SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Using Image Offsets

Hal Pomeranz, Deer Run Associates

One of the basic techniques we teach in SANS Forensic classes is "carving" out partition images from complete raw disk images. All it takes is a little facility with mmls and dd. Here's a quick example of carving an NTFS partition out of a disk image to show you what I mean:

$ mmls -t dos drive-image.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000064259 0000064197 DOS FAT12 (0x01)
03: 00:01 0000064260 0000273104 0000208845 DOS Extended (0x05)


NTFS: Attributes Part One

In the previous post in this series on NTFS file systems, we were just dipping our feet in the complicated waters by examining the output of fsstat. Let's pick up where we left off. Below is the $AttrDef Attribute Values section of fsstat's output from the previous post:

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16) Size: 48-72 Flags: Resident
$ATTRIBUTE_LIST (32) Size: No Limit Flags: Non-resident
$FILE_NAME (48) Size: 68-578 Flags: Resident,Index
$OBJECT_ID (64) Size: 0-256 Flags: Resident
$SECURITY_DESCRIPTOR (80) Size: No Limit Flags: Non-resident
$VOLUME_NAME (96) Size: 2-256 Flags: Resident
$VOLUME_INFORMATION (112) Size: 12-12


Learn To Investigate Data Breach Incidents

Computer Forensic Training is becoming more critical to your organizations incident response plan due to some of the current threats that are being discovered. Organizations will find more and more that they will need a team of trained incident responders and computer forensic analysts. Your organization needs to be prepared on how to handle sophisticated incidents and organized groups that can easily walk around your perimeter defenses.

Here are just a few recent headlines over the last year scoping the current threat against many networks.

MSNBC: "Report: Obama helicopter security breached. Pa company says blueprints for Marine One found at Iran IP address"

Wall Street Journal: "Computer Spies Breach Fighter-Jet Project"


NTFS: An Introduction

Earlier this year, a life time ago in internet years, I published a series of posts on the FAT file system. Over the next few months, I'll be publishing a similar series on NTFS. Much of the information contained in these posts will come from Brian Carrier's excellent book, File System Forensic Analysis, articles from Microsoft and other sources. Where applicable, specific sources will be cited within each blog post.

On day one of SANS Sec 508: Computer Forensics, Investigation and Response we cover the most common file systems in detail. Almost without fail, someone asks if the material is really important


'Free Download Manager' Log Extraction

Recently I worked on a case that required I reverse engineer some file formats used by the 'Free Download Manager' application. This is a popular download management application available from

The version of the application I analyzed stores its logs under 'userprofile\\Application Data\\Free Download Manager'. It uses a number of files to handle different logs and track various in-process tasks. Here's a list of the files I found there:

  • dlmgrsi.sav - This is actually a short executable of some description. Not sure what it's for.
  • downloads.his.sav - Log file using the following format: Starts with the null-terminated header "FDM Downloads History". Then 8 bytes of unknown data, followed by a list of records as follows,