Wednesday, January 29, 2014

EnCase EnScript (v6 & v7) to parse Skype chatsync files for IP addresses (internal & external) of each user

Most people are aware of the SQLite databases that Skype uses and the information they contain. Another common file associated with a Skype chat is the 'chatsync' file. This file is a proprietary format and it contains some very useful information, such as the user names of the people in the chat (even group chats).

In addition to the usernames of each user, each user's local (LAN) and external (WAN) IP addresses are often recorded in this file. This information can be very useful in helping identify or locating a particular user during a specific time. A chatsync file is generally created for each shat "session'.

The beginning of a chatsync file will appear like this:

You can select (blue check) any/all chatsync files in EnCase v6 or 'tag" them with 'chatsync in EnCase v7 and run the below linked EnScript. This EnScript will parse out the IP addresses and write them to the console as well as bookmark the artifacts.

Download Encase EnScript (v6 & v7) here

Tuesday, January 21, 2014

Quick EnCase v6 & v7 EnScript to find files that have been encrypted by Cryptolocker

Many companies and individuals are struggling with the cryptolocker malware that has been making its rounds the past few months. Some have opted to pay, some have taken the loss and reverted to backups (remember those?) , while others have tried to do some data recovery.

I wanted a way to quickly identify the files that have been encrypted by the malware. Finding files on a single host is not such a big deal, but when you have files that are scattered throughout a network share and a host that has access to that share has been infected, things can get very ugly very quick.

One of the first things any enterprise would need to do is identify the files that have been affected. Luckily enough, the authors of the malware provide a mechanism to see a list of files that were encrypted by clicking the "here" link on the ransom message:

The only downside to this approach is that when you suddenly find files on a network share that won't open and appear corrupted (because they wont open and look like random garbage inside) and employees do not realize that someone's host was infected and reached out and encrypted a bunch of files on the network share(s). Now comes the task of identifying all those files so you can quickly get them back from a previous backup (yeah, right).

Files that are encrypted with Cryptolocker are encrypted with AES256 and then the key used to encrypt that file is wrapped in a RSA public key. When a file is encrypted, the RSA blob (that has the encrypted AES key) and a hash of the blob are appended to the beginning of the file.

Therefore, this EnScript quickly looks at every file (regardless of extension) and checks for this unique 'header'. If found, it will bookmark those files for easy identification.

Download here EnCase EnScript v6 & v7 

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles