Tuesday, October 30, 2007

EnScript to read Windows Vista Firewall rules

I was messing around with some Vista stuff and I noticed that it maintains the firewall rules (exceptions) in the registry differently than in Windows XP/2K3. They can be found here in the registry:


So I decided to write an EnScript that reads the firewall rules, displays them in the console and creates some bookmarks. The EnScript parses the SYSTEM registry hive and reads the firewall exceptions on a Windows Vista system. It then prints all the ACTIVE firewall exceptions to the console.

In addition, three bookmark folders are created: All Active Firewall Rules, Active Firewall Rules with local port exception & Active Firewall Rules by Application. The first folder contains all the ACTIVE firewall exceptions. The second contains only the ones that specify a local port exception, and the third contains all of the ACTIVE port exceptions with the associated application as the first field, so you can sort on it and see which applications are associated with each exception.

Written for EnCase v6

Download Here

Sunday, October 28, 2007

EnScript Tutorial Part III

After being gone out of the country for nearly 6 weeks, I finally have some time to continue this tutorial.

In Tutorial II, we finished by building a basic EnScript that recursed all the evidence and printed the name of every object to the console. In this tutorial we will take it one step further and begin to make decisions based on certain criteria. In Tutorial II we finished with the following code:

The next step is to use conditional control structures to select only certain files based on certain criteria.

One of the foundational conditional statements is the "IF" statement. An example of an IF statement is the following:

if (entry.Name() == "system"){
// code goes here
}
As the EnScript recurses the evidence, it will evaluate each object in the evidence to see if the name field is equal to "system" by answering the question of whether it is "true" or "false". If it is "true", then any code in the curly braces will execute. It is important to note that this type of evaluation is case-sensitive and must be exact, so "System" or "System.dat" evaluate to false against a file named "system" and the code in the curly braces would not execute.

In the above code, we have inserted the "IF" statement, but notice that there are no curly braces as there were in the example shown earlier. There are two ways to write control statements. The first is to use an opening curly brace and then a closing curly brace, putting any code you want to execute if the evaluation is true inside the braces.

The second way is to not use any curly braces; then, if the conditional statement evaluates to true, only the very next line is executed, and if it evaluates to false, that next line is skipped. So in the example above, if "if (entry.Name() == "system")" is true, then the next line, "Console.WriteLine", will execute. If it is false, that line will be skipped and the script effectively ends. If there were additional lines of code after the Console.WriteLine command they would still execute, but in this case there are none, so the script ends.

EnCase provides a few built-in functions to help make matching text a little easier. The first one I will discuss is the Contains() function. The Contains() function looks inside a string for a fragment and returns true if that fragment is found anywhere inside the initial string. For example:

if (entry.Name().Contains("sys")){
// code goes here
}

In this example, as the EnScript recurses each object in the evidence it will evaluate the name field to see if it "contains" the letters "sys". If it does, then it evaluates to true and the code inside the curly braces executes. The Contains() function is not case-sensitive, and it does not matter where the string fragment is located inside the initial string. The file name "system.dat" would evaluate to true, as would the file named "mmsystem.dll", since they both have "sys" inside them somewhere. To learn more about built-in functions such as Contains(), you can select EnScript Types from the "View" menu. The Contains() function is a member of the String class. If you look in the String class, you will see the Contains() function and a brief syntactical explanation of its use.

If you need to evaluate based on case, then you can't use Contains(), but you could use the Compare() function. The Compare() function takes two inputs: the string you want to evaluate against, and then a Boolean value to indicate whether you want the comparison to be case-sensitive. For example:

if (entry.Name().Compare("system", true) == 0) {
// code goes here
}

The Compare() function returns a non-zero value for any text which is lexically less than or greater than the text you are looking for. If the text is exactly the same, the Compare() function returns zero (I know, it seems reversed, since zero traditionally means false in Boolean). This is why there is a "== 0" at the end of the statement. This statement would evaluate to true only if the file name was exactly "system", not "System" or "system.dat".

Once you have used a control statement such as "IF", you probably want to do something with that file, like read text from it or bookmark it. In this tutorial I will introduce the method to bookmark a specific file based on some type of criteria, such as the examples above. In future tutorials, I will detail how to open and read data from a file (file I/O).

To bookmark an object, you should first create a folder to put your bookmarks in. You could just bookmark your file in the root of the bookmark tree, but that would be messy and disorganized. To create a bookmark folder to later place your bookmarks into, you use the following statements:

BookmarkFolderClass folder;
folder = new BookmarkFolderClass(c.BookmarkRoot(), "My Bookmark Folder");

The first line creates a variable named "folder" of the BookmarkFolderClass type. Then, the second line instantiates (creates) the object named "folder" in the root of the bookmark tree, naming it "My Bookmark Folder".

The next step is to then bookmark any files or folders that you want with the following command:

folder.AddBookmark(entry, 0, entry.LogicalSize(), entry.Name(), BookmarkClass::SHOWREPORT, BookmarkClass::LOWASCII);

I will break this down into segments. The first segment is "folder.AddBookmark". Above, you created a reference to a BookmarkFolderClass object named "folder". To add bookmarks into that folder, you use the function AddBookmark(). The first segment says "add a bookmark into the "folder" object".

The second segment consists of the inputs that the function expects, which tell EnCase WHAT to bookmark, WHERE to bookmark, how to name the bookmark, and how to display it in the bookmark tab.

The first input (entry) is the EntryClass object that you want to bookmark.

The second input is the offset where you want the bookmark to start; in this example, from the beginning of the file (zero).

The third is the length of the bookmark from that starting offset; in this example, to the end of the logical file.

The fourth input is the name of the bookmark as you want it to appear in the bookmark tab; in this example, the name of the file/folder object.

The fifth input is the options, such as show in the report, show as a picture, etc. In this example, it will be shown in the report view of the bookmarks.

The sixth input is the view type. This tells EnCase how to display the data you have bookmarked: should EnCase show it in hex, ASCII, as a timestamp or as an HTML page? In this example, it displays low ASCII characters (<128). Our finalized code using the examples explained above is:

This EnScript will recurse all evidence and look at each object for a file or folder name that is exactly "system". When found, it will bookmark that file/folder from the very beginning of the file to the end of the logical file. After running this EnScript, you should have a bookmark folder named "My Bookmark Folder" in the root of the bookmark tab, and any files that matched this criteria will be bookmarked in that folder.
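As an added example (my own, not the tutorial's finalized listing, which does not appear on this page), here is one complete EnScript that puts the pieces above together; it assumes the standard EnCase v6 entry point of a MainClass with Main(CaseClass c) and a forall loop over c.EntryRoot(), and the hits counter is a hypothetical addition:

```enscript
class MainClass {
  void Main(CaseClass c) {
    // Create the folder in the root of the bookmark tree first,
    // so every match below lands in one organized place.
    BookmarkFolderClass folder;
    folder = new BookmarkFolderClass(c.BookmarkRoot(), "My Bookmark Folder");

    // Hypothetical counter so the console shows how many objects matched.
    int hits = 0;

    // Recurse every entry (files and folders) in all evidence in the case.
    forall (EntryClass entry in c.EntryRoot()) {
      // Compare(..., true) is a case-sensitive, exact match: only "system"
      // qualifies, not "System" or "system.dat". Zero means "equal".
      if (entry.Name().Compare("system", true) == 0) {
        Console.WriteLine(entry.FullPath());
        // Bookmark from offset 0 for the logical size, named after the
        // entry, shown in the report, displayed as low ASCII.
        folder.AddBookmark(entry, 0, entry.LogicalSize(), entry.Name(),
                           BookmarkClass::SHOWREPORT, BookmarkClass::LOWASCII);
        hits = hits + 1;
      }
    }

    Console.WriteLine("Objects bookmarked: " + hits);
  }
}
```

Swap the Compare() test for entry.Name().Contains("sys") to see the broader, case-insensitive match described earlier land many more entries in the same folder.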

Saturday, October 27, 2007

Online Virus scanners & Sandbox

When doing investigations, I commonly come across files that I either suspect are viruses/malware or that I am not sure what they do, and I am looking for some help determining what a specific file does before I invest the time to sandbox it on my own and do a dynamic analysis.

The two sites I use most often for AV detection are:


Both of these sites use multiple AV detection engines to scan the file that you upload and then present the results, usually within 60 seconds or so. This can give you a head start and an indication of whether you are in fact dealing with a virus or some type of malware. As always, the fact that nothing is detected is not a guarantee that it is not malware; in fact, I have found many executables that come back clean and then, when I do the dynamic analysis, turn out to be malware that the AV companies have not yet included a signature for.

The third site I use has a large database of hash values for known good and known bad files. You can paste the hash value of a file into their web interface and it will tell you if that hash is in their database, coming back with a green or red indication. Green means an application they recognize by hash as not harmful (i.e. calc.exe or cmd.exe). Red indicates they recognize the hash value as some type of malware or hacking tool. The site is free, and no registration or information is required to input the hash value of any file to see what their database has on that file. If you register with them (free), you can download a Win32 app that adds a right-click (shell extension) option: right-click on any file, select FileAdvisor, and it will hash the file, send the hash to the database and then display the results. The URL for this service is:


The last site I will mention is a virtual sandbox. You can upload a file and the service will run it and provide all sorts of interesting information about the file, such as what DLLs it loaded, what files it opened, modified or created, any network connections it makes and/or any DNS name resolutions it requested, and any registry access. It certainly provides the initial basic information of a dynamic analysis and, quite frankly, has saved me a lot of time in the past. The site is free, although you have to provide an email address where the link to the report will be sent. If the file is known to the database, it will tell you it has already been submitted in the past and immediately allow you to view the report. If it hasn't been submitted before, then it sandboxes the file and you will receive an email in a few minutes with a link to the full report. This is where mailinator comes in handy.. ;) The URL for this service is:

Sunbelt Sandbox

As usual, use at your own risk and take the results with a grain of salt.

If anyone has any other sites they find useful, please feel free to comment and post them.

Tuesday, October 23, 2007

EnScript to detect use of "slacker.exe", anti-forensic tool

I was playing around with "Slacker", an anti-forensic tool that hides data in the file slack area of various files. The tool has been around for quite a while and I have heard of its use a few times in real investigations, so I decided to finally write an EnScript to try and detect its use.

I am not into all the anti-forensic hype that goes around the Internet and various conferences, so I usually don't spend a lot of time trying to defeat anti-forensic techniques; they usually defeat themselves. In this case, I had some time to kill and decided to write something to try and detect data hidden with the slacker utility.

I have tested this with two versions of slacker: the one currently available for download as of today, and an older version I had archived:

Written for EnCase v6.

Download Here

EnScript to export x bytes around selected search hits

A friend was doing some eDiscovery work and needed to export some search hits for review by an attorney. He decided he wanted to export some of the text around the search hit so the reviewing party would have some context to evaluate the located search hit.

This EnScript was written to export x number of bytes before and after a selected search hit. To use it, perform your keyword search as normal, then select (blue check) the search hits you want to export and run the EnScript. The EnScript will export whatever number of bytes before and after the hit that you specify. If the search hit is closer to the beginning or end of the file than the number of bytes you specified, then only the data available from the beginning of the file or up to its end will be exported.

Written for EnCase v6, but should run in v5

Download Here

Computer Forensics, Malware Analysis & Digital Investigations
