SANS Digital Forensics and Incident Response Blog

Open Sesame

Sometimes little gems come across mailing lists. Like this little
footnote announcement in Microsoft's MSDN email this
week
:

Open Specifications
<
http://go.microsoft.com/?linkid=9252946>

Microsoft is providing
open connections to its high-volume products -
Windows Vista (including the .NET Framework), Windows Server 2008, SQL
Server 2008, Office 2007, Exchange Server 2007, and Office SharePoint
Server 2007. As a developer, you now have full access to information
about protocols, binary file formats, and other specifications for
these products that can be used to create solutions

Microsoft? Open protocols? Sure enough the Microsoft
protocol program
section details the initiative including this
quick link
to the major sections including user forums, docs,
etc. To quote the page:

Documentation
for the Open Protocols will be made available without
charge and without restriction on the MSDN Library in the Open Protocol
Specifications area.

Patent licenses for
patents on Open Protocols will also be made available at low royalty
rates.

So there are docs for free and patent licenses if you plan on making
something implementing the protocols (alternative exchange clients,
etc). What does this mean to forensics? Most likely two things

  1. An increase in the number of open source tools that can
    work with Microsoft data stores and protocols
  2. An increase in the accuracy of existing open source tools
    that work with the protocols.

For example, I recently worked an email investigation where I only had
outlook .msg files and no good way to decode them. I used the ruby program msgtool
for a quick conversion of the files to rfc2822 format for analysis. This tool
is by no means complete but worked well for my purposes. A quick look at the TODO
tells you the known issues and not surprisingly a good deal of these have to do with
reverse engineering the protocol for .msg files.

Let's hope that this initiative granting access to the protocol
documentation (even version 1) will yield some fixes and new tools for decoding these common files and protocols.

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis.

1 Comments

Posted September 8, 2008 at 5:41 PM | Permalink | Reply

jeffbryner

Open spec link should be: http://go.microsoft.com/?linkid=9252946 sorry for the editor malfunction.