Wednesday, May 26, 2010

EnScript to parse TIFF Metadata

An investigator contacted me this week about an investigation involving several hundred TIFF files that had been generated from a fax machine. The investigator needed to quickly extract all the metadata out of the TIFF files. A couple of different external programs could be used to do this, for example, ExifTool by Phil Harvey.

My goal was to create a quick EnScript to parse the TIFFs and provide the data without having to export the files out of EnCase. This caused me to take a closer look at TIFF format and the associated metadata that is stored inside. TIFF files are pretty common, especially in an environment where scanned documents can be found. This would include the processing stage of some e-Discovery jobs.

The TIFF file format is well documented. It can be found here. There are several fields inside a TIFF file that may be valuable, specifically in a TIF that was generated as part of a fax transmission process. A TIFF file that is generated from a fax is commonly referred to as a TIFF-F or a bilevel TIFF. There is an excellent discussion about the TIFF-F format in RFC 2306.

There are several tags (fields) that are commonly associated with a TIFF fax file that may be useful. The ones I have identified and included so far are:

Image File Width
Image File Length
Compression (identifies it clearly as a fax)

Image Description
Page Numbers

There are additional standard TIFF tags, such as data offsets, resolution, resolution unit, etc., but they don't have much value from an investigative standpoint. In addition to the standard TIFF tags, there can also be non-standard custom tags that are added by additional software, such as the Microsoft Document Imager (MDI) that is commonly used when a Windows OS computer is used as a fax.

When the MDI tags are present, there can be additional information that is useful to the investigator. For example:

Author (Windows user account)
Last Saved by (Windows user account)
Last Edit Timestamp
Last Print Time Timestamp
Create Date Timestamp
Last Saved Timestamp
Page count
Word count
Char count
....and several others...

These tags are basically the same ones that you typically find in a Microsoft Office OLE file (doc, xls, ppt).

The EnScript below will parse out all the standard TIF tags mentioned above. In addition, if there is OLE information, it will currently parse out the document name, author & last saved by name. I am still working on parsing some of the other MDI tags, but I don't have many sample TIF files that have this MDI information. If you have access to any TIF files that contain MDI information and are willing to share them, please contact me at lance(at)

Meanwhile, you can run the EnScript below against any selected TIF files in EnCase and it will bookmark the tag fields mentioned above, as well as print out the metadata information to the console tab. 

If there is MDI information, those fields that are currently being parsed will appear in the bookmarks as well as the message "There is MDI information present" in the console:

Please contact me if you have any TIF files that contain MDI information so I can continue to develop the EnScript to parse the additional pertinent fields.
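As an added illustration in Python (not the EnScript from this post), the sketch below reads the standard tags listed above from a TIFF's first image file directory, using the tag numbers from the TIFF 6.0 specification. The sample file bytes, the `FaxCompression` key and the helper names are constructed for this example.

```python
import struct

# Tag numbers (TIFF 6.0) for the fields listed in the post.
TAGS = {256: "ImageWidth", 257: "ImageLength", 259: "Compression",
        270: "ImageDescription", 297: "PageNumber"}
# Field type -> (struct code, byte size); only the types these tags use.
TYPES = {1: ("B", 1), 2: ("s", 1), 3: ("H", 2), 4: ("I", 4)}
# Compression values that identify CCITT (fax) encodings.
FAX = {2: "CCITT modified Huffman", 3: "CCITT Group 3 (T.4)", 4: "CCITT Group 4 (T.6)"}

def parse_tiff_tags(data):
    """Return the listed tags from the first IFD, bounds-checking every offset."""
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None or len(data) < 8:
        raise ValueError("not a TIFF header")
    magic, ifd = struct.unpack_from(order + "HI", data, 2)
    if magic != 42 or ifd + 2 > len(data):
        raise ValueError("bad TIFF magic or IFD offset")
    (count,) = struct.unpack_from(order + "H", data, ifd)
    found = {}
    for i in range(count):
        pos = ifd + 2 + 12 * i
        if pos + 12 > len(data):
            break  # truncated directory, e.g. a partially recovered file
        tag, ftype, n = struct.unpack_from(order + "HHI", data, pos)
        if tag not in TAGS or ftype not in TYPES:
            continue
        code, size = TYPES[ftype]
        total = size * n
        # Values of 4 bytes or fewer sit in the entry; otherwise the entry holds an offset.
        start = pos + 8 if total <= 4 else struct.unpack_from(order + "I", data, pos + 8)[0]
        if start + total > len(data):
            continue  # offset points outside the file
        raw = data[start:start + total]
        if ftype == 2:
            found[TAGS[tag]] = raw.rstrip(b"\0").decode("ascii", "replace")
        else:
            vals = struct.unpack(order + str(n) + code, raw)
            found[TAGS[tag]] = vals[0] if n == 1 else vals
    found["FaxCompression"] = FAX.get(found.get("Compression"))
    return found

def build_sample():
    """Constructed little-endian TIFF header and IFD (no image data) for the demo."""
    desc = b"Fax from 555-0100\0"
    short = lambda tag, a, b=0, n=1: struct.pack("<HHIHH", tag, 3, n, a, b)
    ifd = struct.pack("<H", 5) + short(256, 1728) + short(257, 2200) + short(259, 3)
    ifd += struct.pack("<HHII", 270, 2, len(desc), 8 + 2 + 5 * 12 + 4)
    ifd += short(297, 0, 3, n=2) + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + desc
```

Calling `parse_tiff_tags(build_sample())` returns a dictionary of the five tags; a multi-page fax would need the same loop repeated for each IFD in the chain.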

Wednesday, May 19, 2010

EnScript to find and parse "vk" registry keys

Earlier today I posted an EnScript that parses the 'nk' registry records from any selected files in EnCase. You can read about that EnScript in the original post here.

This EnScript essentially does the same basic function, except it searches for 'vk' records, which are the records that hold data values. The registry hive holds different types of data in different records. A 'vk' record can have the data value "resident" inside the 'vk' record itself, or it can be "non-resident" and have its own record elsewhere in the registry hive.

Therefore, when searching for 'vk' records, it is common to find the record but for it to have no data value name and/or no data value inside that specific record. Using the same example I used in the previous post about 'nk' records, here is an example:

The "MountedDevices" folder (key) is a 'nk' record that we covered in the previous post. The data values are on the right side of the window. The data value names are things like "\DosDevices\C:", "\DosDevices\D:", etc. The data value itself is the value that's stored inside that specific data name entry. For instance, the data name "\DosDevices\C:" would commonly have a value similar to what you see here:

The value data inside the data value name is the hex values you see above.

This EnScript attempts to find 'vk' records and then parses them as best as possible. As mentioned, it is common for the actual data value to be stored elsewhere and therefore cannot be parsed. If the data value is smaller than 4 bytes, then it is stored within the 'vk' record along with the value name. Here is an example of the output of the EnScript:

In the screenshot above, I searched the pagefile. The value names can be seen in the comment field on the right. After the value name, the data value itself is displayed if it was resident to that 'vk' record. You can see several bookmarks that have a value name, but no value itself. This is because the value was not resident to that record and is stored elsewhere. Some value names are blank and therefore you will see the name "default" (as you would typically see in regedit or other registry viewer).

This EnScript only bookmarks the data.

Download Here
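An added example in Python (not the EnScript itself) of the carving approach described above: scan a raw buffer for the 'vk' signature, discard implausible hits, and return the value name plus the data when it is resident. Residency is read from the high bit of the record's data-length field; the validation thresholds, helper names and sample bytes are assumptions constructed for the illustration.

```python
import struct

RESIDENT = 0x80000000  # high bit of the data-length field: data is inside the record
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

def parse_vk(buf, pos):
    """Parse a candidate 'vk' record whose signature starts at pos; None if implausible."""
    if pos + 20 > len(buf):
        return None
    name_len, data_len, data_off, dtype, flags = struct.unpack_from("<HIIIH", buf, pos + 2)
    size = data_len & 0x7FFFFFFF
    resident = bool(data_len & RESIDENT)
    # Heuristic filters (assumptions of this sketch) to drop stray "vk" byte pairs.
    if dtype not in REG_TYPES or name_len > 255 or pos + 20 + name_len > len(buf):
        return None
    if resident and size > 4:
        return None
    raw = buf[pos + 20:pos + 20 + name_len]
    # Flag bit 0 set: name stored as single-byte characters, otherwise UTF-16LE.
    name = raw.decode("latin-1" if flags & 1 else "utf-16-le", "replace")
    if not name.isprintable():
        return None
    # Resident data occupies the 4-byte field that otherwise holds the data cell offset.
    data = buf[pos + 8:pos + 8 + size] if resident else None
    return {"offset": pos, "name": name or "default", "type": REG_TYPES[dtype],
            "resident": resident, "data": data}

def find_vk_records(buf):
    """Scan a raw buffer (pagefile, unallocated space) for plausible 'vk' records."""
    hits, pos = [], buf.find(b"vk")
    while pos != -1:
        rec = parse_vk(buf, pos)
        if rec:
            hits.append(rec)
        pos = buf.find(b"vk", pos + 1)
    return hits

def make_vk(name, dtype, data_len, field):
    """Constructed vk cell: size, 'vk', name length, data length, data field, type, flags."""
    head = struct.pack("<i2sHI4sIHH", -32, b"vk", len(name), data_len, field, dtype, 1, 0)
    return head + name

# Constructed sample: resident DWORD, stray "vk" text, non-resident binary, unnamed value.
SAMPLE = (b"\0" * 8 + make_vk(b"Start", 4, RESIDENT | 4, struct.pack("<I", 2))
          + b" devkit " + make_vk(b"\\DosDevices\\C:", 3, 12, struct.pack("<I", 0x1A20))
          + make_vk(b"", 1, RESIDENT | 2, b"A\0\0\0") + b"\0" * 16)
```

`find_vk_records(SAMPLE)` yields three records: the non-resident one comes back with a name but `data` set to `None`, which corresponds to the bookmarks that show a value name and no value.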

EnScript to find and parse "nk" registry keys

There have been a lot of posts lately in the forensic community about the value and information that can be gleaned from an orphaned 'nk' registry record that may exist in unallocated space. The 'nk' record holds the name of a registry key, i.e. the name of the folder when viewed in regedit or other registry viewing tools. It does not contain the data value itself.

Here is an example:

The "MountedDevices" item on the left side is the key (aka 'nk' record). The data values inside that key (folder) are 'vk' records (blue highlighted items on the right) and are not parsed by this EnScript. 

This EnScript can be used to search any selected (blue checked) file in EnCase. Commonly that would be Unallocated, the pagefile and active registry hives, to find deleted keys. When you run the EnScript, you will be presented with date range fields. The 'nk' records (keys) are what have the last modified time stamp, so if you are looking for activity during a specific date range you can narrow or broaden the hits that are found by entering whatever dates/times you want in these fields.

Once you enter dates & times, press "OK" and all the selected files will be searched for a 'nk' record. Once found, the EnScript will try and validate it as a valid key, then bookmark it. It will also indicate if it is a deleted key as opposed to a valid "in use" key. It is common to find "in use" keys in unallocated and the pagefile as they are moved around and swapped out of memory, but that does not mean they are still "in-use".

The EnScript will create a bookmark folder with the timestamp of the current time that you ran the EnScript, along with the range you chose:

The comment field will have the date in a numerical UNIX format so you can accurately sort this column by date. After the date will be the name of the key found and then if it is deleted.

The EnScript will also print some basic info to the console tab:

Case 1\C\Unallocated Clusters
07/14/09 09:12:04AM    win32
07/14/09 09:12:04AM    FLAGS
07/14/09 09:12:04AM    HELPDIR
07/14/09 09:11:24AM    notepad.exe
07/14/09 09:11:24AM    command
09/12/09 06:24:08PM    OpenWithList
07/14/09 09:11:24AM    notepad.exe
Timestamp out of range, skipping....
07/14/09 09:11:24AM    .log
07/14/09 09:11:24AM    .scp
07/14/09 09:11:24AM    ShellNew
07/14/09 09:11:24AM    inifile
07/14/09 09:11:24AM    DefaultIcon
07/14/09 09:11:24AM    shell
07/14/09 09:11:24AM    open

Hits that are outside the range you specified will not be bookmarked and you will see "Timestamp out of range, skipping...." in the console when a record is skipped.
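The search described above can be sketched in Python as an added example (it is not the EnScript's code): find the 'nk' signature, validate the candidate, convert the last-written FILETIME to a UNIX timestamp for sorting, apply the date range, and flag deleted keys by the sign of the cell size that precedes the signature. The validation limits, helper names and sample buffer are assumptions constructed for the illustration.

```python
import struct
from datetime import datetime, timezone

EPOCH_DIFF = 11644473600  # seconds from 1601-01-01 (FILETIME) to 1970-01-01 (UNIX)
UTC = timezone.utc

def parse_nk(buf, pos):
    """Validate a candidate 'nk' record whose signature is at pos; None if implausible."""
    if pos < 4 or pos + 76 > len(buf):
        return None
    (cell_size,) = struct.unpack_from("<i", buf, pos - 4)  # precedes the signature
    flags, filetime = struct.unpack_from("<HQ", buf, pos + 2)
    (name_len,) = struct.unpack_from("<H", buf, pos + 72)
    # Heuristic length limit (an assumption of this sketch).
    if not 0 < name_len <= 512 or pos + 76 + name_len > len(buf):
        return None
    # Flag 0x20: name stored as single-byte characters, otherwise UTF-16LE.
    name = buf[pos + 76:pos + 76 + name_len].decode(
        "latin-1" if flags & 0x20 else "utf-16-le", "replace")
    if not name.isprintable():
        return None
    # In-use cells carry a negative size; a positive size marks a freed (deleted) cell.
    return {"unix": filetime // 10_000_000 - EPOCH_DIFF, "name": name,
            "deleted": cell_size > 0}

def find_nk_records(buf, start, end):
    """Return (hits inside [start, end] sorted by time, count skipped as out of range)."""
    lo, hi = start.timestamp(), end.timestamp()
    hits, skipped, pos = [], 0, buf.find(b"nk")
    while pos != -1:
        rec = parse_nk(buf, pos)
        if rec and lo <= rec["unix"] <= hi:
            hits.append(rec)
        elif rec:
            skipped += 1  # "Timestamp out of range, skipping...."
        pos = buf.find(b"nk", pos + 1)
    return sorted(hits, key=lambda r: r["unix"]), skipped

def make_nk(name, when, deleted):
    """Constructed nk cell: size, 'nk', flags, FILETIME, zeroed fields, name length, name."""
    ft = (int(when.timestamp()) + EPOCH_DIFF) * 10_000_000
    head = struct.pack("<i2sHQ", 88 if deleted else -88, b"nk", 0x20, ft)
    return head + b"\0" * 60 + struct.pack("<HH", len(name), 0) + name

# Constructed sample buffer; " bank " supplies a stray "nk" that must be rejected.
SAMPLE = (b"\0" * 4
          + make_nk(b"notepad.exe", datetime(2009, 7, 14, 9, 11, 24, tzinfo=UTC), False)
          + make_nk(b"OpenWithList", datetime(2009, 9, 12, 18, 24, 8, tzinfo=UTC), True)
          + b" bank "
          + make_nk(b"ShellNew", datetime(2009, 7, 14, 9, 11, 24, tzinfo=UTC), True))
```

Searching `SAMPLE` for July 2009 returns two hits and one skipped record, and the stray "nk" inside "bank" is rejected because the name length read at its offset is zero.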

SafeBoot Info EnScript

An old colleague of mine, Brian Olson, contacted me and offered to share an EnScript that he wrote. The EnScript was designed to help those of you who may have SafeBoot encryption deployed in your organization.

Here is a description of the EnScript directly from Brian:
The SafeBoot Management Console generally associates the key with the asset; we have encountered several situations where we could not easily locate the correct key to decrypt a SafeBoot encrypted drive. In some cases we found computers where the hard drive was swapped between assets by our internal helpdesk technicians, multiple decryption keys existed for the same asset, or even worse - keys were renamed.

I (Brian) wrote this EnScript to assist an Examiner with identifying the correct SafeBoot .SDB Database File (Decryption Key) based on metadata stored by SafeBoot to the hard drive. This EnScript will provide the Examiner with a brief report with enough information to locate the correct SafeBoot Database and Object information by searching for the Machine ID. From there, the .SDB key can be exported and used to decrypt the volume from within EnCase or using SafeBoot Vendor Tools.

Example Report:
SafeBoot Information
Physical Device: 0
SafeBoot Signature found in Device '0' Sector 1.
SafeBoot Encryption Information
SafeBoot Alg: 00000012
Database ID: 1234ABCD
Machine ID: 000012AB
SBFS Sector Map: 1668231
SBFS Sector Map Count: 23
SBFS KeyCheck: 123456ABCDEF
Region 1 Information
Region 1 - Start Sector: 63
Region 1 - End Sector: 156296385
Region 1 - Sector Count: 156296322
PowerFail Status
Status: Inactive

This EnScript is still in Beta, but has been mostly reliable in our environment. I (Brian) would appreciate any feedback from any other SafeBoot users regarding the accuracy of this EnScript in their environments.

Some Known Issues include:

  • Currently identifies only one “Region” (Encrypted Volume). Multiple Region Support is a planned feature.
  • Power Failure State still needs further testing and improvements. May still report Inactive...
  • ‘End Sector’ Region may be “0” on McAfee Enterprise Encrypted Disks.
Bugs or Comments can be reported to Brian at: dbrianolson (at)

Download Here

Friday, May 7, 2010

Guidance Software releases "WinAcq", a command line acquisition tool in EnCase v6.16

For those of you who read the "New Features" section in the help file, this may be old news, but the latest release of EnCase now has a command line acquisition tool called "WinAcq".

This tool is designed to run from the command line in the Windows Operating System to acquire whatever physical or logical drive you specify. The utility can be run interactively, where it prompts for certain information before it executes the acquisition, or it can be run from the command line with all the options specified on the command line. Additionally, you can also create a config file that contains all the config settings that you want the utility to use. The latter two allow for batch or scripted operation, i.e. on a flash drive or bootable CD.

Luiz Rabelo posted a very good article on his blog about all the command line options and even did some videos. His page is in Portuguese but you can view it in English here with the help of Google.
