SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

Texas PI Licensing Amendment

Yesterday on the GCFA mailing list, Rob Lee forwarded a message about a Texas House Bill that would amend the language in the Private Investigator Licensing statute in a way that will affect computer forensic examiners. Some discussion ensued on the list, as the language of the statute is not completely clear to mere mortals more comfortable converting hex values in master boot records than they are reading the law.

In the event you're in Austin and concerned, you can hurry down to the Technology, Economic Development and Workforce Committee meeting today and participate or listen in. Here are the details about the Committee meeting and sponsor of the Bill:

COMMITTEE: Technology, Economic Development & Workforce
TIME & DATE: 10:30 AM or upon final adjourn./recess, Tuesday, April 14, 2009
PLACE: E1.026
CHAIR: Rep. Mark


NetworkMiner follow up

Last week, I posted an entry about pulling binaries from pcap files. In the post, I mentioned that NetworkMiner could be used to extract binary files from pcaps automatically, but that during my testing it had failed to extract at least one file.

Shortly after publishing, I was contacted by Eric Kollmann who has done some great research on using network traffic for OS fingerprinting. Some of Kollmann's techniques have been incorporated into NetworkMiner. Kollmann wrote to tell me that I should mention my issues to Erik Hjelmvik, the primary developer of NetworkMiner.

Hjelmvik was incredibly receptive and helpful. Within a few days, he'd downloaded the same pcap file I'd tried in my testing and reported back to me that it was working for him and suggested that it


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so your mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner; it will


PowerShell Timestamp Manipulation

Manipulating timestamps on Unix and Linux systems is as simple as touching a file on the file system. Of course, the individual attempting to modify timestamps will need to have permissions to do so on the file(s) in question.

On Windows based systems changing time stamps has historically required the use of third-party tools. However, Windows 7 and Windows Server 2008 will reportedly ship with Windows PowerShell installed.

Among the many advanced capabilities of Windows PowerShell is the ability to modify three different timestamps for Windows file systems. These are the file creation time, last access time and modification time. Forensic analysts should also be familiar with the metadata change time that is updated to reflect changes in


More command line forensics fu

Recently, I was asked if I could recover all images from a hard disk drive that could be linked to a specific digital camera. In this case, the EXIF data contained the make, model and serial number of the camera in question. Using some simple command fu, I was able to quickly recover all of the images. I could have used GUI tools, but I believe in keeping my command line skills polished, so I try to use them as much as I can.

Here's how I did it. For the sake of demonstration, I'm using the ipcase_ntfs.img from SANS Security 508: Computer Forensics, Investigation and Response, but the concepts are the same for any hard drive image.

To begin with, extract the strings from the image as follows:

strings --radix=d image_file > image_strings.txt

Using the --radix=d option causes the strings command to include the byte offset, in decimal, where the given string