SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Is Your index.dat File LEAKing?

One of the projects that I've been working on, has required me to become intimately familiar with index.dat files. These files (index.dat) are usually associated with Internet Explorer's browser history. If you've ever worked with index.dat files before, you've probably encountered the mysterious "LEAK" record. After some analysis, I think I've finally figured out what LEAK records are used for.

Essentially, a LEAK record is created when a cached URL entry is deleted (by calling DeleteUrlCacheEntry) and the cached file associated with the entry (a.k.a. "temporary internet file" or TIF) can not be deleted.

You can easily test this on your own system:

  1. Open Internet Explorer and surf to a web page. Ideally a page with a unique and easily identifiable name (e.g.

Windows Scheduler (at job) Forensics

This information may be useful to people responding to compromise incidents involving Windows. Typically these days, when a job is scheduled for execution later, possibly every day, week, or month, it's done via a GUI tool or 'schtasks'. However , you can still use the original command line 'at' tool. This utility also allows such jobs to be scheduled over the network if admin credentials are possessed, which makes it quite useful to an attacker for post exploitation activities. When cleaning up after something like this, it's useful to know a bit about what it does under the hood, including the formats of the associated .job file, and the structure and location of associated log entries.

[caption id="attachment_11626" align="aligncenter" width="745" caption="Figure 1: A scheduled

...


Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix

Doing it the HARD way!

Perhaps you remember my previous blog on EnCase and PointSec, which included my plea for Guidance Software and CheckPoint to work together to create a seamless way to decrypt drives without having to go through 20 or 30 steps to get there. I even wrote, out of desperation, A Case for Decryption of the Original, because it would save time consuming steps and not change the data relevant to an investigation.

Time for an update. As noted in my last blog on decrypting the original, VMWare no longer recognizes a raw disk as a valid disk image. Images have to be converted before

...


Flash Cookie Forensics

Flash cookies have been a hot topic lately with the release of an excellent research paper titled Flash Cookies and Privacy. Flash Cookies, or local Shared Objects in Macromedia parlance, are a great example of a forensic artifact that has existed for a long time but was virtually ignored until someone decided to shine some light on it. Whenever I see new research about problematic privacy controls, I immediately get out my notepad, because I know that I am going to find some great artifacts that can help in my forensic investigations.

First some basics:

  • Macromedia Flash has become ubiquitous on the web, providing features such as streaming video and a "rich client" experience. Many of the most popular sites on

...


Analysis of e-mail and appointment falsification on Microsoft Outlook/Exchange

Author: Joachim Metz

Summary

In digital forensic analysis it is sometimes required to be able to determine if an e-mail has or has
not been falsified. In this paper a review of certain Outlook Message Application Programming
Interface (MAPI)
is provided which can help in determining falsified e-mails or altered
appointments in an Microsoft Outlook/Exchange environment.

About the libpff project

In 2008 Joachim Metz a forensic investigator at Hoffmann Investigations started the libpff project.
At that time the best source about the Personal Folder File (PFF) format in the public domain was
the libpst project. The libpst project dated back to 2002 and had been contributed and

...