Wednesday, December 31, 2008

Happy New Year

Thanks for stopping by this year. I hope I have helped some of you out with the programs and information I have provided. As always, I wish I had posted more, but things always seem to get in the way. I plan on posting more next year. If you can think of any topics or programs that would be nice to see or have, shoot me an email at mark dot mckinnon at sbcglobal dot net and we can discuss them.

I hope everyone has a safe and happy new year.

Mark

Updates Before the New Year

Here are a few updates to some of the programs I have provided this year.

Skype Log Parser:

This program will now parse the voicemail logs and report on them. It will also extract some more information about the users. The avatars will also be parsed out and saved to the report directory. The program can be found here. I also want to thank the University of New Orleans (Team NSSAL) for using this program in the DC3 Challenge this year. I created the program for my own use in the challenge, but when I got bogged down with other things I thought I would release it in hopes that someone would use it for the challenge.

Thumbnail_Html:

I do not recall if I ever released this or not, but what it will do is parse a directory and create a web page with thumbnails of the graphics files in it. This program is good if you need to create a file that has graphics that you want to send to someone and be able to put it on a CD/DVD. This program will also read some of the EXIF info for the graphics and output that information as well. The program can be found here.

Internet Parser:

This is the updated Google Chrome parser with a few more reports, and I have also added the option to include Firefox history files. With this program, if someone had both Firefox and Google Chrome, you can add both of their history files to the same database and produce one set of reports instead of multiple reports. This program can be found here.

Internet History:

This program reads in the Internet Explorer index.dat, the cookie index.dat and the History index.dat files and will produce reports on them. The reports should be similar to those of the Internet Parser program. That program can be found here.

I hope you enjoy all these updated and new programs and that you get quite a bit of use out of them.

As always Questions/Comments/Suggestions/Thoughts?

Wednesday, October 29, 2008

Happy Birthday Ovie..........

Within the next few days it will be Ovie Carroll's birthday. So that everyone can wish him a happy birthday, I have set up a special e-mail account that will forward all your birthday wishes to him. The email address is happy_birthday_ovie@redwolfcomputerforensics.com. I will leave this up for about 1 1/2 weeks so everyone can wish Ovie a happy birthday.

I won't tell you how old he is, but here are some general statistics from that time period.

World Population: 3.276 billion
US Population: 191,888,791
Life expectancy: 70.2 years
Violent Crime Rate (per 1,000): 23.9
Property Crime Rate (per 1,000): 22.0
Homicide Rate (per 100,000): 5.1
US GDP (1998 dollars): $663 billion
Federal spending: $118.53 billion
Federal debt: $316.1 billion
Consumer Price Index: 31
Unemployment: 5.7%
Cost of a first-class stamp: $0.05
Cost of a new home: $20,500.00
Cost of a new car: $
Cost of a gallon of regular gas: $0.30
Cost of a dozen eggs: $0.54
Cost of a gallon of Milk: $0.95


Once again that email address is happy_birthday_ovie@RedWolfComputerForensics.com

Happy Birthday Ovie!

Sunday, October 5, 2008

Drive Prophet for Windows Beta Ends......

I want to thank everyone who beta tested Drive Prophet for Windows. I have concluded the beta and made the necessary fixes. I have posted a demo version of the program, and it can be downloaded here. There will be two versions of Drive Prophet, Standard and Professional; you can see the differences at the Drive Prophet Web Site. I will offer a discount for the next 30 days to any blog reader or beta tester. If there are any questions, you can shoot me an email at prophet at redwolfcomputerforensics dot com or mark dot mckinnon at redwolfcomputerforensics dot com.

Once again, a big thank you to everyone who tried it out and to those who provided feedback; your help was very valuable.

Tuesday, September 30, 2008

Skype Log Parser Update.......

Wow, in the last 20 days this program has been downloaded over 290 times. I have received a few calls and emails about it, and I thought I would update the program. There is still more to do with it, but I thought I would post this update. The program can be downloaded here.

What I have updated is to add parsing of the SMS records. This will parse the sms256.dbb, sms512.dbb and sms1024.dbb files. I did not have an sms16384.dbb, so that file will not be parsed. The report that is output lists the messages that were sent and the phone number each was sent to. I have yet to figure out where the date is stored, so that is not included at this time. This is something I will be working on.

I have also added a timeline of all the transactions. This is similar to the "History" tab on the Skype program.

I am also planning on updating this program some more in the near future: add reports, parse voicemail, figure out the date/time for SMS messages, and other things. If you think something else should be added to it, please shoot me an email (you can find my email somewhere on the blog) or just leave a comment.

Thoughts/Comments/Questions?

Wednesday, September 24, 2008

Google Chrome stores plain text passwords….sort of.

My interest was of course piqued when Google announced they would be entering the browser realm with Chrome. One of the things that has always interested me is the way different programs store passwords. While we are still working on decrypting the Chrome passwords from an imaged drive, I did make an interesting discovery about Chrome storing plain text passwords. Chrome is reliant on several files under the following paths (dependent on OS):

XP:

Documents and Settings/User/Local Settings/Application Data/Google/Chrome/


Vista:

Users/App Data/Local/Google/Chrome/


As it turns out, if you visit a site that does not require you to log in via https or any of a variety of other secure methods, Chrome will create a cookie, which can be found in the file “Current Session” under Chrome/User Data/Default. Within that file will be a plain text cookie with your login name and password. If the site requires https, you can still view the login, but the password is encrypted. However, there is one neat twist to this. If you log in with an incorrect password, even on an https site, the password is still saved in plain text. Using this information, you may be able to make an educated guess at what the actual password was. You can open the file with any text viewing program or a hex editor.


This password recovery method unfortunately only works if, during the last instance of the browser being opened, the person typed in their password when prompted at a site that does not use a secure method to log in. I also created a slide show presentation, which can be found here, detailing the steps and data that can be viewed within Chrome.

As always Thoughts/Comments/Questions?

Wednesday, September 10, 2008

Drive Prophet for Windows **Beta**

Well, it is finally going mainstream public: the Drive Prophet for Windows Beta. If you have not heard anything about this, then it may be new to you. If you listened to either the cyberspeak podcast (July 19 podcast, 10:40 into the podcast) or the Forensic 4Cast podcast (Episode 8), then you would have heard it mentioned. Here is a quick overview.

So what is Drive Prophet? Drive Prophet is a triage tool to give you a quick look at what can be found on a drive. It runs against a write-blocked drive or a DD image that has been mounted on your computer. If you go the DD image route, you can use any software to mount the image (VMware Mount, Mount Image Pro, EnCase, etc.). This does not mean it will replace a full forensic exam; it should not. It will, however, give you a jumping-off point into that exam and hopefully start to steer you in the right direction. My vision for this was a tool to help examiners, either in the field or back in the lab, get a quick look at a drive and be able to act on that information (i.e. question a suspect or start an exam).

After the drive is mounted you can start Drive Prophet and process the drive. Once the drive has been processed you will be presented with many reports that you can go through. Here is a listing of the possible reports:

LIST OF ALL USERS ON THE SYSTEM
LIST OF THE PROGRAMS BASED ON THE "PROGRAM FILES" DIRECTORY
UNIQUE LIST OF USB DEVICES THAT HAVE BEEN ATTACHED TO THE SYSTEM
LAST PROGRAMS THAT HAVE BEEN RUN AND THE NUMBER OF TIMES RUN
ALL THE DIRECTORIES THAT CONTAIN JPG FILES
LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER AND THE NUMBER OF VISITS
SOFTWARE INSTALLED ACCORDING TO THE REGISTRY
RECENTLY ACCESSED FILES FROM RECENT FOLDERS
FILES ON THE DESKTOP
FAVORITES DIRECTORY
URLS THAT HAVE BEEN TYPED IN INTERNET EXPLORER
MS MEDIA PLAYER: RECENT FILE LIST
MS MEDIA PLAYER: LAST OPENED PLAYLIST
COMPUTER OWNER INFORMATION
VIDEO FILES THAT WERE OPENED WITH WINDOWS MEDIA PLAYER
MS MEDIA PLAYER: RECENT OPEN DIRECTORY
LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER ORDERED BY THEIR LAST ACCESS TIME
INTERNET SEARCHES
PROGRAMS THAT WILL RUN ON SYSTEM STARTUP ACCORDING TO THE REGISTRY
LIST OF ALL THE PROGRAMS THAT HAVE BEEN RUN THAT WERE NOT FOUND ON THE HARD DRIVE
SCHEDULED TASKS DEFINED ON THE SYSTEM
LIST LAST SEARCH TERMS FROM THE SEARCH ASSISTANT
LIST ADOBE ACROBAT READER MOST RECENTLY ACCESSED FILES
LIST ALL MOUNT POINTS ON THE SYSTEM
LIST STARTUP AND SHUTDOWN TIMES ACCORDING TO THE EVENT LOGS
LAST PROGRAMS THAT HAVE BEEN RUN AND NUMBER OF TIMES RUN - TECHNICAL
LIST PROGRAMS THAT HAVE RUN WITH THE MICROSOFT MANAGEMENT CONSOLE
PROGRAMS THAT HAVE RUN ON THE SYSTEM AT SOME POINT IN TIME
APPLICATIONS TO LOOK FOR
PROGRAMS THAT HAVE BEEN RUN/EXECUTED FROM USERS TEMP DIRECTORY
IP ADDRESSES ASSIGNED TO COMPUTER
NUMBER OF TIMES COMPUTER NORMALLY SHUTDOWN
LIST ALL DOC FILES
LIST ALL XLS FILES
LIST ALL PDF FILES
LIST ALL LNK FILES
INFORMATION ABOUT VIRTUAL MACHINES ON SYSTEM

If you do not see a report that you would like, more reports can be added. There are a few other options you can run after the drive has been processed; these are not included in the processing of the drive as they may take a long time to run themselves. The other options are:

1. “Parse/Report EXIF Information” will scan all the JPG files on the system and report back which JPG files have EXIF information, displaying this information along with the graphic.

2. “Run Time Line Report” will ask for a begin date and an end date (the end date is optional; if not supplied, the current date is used as the end date) and will produce 4 reports:
     1. Report of all files that were Created between the 2 dates supplied.
     2. Report of all files that were Modified between the 2 dates supplied.
     3. Report of all files that were Last Accessed between the 2 dates supplied.
     4. Report of all files that have a Created, Modified or Last Accessed date/time between the 2 dates supplied.

3. “Run Picture Thumbnail Report” will generate a report of all jpg, png and bmp files that were found on the drive. There is an option to copy those files to the reporting directory so that they are available for your report.

4. “Run Vista Thumbcache Report” will generate a report of all jpg, png and bmp files that were in the Vista thumbcache files. These files will be copied to the reporting directory so that they are available for your report.

If after all this you still do not see certain things, let me know and they can be added to the list of future enhancements. The Drive Prophet Forum can be found here; there you can request future report enhancements and other enhancements, report bugs, etc.

One other feature is a program called Back Log Breaker. This program was designed to allow the user to "batch" up runs of Drive Prophet and process them all at once. This could allow agencies that have a backlog to try and cut through it.

If this is something that interests you, send an email to prophet-beta at RedWolfComputerForensics dot com with your name, agency/company and contact info. This program will be available to all; it is not restricted to anyone. I will then reply with an email telling you how to download the Beta. You can also download the install guide and quick start guide as well.

Tuesday, September 9, 2008

Interview On Forensic 4cast

The guys on Forensic 4Cast (Lee and Simon Whitfield) were kind enough to ask me on the show and let me talk about a few things I have been working on. Two of the projects I just blogged about a few minutes ago. The other project will be my next topic, and I will be putting that out within the next day. The interview can be found here.

Skype Log Parser

At the DC3 Challenge there is a challenge that deals with parsing the log files created by Skype. Well, I went searching on the Internet for programs that would get me information from these logs, and every program I found only dealt with the chat sessions. Looking at my own logs I could tell there was more to it than that. I was very disappointed that the programs I looked at did not look at these other log files. I thought to myself, am I the only one seeing that an examiner is potentially missing some important data (phone log, transferred files, etc.)? Well, I could not let this opportunity pass by, so I created a program that will parse out these log files and produce some reports. The program can be downloaded here.

If anyone uses this program for the DC3 Challenge please let me know; I am always curious whether the programs I publish ever get used.

As always send all comments/questions/suggestions good or bad to the comment section below or you can email me at mark dot mckinnon at sbcglobal dot net.

Google Chrome Log Parser

Google Chrome has been out for about a week and here is my first attempt to create a program that will parse out all the chrome logs and put together some useful reports. The program can be found here.

Just like Firefox, Chrome also stores its logs in a SQLite database. Some of these logs are very similar to the Firefox logs. One thing to note is that Chrome is not very consistent with which format it uses for date/time. In some logs it uses Unix epoch time (Jan 1 1970) and in others it uses Microsoft epoch time (Jan 1 1601). Chrome also stores a thumbnail of web pages in these logs. These thumbnails are used when you first start Chrome to show you 9 pages you have visited. The above log parser will pull these thumbnails out and present them in the reports as well.
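Added example (my code, not the Chrome log parser the post describes): a small Python script that normalises Chrome's two timestamp conventions into one sorted report. The post gives only the two epochs; the unit assumptions (microseconds for the 1601-based values, whole seconds for the 1970-based ones) and the simplified urls/downloads tables are mine and are not Chrome's real schema.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# The two epochs the post mentions. Chrome's 1601-based values are
# microseconds since 1601-01-01 UTC (the WebKit/NT convention); the
# 1970-based values are assumed here to be whole seconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """Microseconds since 1601-01-01 UTC -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def unix_to_datetime(value):
    """Seconds since 1970-01-01 UTC -> aware datetime."""
    return UNIX_EPOCH + timedelta(seconds=int(value))


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime, used here to build sample rows."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds


def guess_epoch(value):
    """Decide which convention a raw column value uses.

    A 1601-based microsecond value for any date after 1970 exceeds 1.16e16,
    while a 1970-based second count stays below 1e10 until the year 2286, so
    the magnitudes never overlap and a threshold is enough to tell them apart.
    """
    value = int(value)
    if value >= 10**14:
        return "webkit"
    if 0 < value < 10**10:
        return "unix"
    raise ValueError(f"timestamp {value} matches neither convention")


def chrome_time_to_datetime(value):
    if guess_epoch(value) == "webkit":
        return webkit_to_datetime(value)
    return unix_to_datetime(value)


def build_sample_db():
    """Constructed in-memory stand-in for Chrome's History database.

    The two tables are deliberately minimal and are NOT Chrome's real schema;
    they only reproduce the mixed-epoch situation the post describes.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, url TEXT,
                                start_time INTEGER);
        """
    )
    t_google = datetime(2008, 9, 24, 0, 0, 0, tzinfo=timezone.utc)
    t_example = datetime(2008, 9, 23, 12, 0, 0, tzinfo=timezone.utc)
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [
            ("http://www.google.com/", "Google", 3, datetime_to_webkit(t_google)),
            ("http://example.com/", "Example", 1, datetime_to_webkit(t_example)),
        ],
    )
    # Download start time stored as Unix seconds: 2008-09-23 23:00:00 UTC.
    conn.execute(
        "INSERT INTO downloads (url, start_time) VALUES (?, ?)",
        ("http://example.com/file.zip", 1222214400 - 3600),
    )
    return conn


def history_report(conn):
    """Merge visits and downloads into one list sorted on normalised UTC time."""
    rows = []
    for url, count, ts in conn.execute(
        "SELECT url, visit_count, last_visit_time FROM urls"
    ):
        rows.append(("visit", url, count, chrome_time_to_datetime(ts).isoformat()))
    for url, ts in conn.execute("SELECT url, start_time FROM downloads"):
        rows.append(("download", url, 1, chrome_time_to_datetime(ts).isoformat()))
    rows.sort(key=lambda r: r[3])
    return rows


if __name__ == "__main__":
    for kind, url, count, when in history_report(build_sample_db()):
        print(f"{when}  {kind:8}  {count:3}  {url}")
```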

As I stated above, this program is a work in progress and there is still more research to be done to make it better. I just wanted to get it out to all you guys to start playing with it.

As always Questions/Comments/Suggestions.

Thursday, July 3, 2008

Thumbcache Version 2

If you have been to one of Ovie Carroll's recent presentations on Vista you will probably have heard mention of this program. It was also mentioned during my interview on cyberspeak. This is a rewrite of the program that was written for this blog entry. This program will read either a directory where the thumbcache_*.db files are or the individual thumbcache files. If you happen to pull the thumbcache_*.db files out, make sure you include the thumbcache_idx.db file; this will add a date/timestamp to the reports for each picture extracted. This program will not only read the thumbcache and export the files, it will also create a nice, professional report to pass along to someone. You can also copy the whole directory and burn it to a CD and the reports will still display everything correctly.

The program can be found here. This program is a little different as I have started playing with the NSIS installer. The installer will ask you to input your name, agency name and a location for your organization's logo. This information is used in the reports to give that professional look. If you do not fill the information in, there will be a few blank spots on the reports.

As Always Questions/Comments/Suggestions/Etc....

Cyberpark

Nuff said

Friday, June 20, 2008

Montreal Area Blog Readers

I will be in Montreal from July 6 thru July 10th. If anyone wants to get together for dinner one evening then let me know. You can contact me at mark dot mckinnon at sbcglobal dot net and we can set something up.

Wednesday, June 18, 2008

What Does This Tell You - The Answer

And the answer is ......... a program called "Advanced Registry Fix" was run on the system. I saw this program advertised on Bits du Jour, which I blogged about here. There is a free download for the program, so I thought I would download it and try it out to see what it actually did to the registry.

One of the things I found is that to "clean" up the registry, what it does for the MRUList is to check whether the files still exist on the system. If they do not, it removes the value holding that file name (a and b were removed). The thing is that it does not remove the entry for that item from the MRUList, so that is why Harlan's RegRipper displayed 2 blank lines: it expected entries there because the MRUList said there were supposed to be entries there. I was not sure how RegRipper would handle this when I first saw what Advanced Registry Fix did, and was happy to see how it handled it (great job Harlan).

Here is the before image of the registry:

a                 REG_SZ     F:\methodology_form_blank.pdf
b                 REG_SZ     F:\report_blank.pdf
c                 REG_SZ     C:\Mark\dc3_challenge\methodology_form_blank.pdf
d                 REG_SZ     C:\Mark\dc3_challenge\report_blank.pdf
MRUList   REG_SZ     cdba

where the F:\ drive was a USB thumb drive.

Here is the after image of the registry after running "Advanced Registry Fix":

c                 REG_SZ     C:\Mark\dc3_challenge\methodology_form_blank.pdf
d                 REG_SZ     C:\Mark\dc3_challenge\report_blank.pdf
MRUList   REG_SZ     cdba

Another thing I found out is that once you open a program that writes to the MRUList, it will correct everything (the MRUList will have the nonexistent entries removed).

This just goes to show you how a $10 (price on Bits du Jour) to $20 (retail price) piece of software can really throw you for a loop and get you thinking that someone was deliberately trying to hide something when they were not; they were just trying to keep their system running in an optimal state by using valid system maintenance software.
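Added example (mine, not RegRipper's code or its plugin output): parsing the before and after dumps shown in this post and flagging MRUList letters that no longer have a value behind them, which is exactly the inconsistency the cleaner left. The dump format is taken from the two listings above; how to automate the check is my own suggestion.

```python
import re

# Lines of the form "<name>  REG_SZ  <data>", as in the dumps in this post.
VALUE_RE = re.compile(r"^(\S+)\s+REG_SZ\s+(.*)$")

# Constructed copies of the two listings from the post (before and after
# "Advanced Registry Fix" was run against the OpenSaveMRU\pdf subkey).
BEFORE = """
a                 REG_SZ     F:\\methodology_form_blank.pdf
b                 REG_SZ     F:\\report_blank.pdf
c                 REG_SZ     C:\\Mark\\dc3_challenge\\methodology_form_blank.pdf
d                 REG_SZ     C:\\Mark\\dc3_challenge\\report_blank.pdf
MRUList   REG_SZ     cdba
"""

AFTER = """
c                 REG_SZ     C:\\Mark\\dc3_challenge\\methodology_form_blank.pdf
d                 REG_SZ     C:\\Mark\\dc3_challenge\\report_blank.pdf
MRUList   REG_SZ     cdba
"""


def parse_dump(text):
    """Return ({letter: path}, mru_order) from a REG_SZ listing."""
    values = {}
    mru_order = None
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name == "MRUList":
            mru_order = data
        else:
            values[name] = data
    if mru_order is None:
        raise ValueError("no MRUList value in dump")
    return values, mru_order


def mru_listing(values, mru_order):
    """Values in MRUList order, as RegRipper prints them; gaps become ''."""
    return [(letter, values.get(letter, "")) for letter in mru_order]


def orphaned_indexes(values, mru_order):
    """Letters the MRUList references that have no value behind them."""
    return [letter for letter in mru_order if letter not in values]


def unlisted_values(values, mru_order):
    """Values present in the key that the MRUList does not reference."""
    return sorted(letter for letter in values if letter not in mru_order)


def assess(text):
    values, mru_order = parse_dump(text)
    orphans = orphaned_indexes(values, mru_order)
    if orphans:
        note = (
            "MRUList still references %s but the values are gone: this matches "
            "what the post found for Advanced Registry Fix (values deleted, "
            "MRUList left untouched) rather than a deliberate wipe of the key."
            % ",".join(orphans)
        )
    else:
        note = "MRUList and values agree."
    return {
        "order": mru_order,
        "listing": mru_listing(values, mru_order),
        "orphans": orphans,
        "unlisted": unlisted_values(values, mru_order),
        "note": note,
    }


if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        result = assess(dump)
        print(f"--- {label}: MRUList = {result['order']}")
        for letter, path in result["listing"]:
            print(f"{letter} -> {path}")
        print(result["note"])
```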


Thoughts/Questions/Comments????

Friday, June 13, 2008

What does this tell you

I have been doing some testing with Harlan Carvey's RegRipper, which is a pretty cool tool, and I ran across this entry after running it against my ntuser.dat file.

ComDlg32\OpenSaveMRU
**All values printed in MRUList order.
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
LastWrite Time Wed Jun 11 18:48:27 2008 (UTC)

..
..

Subkey: pdf
LastWrite Time Fri Jun 13 12:41:16 2008 (UTC)
MRUList = cdba
c -> C:\Mark\dc3_challenge\methodology_form_blank.pdf
d -> C:\Mark\dc3_challenge\report_blank.pdf
b ->
a ->

..
..

I cut out the stuff before and after the pdf subkey. Now, after looking at this, what do you think it is telling you? Is this some kind of anti-forensics tool that was run? Why are there entries missing? I will hold off on the answer until next week to see if someone wants to throw an answer out there.

Questions/Comments/Thoughts?

Thursday, June 12, 2008

What's in your Ipod........

Ok, so I stole the title and tweaked it a little. The question of the day is: what type of music do you listen to when you are doing forensic work? Are you like Hugh Jackman in Swordfish, jamming out as your fingers fly across the keyboard? Besides the big name individuals or groups (I like Bob Seger, Tom Petty, The Eagles, 3 Doors Down, John Mellencamp and many more), have you found some local musical group that you like to listen to when you need to do some heads-down forensic work? Are you willing to share that with the rest of us? I will go first: the Four Lincolns out of Grand Rapids, Michigan. You can check out their MySpace page and listen to their tunes. So who else is willing to share their favorite local band/musician or other big name group with the rest of us and add some more music selections to our iPods?

Bits du Jour

Over on the Bits du Jour website you can find daily deals on software you may never have heard of. You can subscribe to their daily deals and get an email every day. This is an excellent way to stay current on software that is low cost and something you may come across in your travels.

For example, I have seen wiping programs, partition managers, and photo hiding and spying software being sold on this site. All the software offers a free demo as well as being low cost. This is another excellent way to acquire software to evaluate and research.

This is just one more way to keep you informed of what may be out there.


Questions/Comments/Thoughts?

Professional Investigator License in Michigan

This is another example of how the government in the state of Michigan is trying to screw with its residents. They have already done enough harm to this state; I am not sure why they wanted to do more. I will only hit on a few things here. If you want to read the whole thing, you can find it here.

According to the new law, it takes effect immediately. Now what does this do to your current case load? Do you go and find a PI that will allow you to work under their license? If you want to still practice, you will. There is a lead time of approximately 12 weeks in order to get through the process. The funny thing is, as of yesterday they did not have the new application to use to apply for the license. How can a law go into effect with no lead time to get your affairs in order? Brilliant thinking on the Legislature's part.

Now for those that do happen to read this bill here is the intro to it:

"An act to license and regulate professional investigators; to provide for certain powers and duties for certain state agencies and local officials; to provide for the imposition for certain fees; to protect the general public against unauthorized, unlicensed and unethical operations by professional investigators; to provide for immunity for certain persons under certain circumstances; to provide for penalties and remedies; and to repeal acts and parts of acts."


Reading the law, they have their standard requirements about age and felonies, but here is where it gets interesting:

"A graduate of an accredited institution of higher education with a baccalaureate or postgraduate degree in the field of police administration, security management, investigation, law, criminal justice, or computer forensics or other computer forensic industry certificated study that is acceptable to the department."

So I can have a degree in Police Administration, investigation or Criminal Justice and practice forensics? Yep, that is what it says. So do I really need to know anything about computer forensics to practice if I have a 4 year degree in CJ? I can easily go purchase any of the packages, hang my shingle out and state that I practice Computer Forensics. That being said, I do not see where this has helped the general public, except to put decent forensic examiners out of work until they can get their license, which, without the proper applications being made available, may take some time if they even get them out there.

Do not get me wrong, I think regulation is fine; as an industry we probably should be regulated, but not with laws like this. But in true State of Michigan fashion, let's do a crappy job and not think things through. For a full time Legislature you would think they would do a better job.

Living and practicing in the State of Michigan I am waiting for the proper applications to be made available so I can apply. We will see how it goes. I hope I meet their criteria to be able to practice Computer Forensics.

Questions/Comments/Thoughts??

Sunday, May 18, 2008

Forensic 4Cast - A New PodCast

Well, there is a new forensic podcast on the block. It is called Forensic 4Cast and can be found here. I just listened to it and it is pretty good, especially for a first podcast. Lee and Simon are the hosts for the show, and they are forensic investigators/analysts in the UK. They discuss COFEE, the UK Extreme Porn Bill and the Computer Misuse Act. If you want to email the guys, their email address is 4cast at whitfields.org.

Lee and Simon, keep up the good work.

Questions/Comments/Suggestions

Saturday, March 22, 2008

CSC Parser Version 2.0

As there have been over 490 downloads of this program and I have helped numerous people recover their Offline Folder/CSC directory, I thought I would update the software. You can find version 2.0 here. It has changed in that it uses drop-down menus now instead of buttons. When you try to recover files you have 2 choices: using the 00000002 file or the csc1.tmp file. Both options will now copy the files that can be recovered to a directory of your choosing. Remember that you must have a good copy of the 00000002 or the csc1.tmp file. To run the program just unzip into a directory and run csc_parser.exe. I have removed the source code this time, but this program is still free for personal use; for commercial use please contact me about using this program.

For those users who have reinitialized their offline folder/CSC, I also have a program that might work for you, as it scans the CSC folder and tries to rebuild what was there. This is the professional version of the csc_parser. This program can be purchased for $50.00 (the button is on the side of the blog). This program will also have the above functionality in it as well.

I have also added a Donate button on the side of the blog. If this program helps you out and you would like to donate, that would be great; you are under no obligation to donate if you do not want to. If you do decide to donate and you donate $27.00, then I will also send you a complimentary copy of the CSC_Parser_Pro program.

Questions/Thoughts/Comments?

Wednesday, February 27, 2008

Prefetch Information

Here is a quick and dirty program to parse a prefetch file and output some important information. It is only a command line program currently and does not use a database or scan the prefetch directory (I know I am slacking; those would be some good improvements to make and pretty easy). What it will do is parse the prefetch file, giving you the standard information that other programs have given (i.e. embedded date, number of times run and executable name) plus a list of directories and files that are/have been loaded. The program can be found here.

To run the program just type:

prefetch_info.exe <directory/prefetch file name>

Here is an example of the output for the prefetch file AID4MAIL.EXE-1EE932F2.pf. One thing to note is where the AID4MAIL.EXE program was run from; kinda cool to see it did not run from the hard drive of my laptop but from a USB thumb drive. You can also see what song I was listening to when I ran the AID4MAIL program (you can search for that one).

As always Questions/Comments/Thoughts?

File Name that was run AID4MAIL.EXE

Date/Time prefetch file was created Thu Feb 28 02:16:21 2008
Date/Time prefetch file was modified Thu Feb 28 02:16:21 2008
Date/Time prefetch file was last accessed Thu Feb 28 02:16:21 2008

File AID4MAIL.EXE was run 1 times

AID4MAIL.EXE Embeded date/time is Thu Feb 28 02:16:11 2008

List of files and Directories whose pages are to be loaded

\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISK3\DP(1)0-0+8\AID4MAIL\AID4MAIL.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GDI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LPK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USP10.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CTYPE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AMINIT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTKEY.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\TEMP\AEXAM\AEXFD.TMP
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLE32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MPR.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\VERSION.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\COMCTL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHLWAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINDOWSSHELL.MANIFEST
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINSPOOL.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHELL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMDLG32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINMM.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ENTAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETAPI32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTEXCEPTIONS.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTRULES.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UXTHEME.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTFIME.IME
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCSS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WDMAUD.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SETUPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINTRUST.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CRYPT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSASN1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMAGEHLP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MIDIMAP.DLL
\DEVICE\HARDDISKVOLUME2\$MFT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\APPHELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CLBCATQ.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMRES.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\REGISTRATION\R000000000013.CLB
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\TORTOISESVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WININET.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPR_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSWSOCK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCR80.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRUTIL_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRICONV_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\INTL3_SVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCP80.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHFOLDER.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\WINDOWS-1252.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\_TBL_SIMPLE.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\UTF-8.SO
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED20.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WIN.INI
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USERENV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DRPROV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTLANMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETRAP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SAMLIB.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DAVCLNT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTSHRUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ATL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WPDSHEXT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144C
CF1DF_1.0.2600.2180_X-WW_522F9F82\GDIPLUS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PORTABLEDEVICEAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AUDIODEV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMVCORE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMASF.DLL
\DEVICE\HARDDISKVOLUME2\MARK\ITUNES\EMINEM\CURTAIN CALL - THE HITS (EDITED VERSI
ON)\SHAKE THAT (EDITED VERSION).M4A
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSIMTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SECUR32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\TEMPORARY INT
ERNET FILES\CONTENT.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\COOKIES\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\HISTORY\HISTO
RY.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\TAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RTUTILS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSV1_0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IPHLPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SENSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\URLMON.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MLANG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSOCK32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\HNETCFG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSHTCPIP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNSAPI.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\BONJOUR\MDNSNSP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASADHLP.DLL

NoteCase For Those Case Notes and Outlines

While I was surfing for something to create a task type list I came across this software, NoteCase note manager. It can be found here. Here is their brief description from their site:

NoteCase is a hierarchical note manager (aka. outliner). It helps you organize your everyday text notes into a single document, with individual notes placed in the tree-like structure (each note can have its sub-notes, ...). To ensure your privacy, encrypted document format is supported, along with standard unencrypted format. Project is free and open source.

After choosing which version to download (I went with the Windows portable version so I can take it with me) and installing it, I started to play around with it. Now this is a pretty cool open source project. What it allows you to do is create an outline (a series of expandable nodes) and add text, pictures, links and attachments to each node. You can add a date/time entry and also cross out entries as you create them. If saving your file encrypted is an option you want, you can do that also. You can even export into HTML, text and even an executable. If you want to use a language other than English you have your choice of 33 other languages. I blogged last year about TiddlyWiki and how it was nice to have something to carry with you to take notes and so forth, and I would rate this product right up there with TiddlyWiki, especially since it does so many languages (looking at where you readers are I can see where the other languages would come in handy).

Thoughts/comments/questions?


Addendum, Feb 28, 2008

I forgot to mention that NoteCase is available for all these platforms:

Linux/Unix (with GTK+ 2.x installed)
Windows 9x/2000/XP/Vista
Mac OS X
Free BSD (available elsewhere on Internet)
Sharp Zaurus platform (running pdaxrom or angstrom Linux distro)
Nokia Maemo platform (Nokia N770/N800)
Nokia Maemo OS2008 platform (Nokia N800/N810)

Wednesday, January 23, 2008

Mount That DD Image with VMWare........

As most of you are aware, you can use Live View to create a virtual machine from a DD image so you can boot it up and check it out. If you use the snapshot feature to make it read only then you can do whatever you want to the image and it will not harm it (I won't go into VMware's snapshot features). Now what if you want to mount one of the partitions to a drive and scan it with a virus scanner or some other tool? Well now you can, by using the 4 Perl scripts and executables I created. The zip file containing the Perl scripts and executables can be found here.

Now in order to use these scripts you will need to have created the VMware machine from the DD image using Live View. This is so that a snapshot is taken and you can revert back to it, which is what makes the image read only; make sure you do this, otherwise it will not be read only. Once you have created the VM, run the following programs in this order:

vm-vol-list.exe <PATH to VM>\<VMDK File> -- path and file in quotes if it contains spaces

This will list all the volumes in this virtual machine. You need to pick the one you want mounted then issue the following command.

vm-mount.exe <PATH to VM>\<VMDK File> <Drive Letter to mount to without :> <Volume number from previous step> -- path and file in quotes if it contains spaces

This will then mount your volume to the drive specified. You can then do anything you want. To unmount the drive issue the following command.

vm-unmount.exe <Drive Letter to mount to without :>

This will unmount the volume from the drive. To revert the image back to its original state issue the following command.

vm-snapshot.exe <PATH to VM>\<VMX File> -- path and file in quotes if it contains spaces NOTE: vmx file not the vmdk file.

This will revert any changes that were made back so the image will look exactly as it did just before you mounted it. This uses the default snapshot name created by Live View so if you use another name then you will have to change the Perl script.
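The four steps above wrapped so that the unmount and the snapshot revert always run, even if the scan fails. This is an added example, not the author's scripts: it assumes the tools take the arguments shown in the post, and that the .vmsd file beside the .vmx records snapshots under VMware's snapshot.numSnapshots / snapshotN.displayName keys, which is how it checks the "make sure a snapshot exists" caveat before mounting.

```python
import re
import subprocess
from pathlib import Path

def parse_vmsd(text):
    """Return the display names of the snapshots recorded in a .vmsd file
    (assumes VMware's snapshot.numSnapshots / snapshotN.displayName keys)."""
    kv = dict(re.findall(r'^([\w.]+)\s*=\s*"([^"]*)"', text, re.M))
    count = int(kv.get("snapshot.numSnapshots", "0"))
    return [kv.get(f"snapshot{i}.displayName", "") for i in range(count)]

def quote(path):
    """The post says to quote the path and file when they contain spaces."""
    path = str(path)
    return f'"{path}"' if " " in path else path

def build_commands(vmdk, vmx, drive, volume):
    """The four command lines exactly as the post lays them out."""
    return {
        "list": f"vm-vol-list.exe {quote(vmdk)}",
        "mount": f"vm-mount.exe {quote(vmdk)} {drive} {volume}",
        "unmount": f"vm-unmount.exe {drive}",
        "revert": f"vm-snapshot.exe {quote(vmx)}",
    }

def mount_scan_revert(vmdk, vmx, drive, volume, scan,
                      run=subprocess.run, vmsd_text=None):
    """Mount the volume, call scan(drive), then always unmount and revert.

    Refuses to mount if the .vmsd beside the .vmx lists no snapshot, because
    without one the mount would write into the image. 'run' and 'vmsd_text'
    are injectable so the flow can be exercised without VMware installed."""
    if vmsd_text is None:
        vmsd = Path(vmx).with_suffix(".vmsd")
        vmsd_text = vmsd.read_text() if vmsd.exists() else ""
    if not parse_vmsd(vmsd_text):
        raise RuntimeError(f"no snapshot recorded for {vmx}; image would be writable")
    cmds = build_commands(vmdk, vmx, drive, volume)
    # On Windows a command string goes straight to CreateProcess; no shell needed.
    run(cmds["mount"], check=True)
    try:
        return scan(drive)
    finally:                      # runs even when the scan raises
        run(cmds["unmount"], check=True)
        run(cmds["revert"], check=True)
```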

Questions/Comments/Thoughts???

Saturday, January 12, 2008

A file tool mark Library

Adding to Hogfly's idea about an application tool mark library and looking at my last post, I think it might be interesting to have a file type tool mark library. What if you were able to look at a file and determine what program was used to create it? In my last blog I showed how a doc file that had been originally created in Word changed once saved in Word Perfect. Now how could this be important? Well, if that file was found on a PC that did not have Word Perfect installed then you can show that the file was not maintained there.

Thoughts/Comments/Questions??

Friday, January 11, 2008

What is your MS Office Metadata Telling You???

So you are given a couple of Word documents and the person who gave them to you wants to know what you can tell them about the files. You tell them no problem and start to analyze them. You can get the files here. Now they all look like Word docs, they open like Word docs, but some of them smell kinda funny. The reason some of them smell funny is that they have no normal Word metadata. Now the first file has all the usual metadata but the rest of them seem to have lost their metadata. Now to cut to the chase, every document after test-1.doc was opened in Word Perfect and saved in MS Word document format. I have not really heard any discussion about this until I came across a file just like the ones I will be discussing (how I find this stuff sometimes I will never know).

The first file, test-1.doc, was created in Microsoft Word 2003 and saved. If you run Harlan Carvey's WMD.pl program you will see that it comes back with a whole slew of metadata. Every file after this one was opened in Word Perfect (WP) and saved in MS Word 97/XP/2003 format. You really need to look at these files in a hex editor to appreciate what is going on here.

In test-2.doc everything looks like test-1.doc except that towards the end of the file you can see where the body of the text document I typed in resides with the changes I made. This is very interesting because each time I save the file it switches between the top text and the bottom text. If you compare the 2 areas you can see one is the newly edited text and the other one is the last saved text (I numbered each sentence I typed so you can tell what order I saved them in). Kinda cool how you can start to see the changes in the file. Now after the first save in WP, if you search for the hex values FEFF00 you should find 2 spots in the file where the Word metadata resides (my name, company, title, etc.). Now after you save the file again that first section of metadata disappears (if you look at the difference between test-2.doc and test-3.doc you will see what I mean). Now after the third save the next set of Word metadata is gone (test-4.doc). Now you understand why there was no metadata. Files 5, 6 and 7 are just to show how the text of the file goes back and forth between the 2 areas. Also in the file you will see the words Corel Corporation, which leads you to believe that it was edited in WP.

Now let's say that you have files test-1.doc, test-2.doc and test-3.doc; what can you really say about them? Well, here is what I would state about these files:

Test-1.doc was created in Word; you can tell by the way the file looks and all the metadata (a Word document has the same fundamental look).

test-2.doc was edited and saved in Word at one time because of the presence of the 2 sections starting with FEFF00. With the words "Corel Corporation" in the file and the exact same text in 2 spots in the file, I can say that the file was last saved with Word Perfect.

test-3.doc was edited and saved in Word at one time because of the presence of 1 section starting with FEFF00. With the words "Corel Corporation" in the file, and 2 areas of edited text that do not match, I can say that the file was saved with Word Perfect the last 2 times it was saved.
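The checks described above turned into a small scanner, as an added example that is not the author's code or the linked sample files: it counts FEFF00 metadata sections and looks for the Corel Corporation string (searching both ASCII and UTF-16, the second being an assumption), then applies the post's own reasoning to what it finds.

```python
import re
import sys

META_MARK = b"\xfe\xff\x00"                       # start of a Word metadata section
COREL = b"Corel Corporation"
COREL_UTF16 = COREL.decode().encode("utf-16-le")  # assumption: string may be UTF-16

def find_all(data, needle):
    """Offsets of every (non-overlapping) occurrence of needle in data."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]

def tool_marks(data):
    """Raw marks for one .doc: FEFF00 section count/offsets and Corel string."""
    meta = find_all(data, META_MARK)
    corel = find_all(data, COREL) + find_all(data, COREL_UTF16)
    return {"metadata_sections": len(meta), "metadata_offsets": meta,
            "corel": bool(corel)}

def assess(data):
    """Apply the post's reasoning; this is a heuristic, not a file format spec."""
    m = tool_marks(data)
    n, corel = m["metadata_sections"], m["corel"]
    if n >= 2 and not corel:
        return "metadata intact: consistent with a file last saved in Word"
    if n >= 2 and corel:
        return "two metadata sections plus Corel string: saved in Word, last saved in WordPerfect"
    if n == 1 and corel:
        return "one metadata section plus Corel string: saved in Word once, then saved twice in WordPerfect"
    if n == 0 and corel:
        return "no Word metadata, Corel string: saved in WordPerfect at least three times"
    return "no Word metadata and no Corel string: tool marks inconclusive"

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(assess(fh.read()))
```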

Does this make sense and do you come to the same conclusions I have?

Now one thing to note if you are using the wmd.pl program mentioned above is that after a couple of saves in WP the metadata will show that the file was created on a mac and not windows. I have told Harlan about this so he is aware of it.

Now the question to ask yourself is what other programs that do a "save as" to another format exhibit this type of behavior.

Now I hope I was clear in what I was saying. If not then download the files and check them out and I think it will be clearer.

Questions/Thoughts/Comments???