SANS Digital Forensics and Incident Response Blog

Windows Viewers & Information Extractors for Various File Types

I'd been doing a bit of work with EnCase to optimize my configuration and minimize the amount of work required to view various file types or extract specific data from them. The result is a list of applications, with a few associated options, for use as viewer plugins in your forensic tool of choice.

1. Regripper

This tool, developed and maintained by Harlan Carvey, author of Windows Forensic Analysis, is a great all-purpose registry data extractor. It has many different plugins, each handling extraction of a different kind of information, and I believe that Harlan updates it frequently. I sometimes browse its output by eye when digging for things that are frustratingly nonspecific.

It's a command-line-only utility, but you can run it from within a GUI tool such as EnCase by specifying CMD as the actual command and putting the meat into the options, such as "/c cd /d fullpathregripper&rip -r [file] -f sam&pause". This will dump the text output into the buffer of the CMD shell (which will, of course, need its default size expanded), then pause until the user hits the spacebar. You can copy and paste items of note out of the buffer while it's open if desired. I have 6 different lines of this nature in my EnCase configuration to deal with the various registry file types supported by regripper.

2. NavRoad Offline HTML Browser

Often, HTML files recovered from a subject's browser cache won't display properly in a browser because of missing content that the page expects to download directly. NavRoad gets around that and will usually format all of an HTML document's content for display.

3. 7zip

The 7zip archive browser, 7zFM, is a great way to deal with a large assortment of archive formats which may or may not be directly supported by your forensic tool of choice.

4. GlobFX Swiff Player

When examining downloaded multimedia web content, you often come across Shockwave Flash (.swf) movies. This application allows them to be played normally.

5. Wimpy FLV Player

FLV is a different Flash video format. I've found it typically used for YouTube content.

6. VideoLAN VLC

I've found this open source multimedia player application to be one of the most reliable ways to play almost any audio/video content. There's no need to download any special codecs. The only things I've found so far that it won't play are Flash and some of the RealMedia formats. It may also have issues with DRM-protected files, but I haven't run into any yet.

7. RealPlayer

As mentioned above, VLC has issues with some of real.com's special formats, so I also include their player as a viewer.

8. SQLite Database browser

There are a number of applications that store cache or configuration data in the SQLite database format. I've mentioned a couple of them in previous blog postings. This application lets you examine the data contained in such a database directly.

9. Exiftool

I originally obtained this tool specifically for extracting embedded metadata from within .jpg files. I've since discovered that it also does a pretty good job on MS Office documents, and examination of the documentation shows that it supports a plethora of other file types.

10. AccessPDF pdftk

This tool is specifically designed to extract metadata from within PDF documents. Like regripper above, it's a command-line-only tool, so executing it from within a GUI application takes some finagling. As with regripper, I use CMD as the application and put the meat in the options: "/c fullpathpdftk-1.12pdftk.exe [file] dump_data output - & pause".
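A single wrapper for both of the CMD-launched tools described above (rip for registry hives and pdftk for PDFs), added here as an example and not taken from the post, RegRipper or pdftk: it picks the tool from the file the forensic tool hands over, writes the report to a file instead of relying on the console buffer, and keeps the window open. The tool paths and the rip profile names other than "sam" are assumptions.

```batch
@echo off
rem view_meta.cmd -- added example; not from the post, RegRipper or pdftk.
rem One CMD viewer entry for both command-line tools described above. Configure
rem the viewer as: application CMD, options  /c "C:\tools\view_meta.cmd" [file]
rem Assumptions: the tool paths below and the rip profile names other than "sam"
rem (taken from the profile files RegRipper ships; check your install).
setlocal
set "RIPDIR=C:\tools\regripper"
set "PDFTK=C:\tools\pdftk-1.12\pdftk.exe"
set "OUTDIR=%TEMP%\viewer_reports"
if not exist "%~1" ( echo Usage: %~nx0 file  -- not found: "%~1" & pause & exit /b 1 )
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
rem Report name from DATE/TIME; "/", ":" and spaces are not wanted in file names.
set "STAMP=%DATE:/=-%_%TIME::=-%"
set "OUT=%OUTDIR%\%~nx1_%STAMP: =0%.txt"

if /i "%~x1"==".pdf" goto :pdf
rem Registry hive: pick the rip profile from the hive's file name.
set "PROFILE="
if /i "%~nx1"=="sam"        set "PROFILE=sam"
if /i "%~nx1"=="security"   set "PROFILE=security"
if /i "%~nx1"=="system"     set "PROFILE=system"
if /i "%~nx1"=="software"   set "PROFILE=software"
if /i "%~nx1"=="ntuser.dat" set "PROFILE=ntuser"
if not defined PROFILE (
    echo No handler for "%~nx1": expected a PDF or a SAM, SECURITY, SYSTEM, SOFTWARE or NTUSER.DAT hive.
    pause & exit /b 2
)
rem rip is run from its own directory, as in the post, so it finds its plugins.
pushd "%RIPDIR%"
rip.exe -r "%~1" -f %PROFILE% > "%OUT%" 2>&1
set "RC=%ERRORLEVEL%"
popd
goto :show

:pdf
rem dump_data with "output -" writes the metadata to stdout, as in the post.
"%PDFTK%" "%~1" dump_data output - > "%OUT%" 2>&1
set "RC=%ERRORLEVEL%"

:show
echo Exit code %RC%. Report saved to "%OUT%"
more "%OUT%"
pause
endlocal
```

Saving the report also leaves a copy that can go straight into case notes, rather than being retyped from the console window.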

11. Pinpoint Metaviewer

Another GUI application for extracting metadata from MS Office documents.

12. Codeplex JSON Viewer

I dug up this utility while working on analyzing the content of Gmail datapack files. It's able to take the text from one of those files and format it so that it's easy to make visual sense of. I don't use it a lot, but I think it's handy.

13. Extract

Extract is a command-line utility that's provided as part of the open-source libextractor library for Linux. It's what metagoofil uses to extract metadata, and it was the first metadata viewer that I attempted to install. By dint of much persistence, I was able to compile it under Windows using the current version of Cygwin. I also had to download and install the following packages (most of them were just for trying to get PDF extraction to work, and not all of them may have actually been necessary): freetype-2.3.1, lesstif-0.95.0, libgsf-1.14.10, libmpeg2-0.5.1, t1lib-5.1.0, xpdf-3.02. This may or may not actually be worth the work, as I'm not sure that it extracts any data that the other metadata viewers I've found since (see above) do not.

14. Please add comments with file types you can't browse, or file browsers that you think are useful

I'll start the ball rolling. I'm looking for something I can use to play .qtch Quicktime cache files. Alternatively, I'd like to at least be able to determine what the URL download was that caused the creation of the cache file. Does anybody know anything that can be done with these files?

As always, you're also welcome to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a Fortune 500 telecommunications equipment provider.

1 Comment

Posted December 18, 2008 at 6:45 AM

keydet89

John,
Thanks for the shout-out!
> "It's a command-line-only utility"
No, RegRipper is a full GUI tool. The accompanying CLI tool is "rip", and both are shipped as Perl script source code as well as Windows EXE files. In this way, RegRipper is similar to AutoRuns from MS.
RegRipper was designed in a manner similar to Nessus, in that plugins are Perl scripts and appear in plain text. This way, you can see what the plugins do, and in at least one case that I'm aware of, write your own. The current plugins can also be modified as necessary.
What I think is very powerful about RegRipper is the visibility it provides into the Windows Registry. Rather than simply dumping all keys and their LastWrite times, specific information that is useful to a forensic analyst is extracted. In several plugins, data is not only extracted, but it is displayed in a manner that is easier to understand. Further, some plugins extract information from several locations within the hive file, correlating that information into a useful display, leaving the raw information intact, should it need to be independently verified later.
RegRipper is available (completely free!) from RegRipper.net. I've written some plugins that I haven't added to the distribution, such as getting the hibernation status and parsing the SafeBoot subkey contents (some malware creates subkeys in order to be loaded even when booting to SafeMode). However, the REAL power of RegRipper is the forensic community: if you have something that you need to extract, write a plugin, and share it. If you feel as if you want some data extracted and correlated, but do not feel that your programming skills are up to snuff, I'm willing to try and provide a plugin; all I ask for is a concise description of what you're looking for and an example hive file.