Monday, November 19, 2007

Vista Volume Shadow Service (VSS) Information - Assistance Request

*Edit 11/20/07 - For clarity, I renamed this blog to Vista VSS information since that is actually the information I am trying to extract, not the System Restore Point information.

Windows Vista introduced several new features, one of which I think will have a huge impact on computer forensics, that being the "Previous Version" feature. The "Previous Version" feature uses the Volume Shadow Service present in Windows 2003, but brings it to a new level by making block level copies of clusters that can contain user files (documents, images, etc).

I have been looking into the new VSS storage method and I think I have found a way to extract some good information about the VSS (step one). Then once I get that figured out, I hope to write an EnScript that might be able to extract the files that have been stored inside the VSS.

This is where I need some assistance from those who have either a running Vista machine with EnCase loaded or an image file of a Windows Vista system that can be viewed in EnCase 6. I have written an EnScript to highlight a record of information in the VSS files, but I am not sure yet how the records vary based on type of machine, number of drives, etc. So I am asking for assistance: download and run the EnScript below, then submit the output back to me so I can compare the various records and see what the differences are.

The EnScript below searches for a record identifier, then bookmarks possible valid records. It also exports each record to a raw file in your default export folder (one file for every valid hit). My initial research shows one record is present for each VSS file in the "System Volume Information" folder.

The EnScript is not compiled and is readable by anyone, so you can see what it is doing. I have heavily commented each line of code to explain what the EnScript is doing, line-by-line. It is fairly simple. It is looking for a hex value present at the beginning of each record, then reading a value which indicates the length of the record and then bookmarking/exporting that record. The record does not contain anything I consider super-sensitive. The record does contain the name of your machine, the workgroup/domain it belongs to, your machine GUID, some timestamps, the VolumeGUID and the label of the volume.

If you are uncomfortable with sending me this information, thanks for your interest, but stop here.

For those willing to send me this information, please download the EnScript below, preview/load a Windows Vista system in EnCase 6, select all files with GUID names in your "System Volume Information" folder and then run the EnScript.

Once completed, look in your default export folder (C:\Program Files\EnCase6\Export) and review the contents to make sure you are comfortable sending them to me. Feel free to edit any of the Unicode strings (machine name, domain name, etc.) in the exported data with an editor to redact anything you don't wish to share with me; just be careful to preserve the original format of the record. If you are then comfortable that nothing sensitive is contained in the files, zip up the exported files and send them to me at lance (at) I will not be sharing any of the submitted files with anyone else. When sending information, please indicate which version of Vista it is.

To those of you who participate and send me exported data: I will send you beta/final versions of the EnScript as a token of appreciation for your assistance in its development.

Written for EnCase v6

Download Here

Thursday, November 15, 2007

New EnScript Features in EnCase 6.8

As I blogged about earlier, EnCase v6.8 was released yesterday (11/14/07). For no other reason than the new EnScript features, you should consider upgrading. There is a long list of fixes and enhancements, but the new EnScript features are very cool.

The first new feature seems trivial, but it's a very welcome addition: EnScript editing now has line numbering. It is turned off by default; to enable it, go to "Tools" -> "Options" -> EnScript tab, where there is now a checkbox that says "Show line numbers".

Checking this box will immediately enable line numbering in any/all EnScripts you may have open for editing. Then, when you compile the EnScript if there are any syntax errors, EnCase will generate an error in the "Output" tab and show you the vertical line number and horizontal position of the code that generated the error.

Very cool!....

The second new feature is even better! You can now do real-time debugging of an EnScript, including setting breakpoints and watching variable values during execution.

How it works
To enable this feature, you need to first create a project. In EnCase, select "View" -> "Projects". In the Table pane (upper right), right-click anywhere and choose new (or press the Insert key). Name your project whatever you want and then select the EnScript you want to debug:

Once you select "OK", go back to the EnScript editing window and you should see the "Run" button has been replaced by a "Start Debugging" button. You can now set a breakpoint by clicking your mouse anywhere on the left column where the line numbers are now displayed. This will cause a red ball to appear on the line you clicked on, enabling a breakpoint on that line (you can set multiple breakpoints). Then when you run your EnScript, program execution will pause when it reaches the line where you placed the breakpoint. You can then continue, step over, step into or break the execution at that point. You can also view the value of all the variables at that point of execution in the lower view pane.

Very nice....Although it's not yet a full-featured IDE, this will definitely help when debugging and developing an EnScript!

EnScript to export x bytes around search hit with HTML report

A few weeks ago I posted an article and EnScript to export x bytes around a search hit. You can read about it here.

I received an email from a reader asking if I could modify it to create an HTML report of the search hits, with the search hit being highlighted in red and then some additional information in the report. Seeing how there was nothing interesting on TV, I took the time to modify the existing script to create an HTML report.

How it works:
Run your keyword search against your evidence. Once the search is complete, view your search hits, then select (blue check) the ones you want to export (one, many, all). Then run the EnScript. The EnScript will take each search hit that you have selected and carve out the text around the keyword depending on the before and after integer values you provided (2000 before and 2000 after is default). This new version will also create a simple HTML "Proximity Report" in your default export folder if you select the "Create HTML report" check box on the starting menu.

The HTML report is nothing fancy, but I guess it serves the purpose.
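The carve-and-report procedure above, as an added Python example (not the post's EnScript, which runs inside EnCase): find each keyword hit, carve the configured number of bytes before and after it, keep one export chunk per hit, and build an HTML "Proximity Report" with the hit shown in red. Every evidence-derived string is HTML-escaped, because carved data is untrusted and a report opened in a browser would otherwise render whatever markup the suspect's files happened to contain. The evidence buffer, keyword and file name are constructed here for illustration.

```python
import html
import string

# Bytes that are shown as-is in the report; everything else is rendered as '.'
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
STYLE = ("<style>.hit{color:red;font-weight:bold}"
         ".ctx{font-family:monospace;white-space:pre-wrap}</style>")


def find_hits(data, keyword):
    """Return the offset of every (possibly overlapping) occurrence of keyword in data."""
    hits, pos = [], 0
    while (pos := data.find(keyword, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


def carve_around(data, offset, hit_len, before=2000, after=2000):
    """Return (start, chunk): bytes from `before` ahead of the hit to `after` past it, clamped."""
    start = max(0, offset - before)
    return start, data[start:min(len(data), offset + hit_len + after)]


def export_chunks(evidence_name, data, keyword, before=2000, after=2000):
    """One carved chunk per hit, keyed by the export file name (writing them is a loop away)."""
    return {f"{evidence_name}_hit_{off}.bin": carve_around(data, off, len(keyword), before, after)[1]
            for off in find_hits(data, keyword)}


def to_text(chunk):
    """Render bytes for the report: printable ASCII kept, everything else shown as '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in chunk)


def build_report(evidence_name, data, keyword, before=2000, after=2000):
    """Build the HTML proximity report; all evidence-derived text passes through html.escape."""
    rows = []
    for off in find_hits(data, keyword):
        start, chunk = carve_around(data, off, len(keyword), before, after)
        rel = off - start
        pre, hit, post = chunk[:rel], chunk[rel:rel + len(keyword)], chunk[rel + len(keyword):]
        rows.append(f"<tr><td>{html.escape(evidence_name)}</td><td>{off}</td><td>{len(chunk)}</td>"
                    f"<td class=\"ctx\">{html.escape(to_text(pre))}"
                    f"<span class=\"hit\">{html.escape(to_text(hit))}</span>"
                    f"{html.escape(to_text(post))}</td></tr>")
    return ("<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Proximity Report</title>"
            + STYLE + "</head><body><h1>Proximity Report</h1>"
            + f"<p>Keyword: <code>{html.escape(to_text(keyword))}</code>, "
            + f"{before} bytes before, {after} bytes after</p>"
            + "<table border=\"1\"><tr><th>Evidence</th><th>Offset</th><th>Carved bytes</th>"
            + "<th>Context</th></tr>" + "".join(rows) + "</table></body></html>")


# Constructed sample buffer (not real evidence): two hits, one of them next to markup
# that must not reach the browser unescaped.
SAMPLE_EVIDENCE = (b"\x00\x01\x02 user=alice password=Tr0ub4dor&3 \x00\x00"
                   b"<script>alert('report XSS')</script> password=hunter2\n" + b"\xff" * 40)

if __name__ == "__main__":
    print(build_report("pagefile.sys", SAMPLE_EVIDENCE, b"password", before=24, after=24))
```

The defaults match the post's 2000 bytes before and after; the constructed sample uses 24 so the context stays readable. Writing the report to the export folder is just `open(path, "w", encoding="utf-8").write(build_report(...))`.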

Both are written for EnCase v6

New version with HTML report
Old version with no HTML report

EnCase v6.8 is now available

EnCase v6.8 was released yesterday. This version has several bug fixes and some changes to the interface that may take a little getting used to.

Head over to, input your dongle ID and you will receive an email with a link to download the latest version.

Wednesday, November 7, 2007

Extract MFT records from Memory dump

I have been following the development of several tools to extract evidence from memory dumps of live machines. There have been several tools developed to assist with this, including several listed on Andreas Schuster's blog.

Traditionally, examiners would run the "strings" command against collected memory dumps (if they had them) and that was it. In the past two years some tools have been developed and showcased during the DFRWS and other various conferences. Some of the tools attempt to extract the running process list from the captured memory.

I decided to start developing some tools in EnScript to extract information from memory dumps. I have 'tools' in mind that I want to develop and this is the first one. This EnScript will search any selected (blue checked) file in EnCase for MFT records, based on the MFT record header of FILE* or FILE0. Once found, the EnScript will attempt to parse out the Standard Information Attribute for the timestamps associated with the file/folder and then all Filename Attributes for the name of the file and the associated timestamps stored in the Filename Attribute. The idea behind this EnScript is that there may be MFT records in memory (typically thousands) that are of interest to you, such as malware or hacking tools, etc.

Any successfully parsed records will be written to the console and also bookmarked.

How it works:
Typically, memory dumps are collected as one large 'dump' or file that contains the contents of memory. If you add that file into EnCase (drag and drop into an open case), then select that one file and run the EnScript, all parsed records will be displayed in the console and bookmarked.

What it collects:
It currently parses any found MFT records for the Standard Information Attribute data and also the data contained in the Filename Attribute, including the filename and associated timestamps.

What it does not parse:
The EnScript currently does not parse out directory entry contents. Each directory has its own MFT record (which will be parsed), but the contents of that directory are stored either as resident data in the MFT record or as non-resident data in an INDX buffer. Currently this EnScript does not parse and display the contents of directories.
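The carving described above, as an added Python example rather than the post's EnScript: scan a raw dump for the FILE0/FILE* header, validate the candidate through its update-sequence fixups, then parse the resident $STANDARD_INFORMATION and $FILE_NAME attributes for names and timestamps. Record and attribute layouts are the documented NTFS structures; the 1 KiB record size is an assumption, and the "memory dump" (two records plus a false-positive signature inside a log line) is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# "FILE" followed by the low byte of the update-sequence-array offset: 0x30 ('0') on
# XP/Vista records, 0x2A ('*') on older NT ones, hence the FILE0 / FILE* headers.
MFT_SIGNATURES = (b"FILE0", b"FILE*")
MFT_RECORD_SIZE = 1024                      # assumption: default record size
ATTR_STANDARD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01) -> ISO-8601 UTC, None if absurd."""
    try:
        return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")
    except OverflowError:
        return None


def iso_to_filetime(iso):
    """Inverse of filetime_to_iso; only used to build the constructed sample records."""
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def apply_fixups(raw):
    """Undo the update-sequence fixups; None means the USN check failed (false positive)."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_count < 2 or usa_off + 2 * usa_count > len(rec):
        return None
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):             # one entry per 512-byte sector
        end = i * 512 - 2
        if end + 2 > len(rec) or rec[end:end + 2] != usn:
            return None
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def iter_resident_attributes(rec):
    """Yield (type, content) for each resident attribute up to the 0xFFFFFFFF end marker."""
    off = struct.unpack_from("<H", rec, 20)[0]   # offset of the first attribute
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 24 or off + alen > len(rec):
            return
        if rec[off + 8] == 0:                    # non-resident flag clear
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            if coff + clen <= alen:
                yield atype, rec[off + coff:off + coff + clen]
        off += alen


def timestamps(fields):
    c, m, mm, a = fields
    return {"created": filetime_to_iso(c), "modified": filetime_to_iso(m),
            "mft_modified": filetime_to_iso(mm), "accessed": filetime_to_iso(a)}


def parse_standard_info(content):
    return timestamps(struct.unpack_from("<4Q", content, 0)) if len(content) >= 48 else None


def parse_file_name(content):
    if len(content) < 66:
        return None
    parent, *times = struct.unpack_from("<5Q", content, 0)
    name = content[66:66 + 2 * content[64]]   # byte 64 = name length in UTF-16 chars
    if len(name) < 2 * content[64]:
        return None
    return dict(timestamps(times), name=name.decode("utf-16-le", "replace"),
                namespace=content[65], parent_record=parent & 0xFFFFFFFFFFFF)


def parse_record(raw, offset):
    """Parse one candidate record; None if it fails validation or holds nothing useful."""
    if len(raw) < MFT_RECORD_SIZE or (rec := apply_fixups(raw)) is None:
        return None
    usa_off, flags = struct.unpack_from("<H", rec, 4)[0], struct.unpack_from("<H", rec, 22)[0]
    entry = {"offset": offset, "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
             "record_number": struct.unpack_from("<I", rec, 44)[0] if usa_off >= 48 else None,
             "standard_info": None, "names": []}
    for atype, content in iter_resident_attributes(rec):
        if atype == ATTR_STANDARD_INFO and entry["standard_info"] is None:
            entry["standard_info"] = parse_standard_info(content)
        elif atype == ATTR_FILE_NAME and (fn := parse_file_name(content)):
            entry["names"].append(fn)
    return entry if entry["standard_info"] or entry["names"] else None


def carve_mft_records(dump):
    """Scan the whole dump for FILE0/FILE* headers and return every record that parses."""
    found, pos = [], 0
    while hits := [h for h in (dump.find(s, pos) for s in MFT_SIGNATURES) if h != -1]:
        pos = min(hits)
        if entry := parse_record(dump[pos:pos + MFT_RECORD_SIZE], pos):
            found.append(entry)
        pos += 1
    return found


def build_sample_record(record_no, name, created, modified, is_dir=False):
    """Constructed 1 KiB record with one SI and one FN attribute (test data, not a real system)."""
    c, m = iso_to_filetime(created), iso_to_filetime(modified)
    si = struct.pack("<4Q6I2Q", c, m, m, m, 0x20, 0, 0, 0, 0, 0, 0, 0)
    si_attr = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFO, 24 + len(si),
                          0, 0, 24, 0, 0, len(si), 24, 0, 0) + si
    fn = struct.pack("<7Q2IBB", 5 | (5 << 48), c, m, m, m, 0, 0,
                     0x10000000 if is_dir else 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    fn_len = (24 + len(fn) + 7) & ~7
    fn_attr = (struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, fn_len,
                           0, 0, 24, 0, 1, len(fn), 24, 1, 0) + fn).ljust(fn_len, b"\x00")
    body = si_attr + fn_attr + struct.pack("<II", ATTR_END, 0)
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 3 if is_dir else 1,
                            56 + len(body), MFT_RECORD_SIZE, 0, 3, 0, record_no)
    rec[56:56 + len(body)] = body
    rec[48:54] = b"\x07\x00" + rec[510:512] + rec[1022:1024]   # USN + saved sector tails
    rec[510:512] = rec[1022:1024] = b"\x07\x00"                  # fixups as they sit in memory
    return bytes(rec)


SAMPLE_DUMP = (b"\x00" * 300 + b"log: FILE0 header missing, skipping\n" + b"\xaa" * 200
               + build_sample_record(2771, "unknown_tool.exe", "2007-11-07T03:15:00Z", "2007-11-07T03:16:30Z")
               + b"\x00" * 77
               + build_sample_record(2770, "Tools", "2007-11-01T12:00:00Z", "2007-11-07T03:16:30Z", is_dir=True)
               + b"\xff" * 64)

if __name__ == "__main__":
    for r in carve_mft_records(SAMPLE_DUMP):
        print(r["offset"], r["record_number"], [n["name"] for n in r["names"]], r["standard_info"])
```

The fixup check is what keeps a stray "FILE0" inside a log line or document out of the results: a real record carries the same two-byte update sequence number at the end of every sector, so a signature hit that fails that check is dropped before any attribute is read. Like the post's script, this does not walk directory INDX contents.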

Written for EnCase v6

Download Here
