Saturday, December 26, 2009

Forensic review of Windows 7 - Part II - File system

Windows 7 supports the same file systems that Windows Vista supports, i.e. FAT, NTFS & exFAT. Internally, Windows 7 uses the same underlying file system as Windows Vista, NTFS version 3.1. Windows 7 continues to utilize the transactional filesystem database, located in the \$Extend\$RmMetadata folder.

Like Vista, Windows 7 does not update the last accessed timestamp by default; it changes only when another timestamp (for example, last written) is updated as well. The registry setting that controls this has existed since Windows 2000, but it was not enabled by default until Vista.

The exFAT file system used in Windows 7 is the same version used in Windows Vista and is designed for removable drives. The latest version of EnCase supports exFAT and will display an exFAT volume's contents similar to this example:

When formatting external drives and flash devices, Windows 7 will completely WIPE the contents of the volume UNLESS the "QUICK FORMAT" option is selected, regardless of whether NTFS, FAT or exFAT is used. When the "QUICK FORMAT" option is selected, the prior data remains in unallocated space of the newly created volume and can be carved.

Thursday, December 24, 2009

Forensic review of Windows 7 - Part I

Over the next few weeks, I will be documenting and posting some basic information about Windows 7 from a forensic perspective. I know many of you may have already encountered a Windows 7 box or have been exploring it yourself. Please feel free to post comments with whatever little forensic nuggets you have found useful.

Initially looking at a Windows 7 image, it closely resembles a Windows Vista installation (no surprise there). There are a few small differences and changes which I will document with additional posts.

Starting off simple, here is a view of a clean Windows 7 install.

Take note that there are two separate partitions. During a clean install on a disk that does not contain any pre-existing partitions, the Windows 7 installation process creates two partitions even though you specify one. The installer warns you that an additional partition may be created, and in fact a 100MB "hidden" partition is created. There is a little trickery you can do to avoid the 100MB partition, but it is not intuitive and a typical user is unlikely to know how to prevent it, so you are likely to see two partitions: one of 100MB and the main partition, which by default is the remainder of the physical disk. The hidden partition matters because it will likely skew any link files you review. EnCase assigns volume letters in the order the partitions are encountered in the partition table, so the hidden partition gets the "C" volume letter, even though in Windows it is hidden and does not get a letter assignment at all. The main partition gets a "D" assignment in EnCase, but it is really "C". The contents of any shortcut files will therefore point to "C", which in EnCase is "D".

If the disk has a partition scheme already defined (i.e. it has an older version of windows or it was partitioned prior to starting the installation) then it continues to just use the one defined partition or whatever partitions were defined prior to starting the installation process.

A view of the typical default folders. Looks very "Vista-ish".

A view of a user's profile:

Internet History folders:

For the most part, if you have done an exam on a Vista machine, you will feel right at home with a Windows 7 image and should have no problem finding the common locations for artifacts.

Sunday, December 6, 2009

Export x Number of bytes around selected search hits - categorized by keyword hit

Updated - December 15, 2009 - Third version now available below

This EnScript is an update to the previous post here.

Changes & updates in this version:

1. Now includes the MD5 hash of the file the hit is located in (internal and unallocated files are excluded).

2. The Keyword column now shows the hit text as well as the keyword. This is useful if you used a GREP expression: it shows both the expression and the text that actually matched.

3. The AFTER count now starts at the end of the keyword hit instead of the beginning of the keyword hit.

4. The red highlighted keyword hit should now be accurate and only show the exact characters in the keyword hit.
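To make items 1 through 4 concrete, here is a small Python sketch of the report logic (added for this post as an illustration; it is not the EnScript and does not use the EnCase API). The BEFORE window ends at the first byte of the hit, the AFTER window begins at the byte following the hit, the red span contains exactly the matched bytes, and the MD5 column is left blank for unallocated or internal items. The sample evidence, the GREP expressions and the column layout are constructed for the example.

```python
import hashlib
import html
import re

def proximity_hit(data: bytes, hit_offset: int, hit_len: int, before: int, after: int):
    """Split the context around one search hit into (before, hit, after).

    The BEFORE window ends at the first byte of the hit; the AFTER window
    starts at the byte following the last hit character (item 3 above), and
    the middle element is exactly the matched bytes (item 4 above)."""
    start = max(0, hit_offset - before)
    hit_end = hit_offset + hit_len
    end = min(len(data), hit_end + after)
    return data[start:hit_offset], data[hit_offset:hit_end], data[hit_end:end]

def build_proximity_report(files, expressions, before=40, after=40):
    """files: list of (path, content_bytes, skip_hash) where skip_hash marks
    unallocated/internal items. expressions: GREP patterns as bytes.
    Returns (rows, html_text); one row per hit."""
    rows = []
    for path, content, skip_hash in files:
        md5 = "" if skip_hash else hashlib.md5(content).hexdigest()   # item 1
        for expr in expressions:
            for m in re.finditer(expr, content, re.IGNORECASE):
                pre, hit, post = proximity_hit(content, m.start(), m.end() - m.start(), before, after)
                rows.append({
                    "path": path,
                    "md5": md5,
                    # item 2: the GREP expression and the text it matched
                    "keyword": f"{expr.decode('latin-1')} / {hit.decode('latin-1')}",
                    "before": pre.decode("latin-1"),
                    "hit": hit.decode("latin-1"),
                    "after": post.decode("latin-1"),
                })
    parts = ["<table><tr><th>Keyword / Hit</th><th>File</th><th>MD5</th><th>Context</th></tr>"]
    for r in rows:
        ctx = (html.escape(r["before"])
               + '<span style="color:red">' + html.escape(r["hit"]) + "</span>"
               + html.escape(r["after"]))
        parts.append(f"<tr><td>{html.escape(r['keyword'])}</td><td>{html.escape(r['path'])}</td>"
                     f"<td>{r['md5']}</td><td>{ctx}</td></tr>")
    parts.append("</table>")
    return rows, "\n".join(parts)

# Constructed sample evidence: one allocated file and one unallocated block.
SAMPLE_FILES = [
    ("C/Users/bob/notes.txt", b"call me at 555-1234 tomorrow, or 555-9876 tonight", False),
    ("Unallocated Clusters", b"\x00\x00fragment: invoice 555-0000 paid\x00\x00", True),
]
SAMPLE_EXPRESSIONS = [rb"555-\d{4}", rb"invoice"]

if __name__ == "__main__":
    rows, report = build_proximity_report(SAMPLE_FILES, SAMPLE_EXPRESSIONS, before=8, after=9)
    for r in rows:
        print(f"{r['keyword']:<24} {r['path']:<24} [{r['before']}]<{r['hit']}>[{r['after']}]")
```

Splitting the context into three separate pieces before rendering is what keeps the highlight exact: the red span can never bleed into the surrounding bytes, however the BEFORE and AFTER counts are chosen.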

There are now three versions of this EnScript available.

The first version is from the original EnScript that creates one "Proximity Report" with all the hits you selected from the search hits pane.

The second version is an adaptation from the original based on a reader's request. This second version creates one proximity report for each unique keyword hit. This version was created to easily facilitate redaction of certain hits.

This third version creates one proximity report per keyword, i.e., if you have five different keywords selected in the search hit pane, then five different folders are created and each folder contains one report with all the hits for that keyword.
Download here - updated original version
Download here - updated adapted version
Download here - updated third version

Thursday, November 26, 2009

EnScript to create thumbnails of selected video files

This EnScript was designed to take all selected (blue checked) video files (avi, mp4, 3gp, etc.) in the case and to automatically create thumbnail pictures for each video. In order to do this, a program named “Video Thumbnails Maker” is required. This is a free program, but in order to use it in the method described below, you need to give a donation of $25.00 or more to the author of the program (I have no affiliation with the author; I use this program because it's the only program I have found that works from the command line and works reliably, just make sure you have all the appropriate codecs loaded).

Once you give a donation, a registration key is sent via email that enables the program to be used from the command line (Platinum level). It is this feature that is required in order to integrate it with an EnScript. The program can be downloaded and used for free via the GUI, and you can manually convert videos using the GUI, but you will not be able to use it as described below until you register it and receive the activation code, which enables the command-line features.

The “Video Thumbnails Maker” program supports many of the different video types, but I have found AVI to be the most reliable video type that seems to work 100% of the time.

To use this EnScript, simply select any video files you wish to make thumbnails of:

Then run the EnScript named “Make Thumbnails of selected video files”. The EnScript will create a root folder named “Video Thumbnails” in the default export folder specified in your case. Inside this folder, the EnScript will create a sub folder for each video file that you selected (The hash value is appended to avoid a collision of two files named the same but from different paths):

Inside each subfolder that is named after the video that was exported, the original video and all the thumbnail photos will be present. In addition, there will be a text file named “Video_Header.txt” that contains all the video metadata, name, path, hash, created date, written date. This information can be copied into an external report as the header information describing the video, then show all the thumbnails.

You can see that the thumbnails are all named after the original video, along with a timestamp of where in the video the thumbnail was taken. In the example above, a thumbnail was created every second, as that is what I have set in my EnCase.vtm file. You can then quickly scan the images in Windows Explorer thumbnail view to see which pictures contain valuable images and which you can delete. In the same folder is a text file with the video metadata that can be quickly inserted into an external report:

The “Video Thumbnail Maker” program has many different options that you can set and then save to a “preset” file. When you install the “Video Thumbnail Maker” program, a subfolder named “Presets” is created under the program folder “C:\Program Files\Video Thumbnails Maker”:

The five “Base_Presets_x.vtm” are installed when you install the program the first time. In order for the EnScript to work with this program, you must create a preset file named “EnCase.vtm” with the settings you want to use when creating the thumbnail pictures. Here is an example of my settings as I set them in the program GUI and then saved them to the “EnCase.vtm” preset:

This last option screen is where you can set the time sequence for your thumbnails. You can see above that I have the “Specific Time” option selected and the box below says “2 secs”, this means that regardless of how long the video is, this program will create a JPG thumbnail picture every two seconds until the end of the video.
At the top of this last screen you can see the “export” option. This is where you set all the options you want to use with the program and then export them to a file named “EnCase.vtm” in the “C:\Program Files\Video Thumbnail Maker\Preset\” folder. Whatever you save into that preset file are the options the EnScript will use when creating your thumbnails. Some common mistakes:
1. Make sure that on the Environment screen, in the "output" section, you do not select the “Save thumbnails to your folder” option. By default the program will place the thumbnails in the same folder where the video file is found, which is the subfolder that the EnScript automatically creates.
2. When trying to create thumbnails of video files other than “AVI”, I have had to change the “Video Rendering” option on the Environment page between “Engine 1” and some of the other options. “AVI” seems to work great with “Engine 1”, but sometimes .3GP, MP4 and others fail with that option, so changing it to “Engine 2” or “Extreme” usually fixes the failure.
Once you set all your options and save them to the EnCase.vtm file, you will not need to reconfigure the program unless you want to change some of the settings.
One valuable use for this EnScript is to export any videos and then quickly scan the thumbnail images in Windows Explorer to see whether they contain any images of interest.

Sunday, November 15, 2009

EnScript to find Limewire download remnants.

This EnScript was written for a reader who requested an EnScript to search for the common "URN:SHA1:{Sha1_base32 hash}" tag associated with Limewire downloads. When run, the EnScript will search SELECTED files for that tag. If found, it will read the SHA1_base32 value that immediately follows the tag and then compute a SHA1_base32 hash for all the files that have one of the extensions you specify. If a file with the same hash is found, it is bookmarked as a matching file.

Once completed, check the bookmark folder for two different folders. One contains any "URN:SHA1" tags found in the selected files, and the second contains each file that matches a found SHA1 value.

Download Here

Sunday, November 8, 2009

EnScript to display the number of search hits per file.

A reader asked if I could write an EnScript to calculate how many search hits were in each individual file, instead of the total number of search hits that EnCase displays.

Below is an EnScript that will calculate the number of unique files with each selected search hit, as well as how many hits in each file. To use, conduct your search, then select the search hits you want to include in the report and then run.

Once you run the EnScript, it will automatically open Microsoft Excel (required) and populate three columns, Search Expression+(unique count), Full Path, and hits per file.

Thursday, October 29, 2009

EnScript to create LEF with files based on extension

I wrote this EnScript for myself to essentially create a separate Logical Evidence File with all the user generated files to simplify review. It is a modification of the EnScript here that exports files based on extension.

To use, simply run the EnScript and it will prompt you for a list of extensions, by default most of the common user generated extensions are already included, but you can add or remove extensions from the list.

Once run, it will grab every file that has an extension in the list you provided and then create a LEF with just those files, maintaining their original paths and metadata. The files are placed in the LEF in a folder corresponding to their extension, making review easier. If you check the first box, the LEF will automatically be loaded into EnCase after it's created. The second one causes all compound files to be automatically mounted. Office files, Zips, Thumbs.db, etc. will all be mounted to reveal their contents and additional metadata.

As a bonus I also created a folder in the LEF called high ASCII filenames which will contain any files/folders that are named not using the low ASCII character set. This means it will find and categorize all the foreign language files that do not use the standard Roman alphabet.

Download Here

EnScript to export x bytes around search hits - UPDATED

A reader asked if I would modify my original EnScript here so that instead of exporting one HTML file with all the exported search hits, that it would export one HTML for each search hit. He was dealing with 50,000+ search hits and the EnScript was creating one huge HTML file and it would not load in a browser.

Therefore, I have modified the original EnScript to create one HTML file for every search hit and also place them into categorized folders based on the keyword.

Download Here

EnScript to obtain connected USB devices from System Restore Points (XP)

A reader requested that I modify my original USB information EnScript to work with the snapshot copies of the SYSTEM registry hives that are saved in the System Volume Information folder by the System Restore service in windows XP.

I have modified the original EnScript to parse only the registry hives found in the System Volume Information folder. This is a separate EnScript and does not parse the active registry hives, only the ones in the System Volume Information folder.

Download Here

Wednesday, October 28, 2009

EnScript to decode Yahoo chats in unallocated - UPDATED

A few days ago I posted an EnScript to decode Yahoo chat data in unallocated. You can find the original post here.

I have updated the EnScript to bookmark the data and put the decoded chat data in the comment of the bookmark.

I have also updated the pop-up window that displays when invalid data is encountered.

Download Here

Friday, October 23, 2009

EnScript to decode Yahoo chats in unallocated

Awhile back I created an EnScript to search for keywords that may appear in encrypted yahoo chat logs in unallocated. You can read about that EnScript here.

After creating that EnScript, I created a second one to parse the encrypted chat logs that you may find in unallocated. The following EnScript can be used to decode the chats that you may find in unallocated.

Before running the EnScript, click the cursor on the first character of the UNIX timestamp of the Yahoo log data found in unallocated. The structure of the Yahoo log records is: date, type, user, size, message, then a dword null (see below). Once you have placed the cursor on the first byte of the UNIX timestamp, run the EnScript; you will need to provide the local Yahoo user name, as this is used as the XOR key.

Here is a screenshot of some yahoo logs in unallocated as well as their structure. Take note where the cursor is placed (solid blue) before running the EnScript.

Place the cursor on the first byte of the UNIX timestamp and then run the EnScript. It will continue to parse all the messages found until the data structure is no longer valid. After the highlighted data blocks in the picture above, you can see four null bytes, then another UNIX timestamp. The EnScript continues parsing messages as long as it encounters this structure and the values in the TYPE and USER fields are valid.
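For readers who want to see the parsing loop rather than the screenshot, here is a Python decoder for the record structure described above. It is added for this post and is not the EnScript. The field order (date, type, user, size, message, dword null) comes from the post; the 4-byte little-endian field widths and the set of "valid" TYPE and USER values are assumptions of this example, as is the sample user name used as the XOR key. The sample log bytes are constructed by the script itself.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Record layout assumed by this example (field order is from the post; the
# 4-byte little-endian widths and the "valid" type/user values are assumptions):
#   uint32 unix_timestamp | uint32 type | uint32 user | uint32 size
#   size bytes of message, XORed with the local user name | uint32 0x00000000
HEADER = struct.Struct("<IIII")
VALID_TYPES = {6}          # assumed: 6 = instant message
VALID_USERS = {0, 1}       # assumed: 0 = local user sent, 1 = remote user sent

@dataclass
class ChatRecord:
    offset: int
    timestamp: datetime
    msg_type: int
    user: int
    text: str

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_yahoo_log(buf: bytes, start: int, local_user: str, max_message: int = 4096):
    """Parse records from `start` (the first byte of a UNIX timestamp) until the
    structure stops being valid, as the EnScript described above does."""
    key = local_user.encode("ascii")
    records = []
    pos = start
    while pos + HEADER.size <= len(buf):
        ts, mtype, user, size = HEADER.unpack_from(buf, pos)
        if ts == 0 or size > max_message or mtype not in VALID_TYPES or user not in VALID_USERS:
            break                                   # TYPE/USER/size no longer plausible
        body_start = pos + HEADER.size
        body_end = body_start + size
        if body_end + 4 > len(buf):
            break                                   # record would run off the buffer
        if struct.unpack_from("<I", buf, body_end)[0] != 0:
            break                                   # missing dword null terminator
        text = xor_with_key(buf[body_start:body_end], key).decode("latin-1")
        records.append(ChatRecord(pos, datetime.fromtimestamp(ts, timezone.utc), mtype, user, text))
        pos = body_end + 4                          # next timestamp follows the null dword
    return records

def build_record(ts: int, mtype: int, user: int, text: str, local_user: str) -> bytes:
    """Build one record in the layout above (used only to construct sample data)."""
    body = xor_with_key(text.encode("latin-1"), local_user.encode("ascii"))
    return HEADER.pack(ts, mtype, user, len(body)) + body + b"\x00\x00\x00\x00"

# Constructed sample: unallocated noise, two chat records, then garbage.
SAMPLE_USER = "alice_example"
NOISE = b"\xff\xfe leftover bytes from something else "
SAMPLE_LOG = (
    NOISE
    + build_record(1256000000, 6, 0, "hi bob, are you there?", SAMPLE_USER)
    + build_record(1256000042, 6, 1, "yes, what's up?", SAMPLE_USER)
    + b"\x00" * 8 + b"\xde\xad\xbe\xef"
)
SAMPLE_START = len(NOISE)   # where the examiner would place the cursor

if __name__ == "__main__":
    for rec in decode_yahoo_log(SAMPLE_LOG, SAMPLE_START, SAMPLE_USER):
        who = "local" if rec.user == 0 else "remote"
        print(f"{rec.timestamp:%Y-%m-%d %H:%M:%S} [{who}] {rec.text}")
```

Two things the sample makes visible: starting one byte off the timestamp misaligns every field, so the TYPE/USER check fails immediately and nothing is decoded, and supplying the wrong user name leaves the structure intact but turns the message text into garbage, which is why the local Yahoo user name has to be right.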

Friday, October 2, 2009

EnScript to search unallocated for built-in File Signatures

This EnScript started as a kind of test EnScript for something else, but I thought others may find it useful.

By default, EnCase is installed with several hundred file signatures preconfigured in the File Signature tab. This EnScript uses those and any additional signatures that you may add and searches unallocated space for any that you select (blue check). So if you select all of them, then it will search unallocated for all of them. If you only select the signatures in the graphics folder, then only those will be searched. Any file signatures that are found are categorized and bookmarked into a bookmark folder.

When you start the EnScript a simple window asks whether you want to search on the cluster boundary or the sector boundary. Normally, cluster boundary (the default) is the best and fastest choice, since file signatures should be found only on cluster boundaries. If you want to override this and search on sector boundaries instead, check the box. Checking the box will be much slower (about 8 times slower) since it will check the beginning of every sector instead of just the beginning of every cluster.

Once the EnScript is done, it will create a folder in the bookmark tree and then a sub folder for every file signature that you searched for and was found in unallocated.

Benchmark: a search for all included file signatures took 3.5 hours over 40GB of unallocated space with the checkbox selected (searching *every* sector).

A search for all included file signatures took 1.5 hours over 40GB of unallocated space with the checkbox unselected (searching *every* cluster).
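The cluster-versus-sector choice is easy to see on a toy image. The Python below is added here as an illustration (it is not the EnScript and does not use EnCase's signature table); it scans a constructed 64 KiB "unallocated" region for a handful of well-known headers, once on cluster boundaries and once on sector boundaries. The 4 KiB cluster size and the four signatures are assumptions of the example.

```python
from collections import defaultdict

SECTOR = 512
CLUSTER = 4096              # assumed: 8 sectors per cluster, the usual NTFS default

# A few well-known headers, constructed here for the example
# (EnCase ships several hundred in its File Signature table).
SIGNATURES = {
    "JPEG": b"\xff\xd8\xff",
    "PNG":  b"\x89PNG\r\n\x1a\n",
    "ZIP":  b"PK\x03\x04",
    "PDF":  b"%PDF-",
}

def positions_checked(size: int, boundary: int) -> int:
    """How many block starts a scan of `size` bytes will test."""
    return (size + boundary - 1) // boundary

def scan_unallocated(data: bytes, signatures=SIGNATURES, boundary=CLUSTER):
    """Test the start of every `boundary`-aligned block for a known signature.

    boundary=CLUSTER is the fast default (file data normally starts on a cluster).
    boundary=SECTOR tests eight times as many positions for a 4 KiB cluster and
    also catches data that begins on a sector inside a cluster."""
    hits = defaultdict(list)
    for off in range(0, len(data), boundary):
        for name, magic in signatures.items():
            if data.startswith(magic, off):
                hits[name].append(off)
                break
    return dict(hits)

def build_sample_image() -> bytes:
    """Constructed 64 KiB 'unallocated' region with headers at different alignments."""
    img = bytearray(16 * CLUSTER)          # all zero to start

    def put(offset, magic):
        img[offset:offset + len(magic)] = magic

    put(0 * CLUSTER, SIGNATURES["JPEG"])                 # cluster aligned
    put(3 * CLUSTER, SIGNATURES["PNG"])                  # cluster aligned
    put(5 * CLUSTER + 3 * SECTOR, SIGNATURES["ZIP"])     # sector aligned, mid-cluster
    put(9 * CLUSTER + 1, SIGNATURES["PDF"])              # unaligned: neither scan sees it
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for boundary in (CLUSTER, SECTOR):
        found = scan_unallocated(image, boundary=boundary)
        print(f"boundary={boundary:>4}: {positions_checked(len(image), boundary):>4} positions, hits={found}")
```

The sector scan finds the ZIP header that the cluster scan misses, while the PDF header at an odd byte offset is invisible to both; that is the trade-off the checkbox represents, and only a byte-by-byte carve would catch the last case. The eight-fold difference in positions tested is why the sector option costs so much more, even if the wall-clock gap on a real 40GB region is smaller than 8x.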

Download Here

Wednesday, September 30, 2009

EnScript to Categorize all files by their extension and then provide a count

Several months ago I did an EnScript to count up all the file extensions and then provide a summary of all the extensions and how many files with each extension. You can find that EnScript here.

This EnScript is similar but it makes a bookmark folder for every file extension and then bookmarks each file into the respective file extension folder for quick review.

The number next to the file extension is the number of files that match that extension. You could use this to quickly look at common file extension types or to identify what file extension types are prevalent on a specific system. Depending on how many files you have in your evidence, this may take several minutes to generate (~5 mins for 100,000 files).

Download Here

Tuesday, September 29, 2009

EnScript to find and bookmark foreign language files & folders

This EnScript was designed to recurse through all the evidence and check the name of every file and folder. If the file name or folder name contains a character with a value higher than decimal 127 (i.e., outside the ASCII range), it is bookmarked. This catches most languages that do not use the standard Roman alphabet.

Run the EnScript and it will display a message if any files/folders are found; they are placed into a bookmark folder.

In the example below, it detected a few files with Thai characters and a few documents with Latin characters that are not part of the standard Roman alphabet. The EnScript will also detect other languages such as Arabic, Japanese, Chinese, etc.
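The same "anything above 127" test, written in Python as an added illustration (not the EnScript), with one extra step the paragraph above hints at: the Unicode character names tell you which script tripped the check, so the bookmarks can be grouped by script the way the example screenshot separates Thai from accented Latin. The sample path list is constructed; note that an ASCII-named file sitting inside a non-ASCII folder is not flagged on its own, because only the entry's own name is tested, just as the EnScript tests each file and folder name.

```python
import re
import unicodedata
from collections import defaultdict

def is_high_ascii(name: str) -> bool:
    """True if any character in the name is outside the 7-bit ASCII range (> 127)."""
    return any(ord(ch) > 127 for ch in name)

def script_of(name: str) -> str:
    """Rough script label built from the Unicode names of the non-ASCII characters,
    e.g. 'THAI CHARACTER RO RUA' -> 'THAI', 'LATIN SMALL LETTER E WITH ACUTE' -> 'LATIN'."""
    scripts = set()
    for ch in name:
        if ord(ch) > 127:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return "/".join(sorted(scripts))

def categorize_names(entries):
    """entries: iterable of file or folder paths (either separator). Returns
    {script_label: [paths]} for every entry whose own name contains non-ASCII."""
    buckets = defaultdict(list)
    for path in entries:
        name = re.split(r"[\\/]", path.rstrip("\\/"))[-1]   # the entry's own name only
        if is_high_ascii(name):
            buckets[script_of(name)].append(path)
    return dict(buckets)

# Constructed sample listing: files and one folder entry, as EnCase would enumerate them.
SAMPLE_ENTRIES = [
    "Users/bob/Documents/report.docx",
    "Users/bob/Documents/r\u00e9sum\u00e9.docx",     # accented Latin
    "Users/bob/Documents/รายงาน.txt",               # Thai
    "Users/bob/Desktop/ملف.pdf",                    # Arabic
    "Users/bob/Desktop/報告.doc",                    # CJK ideographs
    "Users/bob/日本",                                # a folder entry
    "Users/bob/日本/plain.txt",                      # ASCII name inside that folder: not flagged
]

if __name__ == "__main__":
    for script, paths in sorted(categorize_names(SAMPLE_ENTRIES).items()):
        print(f"{script} ({len(paths)})")
        for p in paths:
            print("   ", p)
```

Grouping by the first word of the Unicode name is deliberately crude (it yields "CJK" rather than Chinese or Japanese, and "LATIN" for accented Western European names), but it is enough to tell a Thai document from a French one at a glance, which is the triage question this EnScript answers.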

Download Here

Monday, September 28, 2009

EnScript to alert you if there is data in the unused disk area of a physical device

This EnScript was designed to quickly scan the sectors classified as "Unused Disk Area" & "Volume Slack" for any data. If any data is found in these areas, then a bookmark of that sector is created and at the end of the EnScript a warning message will be displayed indicating that data was found in this area.

Data in this area is generally not a problem as long as you search and process all objects on the physical device. This is just a quick way to indicate if there is data and a way to quickly review what data exists in that area without having to scroll sector to sector.

Simply run the EnScript and it will check the "Unused Disk Area" of all the physical devices and then display a warning message if data was found. A bookmark is made of every sector that contains data in Unused or Volume Slack. You can then view the bookmark tab and quickly scroll through the bookmarks looking for recognizable data.

Download Here

Sunday, September 27, 2009

EnScript to show what folders have certain file types, calculate total bytes and number of files.

This EnScript was written at a reader's request to display all the folders that contain a certain file type (by extension). For each folder, the EnScript also calculates the total size of the matching files and their count.

Enter the file extensions you want to look for then click "OK". Once it runs, it will spawn Microsoft Excel (required) and populate the worksheet with the calculations:

Download Here

EnScript to summarize visited Internet hosts

This EnScript is meant to provide a quick and easy summary of the hosts that have been parsed using the SEARCH->Internet History function in EnCase.

This EnScript ignores the entire URL and instead just focuses on the host (URL Host column). It will then take all the hosts and count them up based on the hit count and then provide a summary in Excel.

You must select (blue check) whatever history you want to parse, normally the "history" folders, then run the EnScript and it will automatically spawn Microsoft Excel (required) and populate the worksheet.

Download Here

Thursday, August 27, 2009

EnScripts for cell phone hex dump files (.pm).


I am currently working on developing some EnScripts to parse .pm dump files that are obtained from using a flasher box (SHU, JAF, etc.). I have several .pm files, but not very many from all the different series that contain useful data. I am currently working on Nokia.

If anyone has any .pm files they are willing to share, specifically with call log info (received, missed, outgoing) and/or contacts and/or SMS messages, I would greatly appreciate it and will certainly share the EnScripts I develop as a result.

I am currently looking for Nokia series 30, 40 and 60 .pm dump files.

If you are able to share (all submissions will only be used internally for the development of EnScripts), please send to lance(at)forensickb(dot)com.

Saturday, August 22, 2009

EnCase EnScript to hash selected files and provide SHA1_Base16 & SHA1_Base32 values

A fellow examiner asked for an EnScript that provides the base32 SHA1 hash value for selected files. This EnScript generates the common base16 SHA1 hash value for selected files. In addition, it converts the base16 SHA1 hash value to a base32 SHA1 value for use in limewire investigations.

To use, just select the files you want the SHA1 values for and then run the EnScript. The output is in the console tab.

Download here

Updated EnScript to hash selected text and provide MD5, SHA1-Base16 and SHA1-Base32 values

I recently posted an EnScript to provide the hash value of selected text within EnCase.

This is an update to that EnScript and it provides the MD5 hash, SHA1_base16 (hex) hash and SHA1_base32 hash values for those that do limewire type investigations.

Download here

Sunday, August 16, 2009

EnScript to hash selected text

I was doing some testing and needed to hash just a portion of some files, not their entire contents. So I decided to write a quick EnScript to hash just the selected characters from within a file.

To use this EnScript, simply select whatever characters you want to include in your hash results and run the EnScript.

The EnScript will automatically determine which file you have text selected in and the number of bytes. The EnScript will calculate an MD5 and a SHA1 hash of the selected text:
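The hashing pieces behind this post, the SHA1_Base16/SHA1_Base32 EnScripts above and the Limewire "URN:SHA1" remnant EnScript all reduce to the same few operations, so here is one Python illustration covering them (added for the blog; none of it is the EnScript code): hash a selected byte range to MD5, SHA1 hex and SHA1 base32; convert between the base16 and base32 forms; pull urn:sha1: tags out of a buffer; and match them against files by extension. The sample file contents and the buffer holding the tag are constructed for the example.

```python
import base64
import hashlib
import re

# Gnutella/LimeWire write the SHA-1 as 32 base32 characters (RFC 4648 alphabet A-Z, 2-7).
URN_SHA1 = re.compile(rb"urn:sha1:([A-Z2-7]{32})", re.IGNORECASE)

def sha1_base16(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def sha1_base32(data: bytes) -> str:
    """20-byte SHA-1 digest -> 32 base32 characters (160 bits / 5 bits, so no '=' padding)."""
    return base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")

def base16_to_base32(hex_digest: str) -> str:
    return base64.b32encode(bytes.fromhex(hex_digest)).decode("ascii")

def base32_to_base16(b32_digest: str) -> str:
    return base64.b32decode(b32_digest.upper()).hex()

def hash_selection(data: bytes, start: int, length: int) -> dict:
    """Hash only `length` bytes beginning at `start`: the 'selected text' case."""
    sel = data[start:start + length]
    return {
        "bytes": len(sel),
        "md5": hashlib.md5(sel).hexdigest(),
        "sha1_base16": sha1_base16(sel),
        "sha1_base32": sha1_base32(sel),
    }

def find_urn_tags(data: bytes):
    """All distinct urn:sha1: values in a buffer (a downloads file, unallocated, etc.)."""
    return sorted({m.group(1).decode("ascii").upper() for m in URN_SHA1.finditer(data)})

def match_files_to_urns(urns, files, extensions=(".avi", ".mpg", ".jpg")):
    """files: {path: content}. Returns (path, sha1_base32) for each file whose hash is in urns."""
    wanted = set(urns)
    matches = []
    for path, content in files.items():
        if not path.lower().endswith(extensions):
            continue                         # only hash the extensions the examiner chose
        digest = sha1_base32(content)
        if digest in wanted:
            matches.append((path, digest))
    return matches

# Constructed sample: one shared file and a buffer that references it by URN.
CLIP = b"constructed sample video bytes " * 20
SAMPLE_FILES = {
    "C/Shared/clip.avi": CLIP,
    "C/Shared/other.avi": b"a different file",
    "C/Shared/readme.txt": CLIP,             # same bytes, wrong extension: skipped
}
SAMPLE_BUFFER = (b"\x00\x00<downloads>" + b"urn:sha1:" + sha1_base32(CLIP).encode("ascii")
                 + b"</downloads>\x00\x00urn:sha1:" + b"A" * 32 + b"\x00")

if __name__ == "__main__":
    print(hash_selection(b"xxxxabcyyy", 4, 3))
    tags = find_urn_tags(SAMPLE_BUFFER)
    print("tags:", tags)
    print("matches:", match_files_to_urns(tags, SAMPLE_FILES))
```

Because a SHA-1 digest is exactly 160 bits, its base32 form is always 32 characters with no padding; if a recovered "URN:SHA1" value is shorter or contains characters outside A-Z and 2-7, the remnant has been truncated or overwritten and should not be trusted for matching.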

Download here

Wednesday, August 12, 2009

EnScript to Export files based on extension - Maintain Path and Timestamps

I recently released an EnScript that exports files based on extension, you can see the original post and EnScript here.

Based on a request from Timothy LaTulippe & Dave Kleiman, I have made two modifications. There is now a version that maintains the original timestamps of the exported files. The second version maintains the timestamps and the original export path.

You can download them here:
Export file based on extension & Maintain TimeStamps
Export file based on extension & Maintain TimeStamps & Original Path

Friday, August 7, 2009

Maine State Police CP Project

A few months ago I posted an EnScript and some information about a project by Sgt. Glenn Lang of the Maine State Police. You can find the original post and EnScript here.

Sgt. Lang asked me to post the following message:
Flint Waters and the folks at the Wyoming ICAC have tied our Harvester into their Tool Kit.

It's only been active for a short time, but it has already generated over 40,000 key words to be used in searching for contraband on suspect media.

While I am culling the key words into usable lists I have created a new one from the big list with 265 grep key words that are from some of the most frequently seen CP movies.

If you are interested in this list send me an e-mail and indicate where you are from.

All other items related to this project can be downloaded here:
User: Guest2
Password: HasHerGL (it is case sensitive)

Sgt. Glenn Lang
Supervisor / ICAC Commander
Maine State Police Computer Crimes Unit
15 Oak Grove Rd. Vassalboro, Maine 04989
Phone (207) 877-8081
Fax (207) 877-8091

The Top 265 hex keywords are posted here

EnScript to convert individual OSX .emlx files into MBOX format so EnCase can parse it.

On a request from a person I consider a friend and whom I have learned a lot from, Pat Lim, I created this EnScript to help parse OSX email messages.

EnCase can parse many different types of email, but unfortunately emails from the native "mail" application in OSX are not supported. Pat did some research and figured out the structure of the individual email files typically stored in the /[user]/Library/Mail/POP/Inbox folder. Each email is stored with a .emlx extension.

This EnScript will process selected (blue checked) .emlx files. The individual .emlx files will be reformatted and concatenated into one single file and placed in your default export folder for the case. This single file will be in the MBOX format and can then be added into EnCase and parsed. The emails will show up in the records tab if you select the email parse option from the search dialog, or you can simply right-click on the exported MBOX file and choose "view file structure".

Download Here

EnScript to Compare evidence against hash set(s) and export files not in the hash set(s)

On an idea from Timothy LaTulippe, this EnScript was written to basically "de-NIST" your evidence.

This EnScript will compare all the files in the case against whatever hash sets you select (aka all the NIST ones or your own custom Windows hash sets) and then it will export all the files that do not match any of the hash sets, maintaining the original paths.

First, select whatever hash sets you want to use and rebuild your library with the ones you want to include in the comparison:

Then run the EnScript and choose an export path:

If you check the LEF box, a logical evidence file will also be made with all the files that do not match any of your included hash sets.

Download Here

Thursday, July 2, 2009

EnScript to Export files based on Extension v1.1

A few days ago I posted a blog about a new EnScript I wrote based on a reader's suggestion here.

I have updated this EnScript based on a suggestion from Iain Kenny & Jerry Hatchett to add the feature to de-duplicate exported files based on the hash values. The initial screen now has a check box to perform de-duplication by hash values:

If you check this box, the EnScript will hash every file it exports and if any additional files match the hash values of previous files, the contents will not be exported. Instead, the duplicate file will be created, but the contents will contain the text "DUPLICATE" as well as the path of the ORIGINAL file with the same hash.

The log file "index.csv" will also indicate each file that is a duplicate and list the hash values for all the files.
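For anyone adapting the de-duplication idea to their own tooling, here is the export loop in Python, added as an illustration and not the v1.1 EnScript: files are written under the export folder with their case paths, a file whose hash has already been exported becomes a placeholder containing "DUPLICATE" and the original's path, and index.csv records the hash for every file plus which original each duplicate points to. MD5 is assumed as the hash, and the three sample files are constructed.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

def export_with_dedup(files, export_root, dedupe=True):
    """files: iterable of (case_path, content) pairs; export_root: folder to write into.

    Each file is written under export_root keeping its case path. With dedupe=True a file
    whose hash was already exported is written as a placeholder containing 'DUPLICATE'
    and the path of the original. Returns the rows written to index.csv."""
    root = Path(export_root)
    first_seen = {}            # hash -> case path of the first file with that content
    rows = []
    for case_path, content in files:
        digest = hashlib.md5(content).hexdigest()   # MD5 assumed for the example
        out = root / case_path
        out.parent.mkdir(parents=True, exist_ok=True)
        original = first_seen.get(digest) if dedupe else None
        if original is not None:
            # Keep the file entry (name and location) but not a second copy of the bytes.
            out.write_text(f"DUPLICATE\nOriginal: {original}\n", encoding="utf-8")
        else:
            out.write_bytes(content)
            first_seen.setdefault(digest, case_path)
        rows.append({"path": case_path, "md5": digest, "duplicate_of": original or ""})
    with open(root / "index.csv", "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=["path", "md5", "duplicate_of"])
        writer.writeheader()
        writer.writerows(rows)
    return rows

# Constructed sample: the same document present in two locations.
SAMPLE_FILES = [
    ("Users/bob/Documents/budget.xlsx", b"spreadsheet contents"),
    ("Users/bob/Desktop/Copy of budget.xlsx", b"spreadsheet contents"),
    ("Users/bob/Pictures/cat.jpg", b"\xff\xd8\xff jpeg bytes"),
]

def run_demo(dedupe=True):
    """Export the sample into a fresh temp folder; return (index rows, text of the 2nd file)."""
    root = tempfile.mkdtemp(prefix="dedup_export_")
    rows = export_with_dedup(SAMPLE_FILES, root, dedupe=dedupe)
    second = (Path(root) / SAMPLE_FILES[1][0]).read_text(encoding="utf-8")
    return rows, second

if __name__ == "__main__":
    rows, second = run_demo()
    for r in rows:
        print(f"{r['md5']}  {r['path']}  {'<- dup of ' + r['duplicate_of'] if r['duplicate_of'] else ''}")
    print("placeholder contents:", repr(second))
```

The placeholder keeps the duplicate's name and path in the export tree, so a reviewer still sees that the document existed in both locations, while index.csv is the authoritative record that ties each placeholder back to the copy that actually holds the bytes.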

Download v1.1 Here

Computer Forensics, Malware Analysis & Digital Investigations
