Thursday, February 24, 2011

Forensic Puzzle #6

A System Administrator contacts you (because you're the forensic geek/god) and asks for your assistance in looking at something. He then hands you a flash device with a single zip file that he explains was "handed off" to him by another admin. The file is named "Suspicious_File"; the user reported it as unrecognized and did not know where it came from. The user eventually contacted desktop support staff, who forwarded it to an administrator, who has now contacted you. Unfortunately, the user changed the original name and zipped it to send to the helpdesk, so the original name and path are unknown.

Analyze the file and if possible, determine its origin, purpose, function and any other information that might be useful to the administrator. To avoid posting the correct results and spoiling it for anyone else who may be trying to work through this problem, post the final hash value of any file you analyze in the comments and I will provide feedback from there.

You get three hints. It's not any of these:
511516F439BC569D57C2853F49A192BA
DA983DD82AA924EB5BFE407F249AC9B6
63017bb2a213fa440191b204929ab0f7

Monday, February 21, 2011

EnCase EnScript to export MFT slack

During a recent EnScript training class, a student asked how to programmatically export MFT slack, that is, the data that may exist between the end of a logical MFT record and the end of the physical MFT record. A typical MFT record is anywhere between 400 and 700 bytes in length, but the MFT allocates 1024 bytes for each record. Data from previous records can therefore remain in the unused tail of a record, the same way data remains in file slack at the end of a cluster.

I wrote this EnScript during the class to demonstrate some of the fundamental programming principles and decided I would post it in case someone has a need for it.

This EnScript will process every MFT found in the case. The EnScript only exports data in the MFT record slack area with an ASCII value between 0x20 (space) and 0x7E (tilde). A folder named "MFT Slack" is created in the case default export folder, and a file named with the record number is created for every MFT record that contains slack. This method was used so that, if you review the exported data and find something of interest, you can quickly map it back to the exact MFT record it came from. If an MFT record has no data in slack, no export file is created for that record.

Download here
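The same extraction logic in Python, as an added example that is not the EnScript from this post: it walks a raw $MFT image in 1024-byte records, reads the "used size" and "allocated size" fields of each FILE record header (offsets 0x18 and 0x1C), takes the bytes between them as record slack, keeps only the printable range 0x20..0x7E, and reports the result keyed by record number so a hit can be mapped back to its record. The sample $MFT below is constructed inline (three records, one of which carries a leftover path in its slack); the output directory name mirrors the EnScript's "MFT Slack" folder.

```python
import os
import struct

MFT_RECORD_SIZE = 1024                    # bytes allocated per record on typical NTFS volumes
PRINTABLE = set(range(0x20, 0x7F))        # 0x20 (space) .. 0x7E (tilde), as in the EnScript


def parse_record_sizes(record: bytes):
    """Return (used_size, allocated_size) from a FILE record header, or None
    when the record does not start with the 'FILE' signature (zeroed, BAAD...)."""
    if len(record) < 0x20 or record[:4] != b"FILE":
        return None
    used, allocated = struct.unpack_from("<II", record, 0x18)
    return used, allocated


def record_slack(record: bytes) -> bytes:
    """Raw bytes between the end of the logical record and the end of the
    physical record (empty when the record is unreadable or fully used)."""
    sizes = parse_record_sizes(record)
    if sizes is None:
        return b""
    used, allocated = sizes
    allocated = min(allocated, len(record))   # never read past the buffer
    if used >= allocated:
        return b""
    return record[used:allocated]


def printable_bytes(data: bytes) -> bytes:
    """Keep only bytes in the printable ASCII range."""
    return bytes(b for b in data if b in PRINTABLE)


def export_mft_slack(mft: bytes, record_size: int = MFT_RECORD_SIZE):
    """Yield (record_number, printable_slack) for records with printable slack."""
    for n in range(len(mft) // record_size):
        rec = mft[n * record_size:(n + 1) * record_size]
        slack = printable_bytes(record_slack(rec))
        if slack:                             # no file for records without slack data
            yield n, slack


def write_exports(mft: bytes, out_dir: str = "MFT Slack") -> list:
    """Write one file per record, named by record number, and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for n, slack in export_mft_slack(mft):
        path = os.path.join(out_dir, f"{n}.txt")
        with open(path, "wb") as fh:
            fh.write(slack)
        written.append(path)
    return written


def make_record(used_size: int, slack_payload: bytes = b"") -> bytes:
    """Constructed FILE record: signature, used/allocated sizes, optional slack."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<II", rec, 0x18, used_size, MFT_RECORD_SIZE)
    rec[used_size:used_size + len(slack_payload)] = slack_payload
    return bytes(rec)


def build_sample_mft() -> bytes:
    """Constructed sample $MFT: record 0 fully used, record 1 with a leftover
    path from an earlier record in its slack, record 2 never written (zeroed)."""
    leftover = b"\x00\x01Old\\Users\\alice\\report.doc\x00\xfe\xff"
    return make_record(1024) + make_record(424, leftover) + bytes(MFT_RECORD_SIZE)


if __name__ == "__main__":
    for number, text in export_mft_slack(build_sample_mft()):
        print(f"record {number}: {text!r}")
```

Two caveats when running this against a real $MFT: the two bytes at the end of each 512-byte sector (offsets 510-511 and 1022-1023 of a record) hold the update sequence number, not original content, so the raw slack can contain that fixup value rather than what was written there; and a record marked in use can still carry slack from a completely unrelated earlier file, so a path found in record N says where the data now sits, not which file it once belonged to.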

Wednesday, February 9, 2011

*UPDATED* Custom FILETIME DateClass EnScript library to display millisecond granularity

This is an update to a post from a few days ago. Brian has emailed me an updated library with some bug fixes, new options, updated documentation and some other modifications.

This is current as of February 10, 2011.

Download the new DateClass library here.

Sunday, February 6, 2011

Custom FILETIME DateClass to display millisecond granularity

A few months ago, I had the pleasure of teaching two classes in Australia. During that visit, I met a very talented examiner named Brian Jones who had been learning the EnScript programming language for a while, had already excelled at it, created some great EnScripts and come up with some great ideas on using the power of EnScript.

Brian recently emailed me to comment on the recent post I made about the Windows FILETIME and the ability to see when a file's time stamp may have been manipulated. Brian shared a library he wrote that displays an entry's time stamps with millisecond granularity, as well as the time stamps in the filename attribute, which most forensic tools do not show by default. Looking at the time stamps in the filename attribute and comparing them with what is recorded in the standard information attribute can provide lots of clues as to what has happened to that particular object (file or folder).
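The comparison described above, as an added example in Python; this is not Brian's library and not EnScript. It decodes a 64-bit FILETIME (100-nanosecond ticks since 1601-01-01 UTC) with millisecond granularity, renders it with a manually entered bias the way the library's GetString(bias_value) does (dd/mm/yyyy layout, matching the LONGDATE form in the documentation), compares two stamps at MINUTE, SECOND or MILLISECOND accuracy, and then applies two examiner rules of thumb to a standard-information (SI) versus filename-attribute (FN) pair: a whole-second SI value next to a sub-second FN value, and an SI created stamp that predates the FN created stamp. Those two rules are assumptions stated here, not the library's logic, and the SI/FN sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)       # FILETIME epoch
ONE_MICROSECOND = timedelta(microseconds=1)
TICKS_PER_SECOND = 10_000_000                       # one tick = 100 ns
ACCURACY_TICKS = {                                  # mirrors MINUTE / SECOND / MILLISECOND
    "MINUTE": 60 * TICKS_PER_SECOND,
    "SECOND": TICKS_PER_SECOND,
    "MILLISECOND": TICKS_PER_SECOND // 1000,
}


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a FILETIME to an aware UTC datetime (sub-microsecond digit dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def make_filetime(day, month, year, hour, minute, second, ms=0) -> int:
    """Build a FILETIME from components (same argument order as the library's constructor)."""
    dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=UTC)
    return ((dt - EPOCH_1601) // ONE_MICROSECOND) * 10


def parse_filetime(raw: bytes) -> int:
    """FILETIME as stored in an MFT attribute: 8 bytes, little-endian."""
    return int.from_bytes(raw[:8], "little")


def fields(ft: int) -> tuple:
    """(year, month, day, hour, minute, second, millisecond), like the Year()..Millisecond() accessors."""
    dt = filetime_to_datetime(ft)
    return (dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


def filetime_to_string(ft: int, bias_hours: int = 0, display_ms: bool = True) -> str:
    """dd/mm/yyyy hh:mm:ss[.mmm] UTC(+hh.00) after applying a manually entered bias."""
    dt = filetime_to_datetime(ft) + timedelta(hours=bias_hours)
    text = dt.strftime("%d/%m/%Y %H:%M:%S")
    if display_ms:
        text += f".{dt.microsecond // 1000:03d}"
    sign = "+" if bias_hours >= 0 else "-"
    return f"{text} UTC({sign}{abs(bias_hours):02d}.00)"


def compare(ft_a: int, ft_b: int, accuracy: str = "SECOND") -> int:
    """<0, 0 or >0 after truncating both stamps to the requested accuracy."""
    unit = ACCURACY_TICKS[accuracy]
    a, b = ft_a // unit, ft_b // unit
    return (a > b) - (a < b)


def timestamp_anomalies(si: dict, fn: dict) -> list:
    """Heuristic indicators (assumed rules of thumb, not the library's logic) from
    comparing SI and FN stamps; each dict maps stamp name -> FILETIME."""
    findings = []
    for name in ("created", "written", "mft_modified", "accessed"):
        # Tools that set timestamps through user-mode APIs often write whole seconds,
        # while the FN copy keeps the sub-second precision the file system recorded.
        if si[name] % TICKS_PER_SECOND == 0 and fn[name] % TICKS_PER_SECOND != 0:
            findings.append(f"{name}: SI has a whole-second value while FN keeps sub-second precision")
    # FN created is set when the file appears on the volume; SI created should not be earlier.
    if compare(si["created"], fn["created"], "MILLISECOND") < 0:
        findings.append("created: SI timestamp precedes FN timestamp")
    return findings


def sample_findings() -> list:
    """Constructed SI/FN pair: only 'created' has been backdated to a whole second."""
    fn = {name: make_filetime(6, 2, 2011, 12, 34, 56, 789)
          for name in ("created", "written", "mft_modified", "accessed")}
    si = dict(fn)
    si["created"] = make_filetime(1, 1, 2010, 0, 0, 0)
    return timestamp_anomalies(si, fn)


if __name__ == "__main__":
    ft = make_filetime(6, 2, 2011, 12, 34, 56, 789)
    print(filetime_to_string(ft, 10))
    for finding in sample_findings():
        print(finding)
```

Treat the findings as leads rather than proof: a file copied or moved between volumes legitimately gets fresh FN stamps, and the sub-second check only works on NTFS volumes where the original write carried a fractional second. Corroborate with the other attribute's stamps and, where available, the volume's journal records before drawing a conclusion.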

Brian has agreed to share his library with anyone else who is interested, and I have to say he has done an excellent job. His documentation is superb! If you play around with EnScript, I highly suggest you load this library up and test it out. Even if you don't know how to program, there are simple examples in the documentation that you could try with very little effort.

The link to download the library is here.

Great thanks to Brian Jones. If you have questions, comments or just want to say thanks, please email him at jone2bri (at) gmail (dot) com.

Here is his documentation and explanation of what the library does.



SEEBDateClass

SEEBDateClass encapsulates a date-time value. This class represents time to a precision of seconds.

The time zone bias is set to the system's time zone bias. The GetString() method adjusts time with the bias before returning the string.


SEEBDateClass Enumeration OffsetOptions

Controls the offset values of the GetString() method(s).

  Name     Value   Description
  NOBIAS   0       No bias (UTC 0.00)
  DSTADJ   1       Adjust time for DST
  LOCAL    2       Time zone set to examiner machine


SEEBDateClass Enumeration ShowOptions

Controls the output of the GetString() method(s).

  Name        Value   Description
  LONGDATE    0       02/09/2009 16:44:21
  TEXTDATE    1       Wednesday, 2 September 2009, 16:44:21
  SHORTDATE   2       02/09/09 16:44:21


SEEBDateClass Enumeration EntryDateOptions

Controls the output of the EntryDate(entry, date_offset) method, which returns the date the entry was created, etc. FNA = "File Name Attribute" time/date stamps, which are not shown in Windows / EnCase. The File Name Attribute time/date values are possible indicators of when the file was actually created or written on a specific partition / system.

  Name             Value   Description
  CREATED          80      Entry created date
  WRITTEN          88      Entry last written
  MFTMODIFIED      96      Entry's MFT entry modified
  ACCESSED         114     Entry last accessed
  FNACREATED       184     File Name Attribute created
  FNAWRITTEN       192     File Name Attribute last written
  FNAMFTMODIFIED   200     File Name Attribute MFT entry modified
  FNAACCESSED      208     File Name Attribute last accessed


SEEBDateClass Enumeration AccuracyOptions

Controls the accuracy of the Compare function(s).

  Name          Value
  MINUTE        0
  SECOND        1
  MILLISECOND   2


SEEBDateClass Methods

Each method is listed with its name, return type (where given), declaration and description.

SEEBDateClass
  Declaration:  SEEBDateClass ()
  Description:  Construct default SEEBDate value. Year = 1601, month = 1, day = 1, hour = 0, minute = 0, second = 0, millisecond = 0.

SEEBDateClass
  Declaration:  SEEBDateClass (ulong value)
  Description:  Construct SEEBDate value from 64 bit time / date stamp.

SEEBDateClass
  Declaration:  SEEBDateClass (SEEBDateClass date)
  Description:  Copy constructor.

SEEBDateClass
  Declaration:  SEEBDateClass (uint day, uint month, uint yr, uint hr, uint min, uint sec, uint ms = 0)
  Description:  Construct SEEBDate value from individual values, i.e. day, month, year etc.

SEEBDateClass
  Declaration:  SEEBDateClass (DateClass date)
  Description:  Construct SEEBDate value from EnCase DateClass.

GetString
  Declaration:  const GetString(EntryClass entry = null, uint offset_options = SEEBDateClass::DSTADJ, bool display_bias = true, uint show_options = SEEBDateClass::LONGDATE, bool hour24 = true, bool display_ms = false)
  Description:  Converts the date to the string format.
  Arguments:
    entry – EntryClass object or null.
    offset_options – OffsetOptions enum value.
    display_bias – display the bias, i.e. UTC(+10.00).
    show_options – ShowOptions enum value.
    hour24 – 24 hour time or not (12 hr).
    display_ms – display milliseconds or not.
  Time zone settings are obtained from the volume the entry is on, otherwise UTC(0.00). GetString() = all default values.

GetString
  Declaration:  const GetString (int bias_value, bool display_bias = true, uint show_options = SEEBDateClass::LONGDATE, bool hour24 = true, bool display_ms = false)
  Description:  Converts the date to the string format using the specified bias.
  Arguments:
    bias_value – bias entered manually, i.e. -10.
    display_bias – display the bias.
    show_options – ShowOptions enum value.
    hour24 – 24 hour time or not (12 hr).
    display_ms – display milliseconds or not.

EnCaseString
  Return type:  String
  Declaration:  static EnCaseString(EntryClass entry, uint offset_options = SEEBDateClass::DSTADJ, bool display_bias = true, uint show_options = SEEBDateClass::LONGDATE, bool hour24 = true, bool display_ms = false)
  Description:  Converts the date to the string format using the EnCase "Modify time zone settings" to set the timezone for each volume.
  Arguments:
    entry – EntryClass object.
    offset_options – OffsetOptions enum value.
    display_bias – display the bias.
    show_options – ShowOptions enum value.
    hour24 – 24 hour time or not (12 hr).
    display_ms – display milliseconds or not.

GetTimeZoneBias
  Return type:  int
  Declaration:  static GetTimeZoneBias ()
  Description:  Returns the local time zone offset in seconds.

Year
  Return type:  int
  Declaration:  const Year ()
  Description:  Year value in 4 digit format (1601..2038).

Month
  Return type:  uint
  Declaration:  const Month ()
  Description:  Month value (1..12).

Day
  Return type:  uint
  Declaration:  const Day()
  Description:  Day value (1..31).

Hour
  Return type:  uint
  Declaration:  const Hour ()
  Description:  Hour value (0..23).

Minute
  Return type:  uint
  Declaration:  const Minute ()
  Description:  Minute value (0..59).

Second
  Return type:  uint
  Declaration:  const Second ()
  Description:  Second value (0..59).

Millisecond
  Return type:  uint
  Declaration:  const Millisecond()
  Description:  Millisecond value (0..999).

Ticks
  Return type:  long
  Declaration:  const Ticks()
  Description:  Total number of ticks.

DayOfWeek
  Return type:  uint
  Declaration:  const DayOfWeek()
  Description:  Day of week value (0 = Sunday .. 6).

DayOfWeekString
  Return type:  String
  Declaration:  const DayOfWeekString()
  Description:  Day of week as string.

MonthString
  Return type:  String
  Declaration:  const MonthString()
  Description:  Month value as string (January .. December).

TotalSeconds
  Return type:  ulong
  Declaration:  const TotalSeconds()
  Description:  Total seconds from 1/1/1601.

EqualTo
  Return type:  bool
  Declaration:  EqualTo (SEEBDateClass value)
  Description:  Returns true if == value.

LessThan
  Return type:  bool
  Declaration:  LessThan (SEEBDateClass value)
  Description:  Returns true if < value.

GreaterThan
  Return type:  bool
  Declaration:  GreaterThan (SEEBDateClass value)
  Description:  Returns true if > value.

IsLeapYear
  Return type:  bool
  Declaration:  static IsLeapYear (uint year)
  Description:  Returns true if year is a leap year.

InRange
  Return type:  bool
  Declaration:  static InRange (SEEBDateClass Value, SEEBDateClass min, SEEBDateClass max, uint accuracy_options = SEEBDateClass::SECOND)
  Description:  Value must be between min and max, inclusive, with accuracy = SECOND or MILLISECOND only.

IsValid
  Return type:  bool
  Declaration:  const IsValid ()
  Description:  Returns true if the value is a valid date.

EntryDate
  Return type:  SEEBDateClass
  Declaration:  EntryDate(EntryClass entry, uint entrydate_options = SEEBDateClass::CREATED)
  Description:  Converts the entry date to SEEBDateClass.
  Arguments:
    entry – EntryClass object to obtain dates from the MFT directly.
    entrydate_options – EntryDateOptions enum value.

Null
  Return type:  void
  Declaration:  Null()
  Description:  Allows creation of a null date, 0/0/0 00:00:00.

GetBias
  Return type:  double
  Declaration:  static GetBias(EntryClass entry = null)
  Description:  Returns the entry's bias value. If entry is null, the function returns the default time zone setting if there is only one time zone, or 0 otherwise.

DstOffset
  Return type:  int
  Declaration:  static DstOffset(EntryClass entry = null)
  Description:  Returns the entry's DST offset.

ReadWinDate
  Return type:  bool
  Declaration:  ReadWinDate (FileClass file)
  Description:  Construct SEEBDate value from 64 bit time / date stamp.
  Arguments:
    file – FileClass object.

ReadUnixDate
  Return type:  bool
  Declaration:  ReadUnixDate (FileClass file)
  Description:  Construct SEEBDate value from 32 bit (C / Unix) time / date stamp.
  Arguments:
    file – FileClass object.

UnixDate
  Return type:  double
  Declaration:  UnixDate(ulong value)
  Description:  Construct SEEBDate value from 32 bit (C / Unix) time / date stamp.
  Arguments:
    value – the 32 bit time / date stamp.

DateToMilliseconds
  Return type:  ulong
  Declaration:  static DateToMilliseconds(SEEBDateClass date)
  Description:  Convert a SEEBDate into total milliseconds for comparisons.

Now
  Return type:  void
  Declaration:  Now ()
  Description:  Sets the value to the current system date and time.

Set
  Return type:  void
  Declaration:  Set(uint day, uint month, uint yr, uint hr, uint min, uint sec, uint ms = 0)
  Description:  Sets the date directly.

Compare
  Return type:  int
  Declaration:  Compare (const SEEBDateClass &Value, uint accuracy_options = SEEBDateClass::SECOND)
  Description:  Returns < 0 if value is lexically less than, 0 if equal, > 0 if greater.
  Arguments:
    Value – SEEBDateClass object.
    accuracy_options – AccuracyOptions enum value, i.e. second, minute, millisecond.

TimeSpanString
  Return type:  String
  Declaration:  static TimeSpanString (SEEBDateClass date1, SEEBDateClass date2)
  Description:  The time span between two dates in days + hours + minutes + seconds.

TimeSpan
  Return type:  ulong
  Declaration:  static TimeSpan (SEEBDateClass date1, SEEBDateClass date2)
  Description:  The time span between two dates in seconds.


/*
  Example - Prints today's date and time
*/

include "SEEBDateClass"   // library file name assumed; point this at the downloaded library

class MainClass {
  void Main() {
    SEEBDateClass date();
    date.Now();                                   // load the current system date and time
    Console.WriteLine("Today's date is " + date.DayOfWeekString() + " " +
                      date.MonthString() + " " + date.Day() + ", " + date.Year());
    // GetString(bias_value) applies a manually entered bias in hours
    Console.WriteLine("Current Time In Los Angeles:" + date.GetString(-8));
    Console.WriteLine("Current Time In New York:" + date.GetString(-5));
    Console.WriteLine("Current Time In Moscow:" + date.GetString(3));
    // Now() returns void and cannot be concatenated; GetString() with default arguments
    // renders the stored value using the volume / system time zone settings
    Console.WriteLine("Current System Time:" + date.GetString());
  }
}

Computer Forensics, Malware Analysis & Digital Investigations
