was encoded, it obviously would not be found in its encoded form.

The following is an example of a real encoded IIS weblog entry:
pageid=830%20And%20(Select%20Top%201%20char(124)%2Bname%2Bchar(124)%20From%20(Select%20Top%201%20[name]%20From%20[syscolumns]%20where%20(id%20=%20(SELECT%20TOP%201%20id%20FROM%20[sysobjects]%20WHERE%20name%20=%20char(112)%2Bchar(97)%2Bchar(103)%2Bchar(101)%2Bchar(99)%2Bchar(111)%2Bchar(110)%2Bchar(116)%2Bchar(101)%2Bchar(110)%2Bchar(116)%2Bchar(115)))%20Order%20by%20[name])%20T%20Order%20by%20[name]%20desc)>0%20--

The decoded entry looks like this:
pageid=830 And (Select Top 1 +name+ From (Select Top 1 [name] From [syscolumns] where (id = (SELECT TOP 1 id FROM [sysobjects] WHERE name = p+a+g+e+c+o+n+t+e+n+t+s)) Order by [name]) T Order by [name] desc)>0 --
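The same decoding done outside EnCase, as an added example that is not the EnScript from this post: the request field is URL-decoded first (%20, %2B, %3E), then each char(n) call and each 0x hex literal that decodes to printable ASCII is rewritten as a string literal, and runs like 'p'+'a'+'g'+'e' are joined into 'page'. The log line is constructed for the example and modelled on the entry above; the timestamp, client address and page name are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample W3C-style IIS log line, modelled on the encoded entry above (not a real log)
SAMPLE_LINE = (
    "2007-07-20 10:15:01 10.0.0.5 GET /default.asp pageid=830%20And%20(Select%20Top%201"
    "%20char(124)%2Bname%2Bchar(124)%20From%20[sysobjects]%20WHERE%20name%20=%20"
    "char(112)%2Bchar(97)%2Bchar(103)%2Bchar(101)%20or%20name=0x70616765)%3E0%20-- 500"
)

CHAR_CALL = re.compile(r"\bn?char\((\d{1,3})\)", re.IGNORECASE)   # char(112), nchar(112)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")           # 0x70616765
QUOTED_RUN = re.compile(r"'[^']'(?:\+'[^']')+")                      # 'p'+'a'+'g'+'e'

def sql_literal(text):
    """Render text as a single-quoted T-SQL string literal (embedded quotes doubled)."""
    return "'" + text.replace("'", "''") + "'"

def _char_call(m):
    code = int(m.group(1))
    # only printable ASCII is rewritten; control codes are left as-is for the analyst to see
    return sql_literal(chr(code)) if 32 <= code < 127 else m.group(0)

def _hex_literal(m):
    raw = bytes.fromhex(m.group(1))
    if all(32 <= b < 127 for b in raw):
        return sql_literal(raw.decode("ascii"))
    return m.group(0)          # binary value, not an obfuscated string

def decode_request(field):
    """URL-decode one field, then rewrite char()/0x encodings as readable string literals."""
    text = unquote(field)                 # %20 -> space, %2B -> '+', %3E -> '>'
    text = CHAR_CALL.sub(_char_call, text)
    text = HEX_LITERAL.sub(_hex_literal, text)
    # collapse 'p'+'a'+'g'+'e' into 'page' so the concatenated word reads naturally
    return QUOTED_RUN.sub(lambda m: sql_literal(m.group(0)[1:-1].replace("'+'", "")), text)

def decode_log_line(line):
    """Decode every space-separated field of an IIS log line."""
    return " ".join(decode_request(f) for f in line.split(" "))

if __name__ == "__main__":
    print(decode_log_line(SAMPLE_LINE))
```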

To use within EnCase, select (blue check) the IIS log and then run the EnScript, check the console for results.

Download Here
(tested in v6.5)

Sunday, July 22, 2007

Export EnCase evidence file to DD image

I had a need to convert an EnCase image file to a DD image. There are several ways to do this, but many require using 3rd party tools or restoring the original drive. So I wrote an EnScript that can do it natively within EnCase preventing me from having to use 3rd party tools.

When you run the EnScript, it will write the DD image to your default export folder (so remember to set it correctly) and name it the same as your evidence. Obviously, the normal rules apply when writing a file out to a file system that has size limitations (FAT), so consider that when exporting your DD image and use a file system that can handle large files. I may add the ability to "split" the files in the future.

Speed is not blazing fast, but it works.. ;) You can estimate about 1GB per minute for an average computer system.

Once exported, the MD5 hash of the DD file should verify with any 3rd party tool to be the same as what EnCase reports. MD5 reported by EnCase:

(screenshot not reproduced)

MD5 reported by WinHex on exported DD file:

(screenshot not reproduced)

Download Here

Tested in EnCase v6.5

Saturday, July 21, 2007

USB Device History EnScript

I finally got around to updating my USB device History EnScript to extract some additional information. The EnScript now extracts and lists all previously connected USB devices via the USBSTOR key, then lists all the devices from the DeviceClass keys, then lists all the Mounted Devices, their associated assigned drive letters and then attempts to map a drive letter to any of the previously connected USB devices, if the information still remains.

The output is to the Console tab for now until testing is finished. The output is tab-delimited so it can easily be copied to the clipboard and then pasted to Excel or saved to a file and then imported into Excel.

Tested in Windows 2000, Windows XP, Windows 2003 & Vista

Download Here
(v6)

Download Here
(v5)

Wednesday, July 18, 2007

Recovering MFT records from unallocated space or $Logfile

The $Logfile in NTFS file systems is a transaction journal of changes to the $MFT. You can commonly find file fragments and MFT records in this file. You can also sometimes find MFT records in unallocated space. MFT records are fairly easy to read once you know the structure, but I wanted an easier way to extract them and put them in a report type display. The value of searching for old MFT records is that you can often find records that show the filename of a file that no longer exists and extract the metadata about that file, such as timestamps and what the parent folder was.

To use this EnScript, conduct a keyword search for the MFT record header of 'FILE'. A good keyword is FILE[0\*] marked as GREP and case sensitive. Search the $Logfile, unallocated or any other file you want. Once the search is completed, view the results and select (blue check) the search hits you want to extract into readable text:



Once you have selected certain search hits (or all of them) run the EnScript and look in the console. Valid MFT records will be decoded and written out into the Console for easy reading and you can copy and paste into a report if you wish:



In the future I will add the search function into the script itself so you don't have to manually perform the search; I was just lazy and wrote it to fulfill a quick need. I also have an EnScript that will decode INDX (directory entry) records found in the $Logfile (or any other file you wish), which I will publish soon.

Tested in v6.5
Download Here

Adding Hash values to an existing .hash file in EnCase

In my previous post I explained that in the past I have had the need to import hash values from a text file into an EnCase .hash file for use by EnCase and therefore I created an EnScript to import from a text file. In addition, I have also had the need to add hashes to an existing .hash file in EnCase.

You can easily make a hash set in EnCase, but you cannot add to an existing hash set within EnCase. To make matters worse, what if you don't have the files that were used to create a hash set, for example, if the hash set was given to you by another examiner? You would have to create a new hash set with the new files and then also keep the existing one.

Therefore, I wrote an EnScript to hash and then add selected (blue checked) files into an existing EnCase .hash set. The main purpose for writing this was so I could continually add hash values of hacker tools or malware into one hash set, without having to have or maintain the original files to rehash them in order to make a new hash set.

Enjoy.. (tested in v6.5)

Download Here

Tuesday, July 17, 2007

Importing hash values from a text file into EnCase

While doing a compartmentalized team investigation, I had a need to look for several dozen files that I did not actually have possession of, as they were collected by another group. I was given a text file with the hash values of the files I was instructed to look for. I needed a quick way to import the hash values into a hash set for EnCase.

This EnScript reads a simple comma delimited text file with 3 fields per line: filename,size,hash. The name and size are ignored (the file was made by a third party utility); the hash value is read in and a .hash file is created for use by EnCase.

Download Here

EnCase EnScript to quickly sort last written timestamps on registry keys

One of the many analysis techniques that I use when looking at compromised computers is to analyze registry keys and the last written date on the various keys. If I have a time frame that I am focusing on based on some other type of artifact, I commonly look at all the registry keys that have a last written date near my target date.

I wrote an EnCase EnScript to mount the registry hives and then dump all the registry keys and their last written dates into a Bookmark Log Record view so I could then sort them, export them, print them or whatever. Commonly I used to just mount the registry hives and then select the "show all" and then sort the files and registry keys at the same time and in the same view. That method is still a valuable one, but I wrote this so I could make bookmarks and separate the registry keys into their own bookmark area for closer analysis.

To use this EnScript, copy to your EnCase EnScript folder and then refresh your EnScript folder in EnCase (if EnCase is currently running). Simply double-click on the EnScript and it will mount the registry hives and dump the data in the bookmark tab, log records subtab.

*Note that the Bookmarks->Log Records tab has a hard-coded column named "Last Accessed", although registry keys only have a last written timestamp. I have populated that column with the last written timestamps.

Download Here

Saturday, July 14, 2007

Obtain Service Pack/Patch information quickly in EnCase

In almost every forensic report that I write, I include the OS type, service pack level and patches that have been applied to the OS. This information sets the foundation as to what level of OS is installed and starts to give indications as to what is possible in terms of exploits against this machine.

This is a quick EnScript I wrote to extract this information from the registry and print to the console tab of EnCase so I could copy and paste all or a portion of it into a forensic report.

*note - this currently does not work on Vista

Download Here

Tuesday, July 10, 2007

Vista Bitlocker in EnCase

During CEIC 2007, Dominik Weber gave a great presentation on Vista Bitlocker and how EnCase supports viewing Bitlocked drives. This presentation is a high-level overview of the various Vista bitlocker features and some things an investigator should be aware of when conducting forensics involving a bitlocker drive.

Download Here

Office Metadata EnScript

A colleague in South Africa (peace OB) asked me for a script that could quickly kick out MS Word MetaData to the console and bookmark them for review. This is a pretty specialized EnScript, but I figured others may have the same need.

Here is sample output in the Console:




Download Here

Sunday, July 8, 2007

UserAssist Registry Keys EnScript

A lot has been written about the UserAssist keys and their value, no need to repeat the same mantra.

This is an EnCase EnScript I wrote several years ago to decode and bookmark (and export) the UserAssist keys for all users.

Download Here

You also need to download this Include file and place it in your \Program Files\EnCase6\EnScript\Include folder:

Include File

Wednesday, July 4, 2007

Exporting Program Icons EnScript

One of the other techniques I often use when looking for malware, hacking tools and other signs of malfeasance is to examine the program icons in various programs. Icons are embedded inside each executable file. Not all executables have icons, but for the ones that do, the icon itself might indicate something is wrong. For example:

You locate a file named svchost.exe and it does not match any hash set that you have. You scan it with anti-virus and nothing is detected. You export the file and see the following:


Obviously something is not right. Recognizing an icon like this is an easy way to identify problems. Now, there are other ways to probe a file and determine its purpose, but I wrote this script to kick out all the icons in selected (blue checked) executables so I could quickly visually scan them (low-hanging fruit). If the executable does not have an embedded icon, then nothing is exported.

Additionally, this could have some very interesting applications by creating a hash set of just icons. Then, by extracting and hashing the icon, you could possibly identify files by the icon alone, regardless of what the overall hash of the file is. This possibly negates the issue of different hashes caused by different versions of the file, or by the file having been altered, packed or compressed with a runtime packer, thus altering the file's hash.

To install, just copy the EnScript to your EnCase EnScript directory and then double click. It will ONLY process files that are selected (blue checked); it skips files that are selected but are not EXEs. All icons of selected executables are exported to your default export folder in .ico format so you can set your Windows Explorer folder view to thumbnails and view them quickly.

Download Here

Computer Forensics, Malware Analysis & Digital Investigations