SANS Digital Forensics and Incident Response Blog: Author - johnmccash

Automated Recovery of Multimedia from Unallocated Space

By John McCash

A couple of weeks ago, Quinn Shamblin posted his article on recovering mp3 data from unallocated space. This set me to thinking. The methods he described seemed generically applicable to other types of multimedia content, but I'm not an expert on those types of file formats, so I went looking. A few comments back and forth later (Thanks drpaha!), and I had a new tool to try out, Defraser. From the Sourceforge project page:

"Defraser is a forensic analysis application that can be used to detect full and partial multimedia files in datastreams. It is typically used to find (and restore) complete or partial


Application Metadata of Nested Documents

by John McCash

I was drawn to consider something by a question on a certification practical exam I recently took. The problem had been presented as "find the specified text in the supplied disk image". However, the text actually turned out to be viewable in a JPEG file which was nested inside a Word document. Once I'd found the text, the question was essentially answered, but then I started thinking about extraction options and the origins of that JPEG file.

I recalled a tool I'd recently discovered thanks to traffic on the GCFA mailing list, hachoir-subfile. The original email context was about using this tool to extract executable objects from PPS files, but it turns out that it works equally well to extract .jpg files. I had always assumed that when image files were incorporated into MS Office documents, they were somehow re-encoded,


Dates from Unallocated Space

By John McCash

A recent podcast I listened to (Forensic 4cast - Well worth the time to listen to it) made a statement which I took as an implication that files recovered from unallocated space were useless in most investigations because they lacked the filesystem metadata, specifically the MAC times. While it's true that the lack of this data can be a significant handicap, I disagreed rather strongly with that, and my disagreement forms the basis for this blog entry. I did follow up with Lee (Hi Lee!) at Forensic 4cast, and such a blanket implication was unintentional. Nonetheless, I think it worthwhile to enumerate for the community a number of points to consider when sieving through unallocated space.

Dates in particular, as well as other file metadata, can be extracted from many file types. Additionally, often filesystem


Windows Viewers & Information Extractors for Various File Types

I'd been doing a bit of work with EnCase to optimize my configuration and minimize the amount of work required to view various file types or extract specific data from them. The result is a list of applications, and a few associated options, for employing them as viewer plugins for your forensic tool of choice.


ShellBags Registry Forensics

I just found the coolest tool, and had to tell everyone about it.

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information persists in the registry and is not cleaned up when the associated folders are deleted.

Is anybody drooling yet?

Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect's USB stick that you didn't get looked like? Read on!

The data is stored as binary blobs under the following registry keys:

  • HKCU\Software\Microsoft\Windows\Shell\BagMRU
  • HKCU\Software\Microsoft\Windows\Shell\Bags
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags