SANS Digital Forensics and Incident Response Blog: Author - Keven Murphy

Firefox 3.X Forensics: Using F3e

In my current role as a corporate investigator, I tend to review web browser histories in most of my cases. Due to that, I am always looking for additional tools to review web browser histories and I think Mr. Chris Cohen has written a nice one for Firefox 3.X.

A little background on Firefox:

Firefox 3.X uses SQLite databases to store:

  • Internet browsing history
  • Bookmarks
  • Settings
  • Downloads
  • Cookies
  • Form History
  • and more.

As you can see, the various SQLite files (downloads.sqlite, formhistory.sqlite, places.sqlite, etc.) can be a treasure trove of data. Sometimes finding a good tool to extract that data can be challenging.

Mr. Chris Cohen has written a freeware tool called Firefox 3 Extractor or f3e for short. F3e can

... Continue reading Firefox 3.X Forensics: Using F3e


RegRipper: Ripping Registries With Ease

Harlan Carvey's RegRipper, available at http://www.regripper.net/, is a fantastic tool for getting data out of the registry quickly, whether you are doing incident response or forensics. In essence, it produces reports based on pre-canned registry searches. All you need to do is give it the registry file you want to review, give it a location for the report, and select the type of registry file. Then push a button.

RegRipper uses plugins to extract information from the registry files. Each plugin has been written to handle the data stored in the registry key it has been set up to review. For example, plugins will decode ROT-13 encoded data and translate binary data to ASCII.

Example Screen Shot


Rapier: A Different Data Carver

By Keven Murphy

Rapier is a data carver written for Linux. It is a bit different from the other ones out there. First, the data carver treats the input file as a stream of data: if a header or keyword straddles a cluster or sector boundary, Rapier still sees it as one contiguous match, because it ignores those boundaries. Second, headers and footers (footers are not 100% implemented yet) can be up to 100 bytes/characters long. Third, there are a few built-in search patterns, namely for index.dat and registry files. Like most data carvers, it does not review the data it carves out to check whether it is good data. That part is left to the forensic examiner.

Every byte on the drive is reviewed by Rapier. I realize that this can make it run long as

...


Oracle Forensics: Toad from Quest Software

Here are some notes for Oracle related forensics concerning Toad from Quest Software.

CONNECTIONS.INI File

The CONNECTIONS.INI file stores connection information related to previously used connections. It contains the passwords, usernames, and servers the user connected to using Toad. During a forensics review, you will find bits and pieces of this file all over unallocated space and slack space depending on how much the user used Toad.

In my experience with Oracle developers, I have found this file being traded among them, as it offers an easy way to pass connection information around. Based on that, you should be able to see how easy it is for one user to obtain another user's credentials and log in with them. All the user has to do is put the file in the proper spot, bring up Toad, and then click on the connection to log in. No password checks are made by Toad provided that previous connection listed in the

... Continue reading Oracle Forensics: Toad from Quest Software


Perl and Forensics: Keyword searches and Toad (Quest Software)

Here are some more examples of using Perl for keyword searches over the output of the strings command (strings -td {blkls file}) run against an image.

I had a text file (a Toad Connections.ini file) that consisted of the same thing over and over again. Since the file type was ASCII text without any headers or footers, there was no easy way to carve it out of unallocated space. Why not let Perl do the hard work?

A simplified version of the contents:

[LOGIN 1]
SERVER=test.box.com
USER=joesomebody
PASSWORD=dfsdafj^&*)(&kadf*&^09dafj234

I did a quick search for LOGIN using grep. Grep came back with over 1000 hits, which is far too many to recover by hand. Using Perl, I can recover those lines I want. The resulting Perl script is below.

#!/usr/bin/perl
use strict;
use warnings;

my $data_file = "image.dd.slack.asc";
my $out_file  = "login_srch_slack.out";

# Opens up the file to be read in, and the file the recovered lines are written to
open(my $ifh, "<", $data_file) or die "Cannot open $data_file: $!";
open(my $ofh, ">", $out_file) or die "Cannot open $out_file: $!";
# Assumed completion (the original script is cut off here): keep only the lines
# that belong to a Toad login block, reading the strings output line by line
while (my $line = <$ifh>) { print $ofh $line if $line =~ /\[LOGIN|SERVER=|USER=|PASSWORD=/; }
close($ifh); close($ofh);

... Continue reading Perl and Forensics: Keyword searches and Toad (Quest Software)