SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

PowerShell Timestamp Manipulation

Manipulating timestamps on Unix and Linux systems is as simple as touching a file on the file system. Of course, the individual attempting to modify timestamps will need to have permissions to do so on the file(s) in question.

On Windows-based systems, changing timestamps has historically required the use of third-party tools. However, Windows 7 and Windows Server 2008 will reportedly ship with Windows PowerShell installed.

Among the many advanced capabilities of Windows PowerShell is the ability to modify three different timestamps for Windows file systems. These are the file creation time, last access time and modification time. Forensic analysts should also be familiar with the metadata change time that is updated to reflect changes in

...


Rapier: A Different Data Carver

By Keven Murphy

Rapier is a data carver written for Linux. It is a bit different from the other ones out there. First of all, the data carver treats the input file as a stream of data. For example, if the header/word is broken up between cluster/sector boundaries, Rapier doesn't see the data divided up between the clusters/sectors. Instead, it ignores these boundaries. Secondly, headers and footers (footers are not 100% implemented yet) can be up to 100 bytes/characters long. Third, there are a few built-in search patterns: index.dat and registry files. Like most data carvers, it doesn't review the data it carves out to see if it is good data. That part is left to the forensics examiner.

Every byte on the drive is reviewed by Rapier. I realize that this can make it run long as

...


Oracle Forensics: Toad from Quest Software

Here are some notes for Oracle related forensics concerning Toad from Quest Software.

CONNECTIONS.INI File

The CONNECTIONS.INI file stores connection information related to previously used connections. It contains the passwords, usernames, and servers the user connected to using Toad. During a forensics review, you will find bits and pieces of this file all over unallocated space and slack space depending on how much the user used Toad.

In my experience with Oracle developers, I have found this file being traded among them as it offers an easy way to pass connection information. Based on that you should be able to see how easy it is for one user to obtain credentials of another user and log in with them. All the user has to do is put the file in the proper spot, bring up Toad, and then click on the connection to log in. No password checks are made by Toad provided that previous connection listed in the

...


pdymail: Yahoo! mail in memory

I thought GMail gave up quite a bit of information revealed through pdgmail. Little did I know how much was in Yahoo! mail!

pdymail is the sister script to pdgmail for gathering Yahoo! email artifacts from memory.

The good thing about web 2.0 with its AJAX, JSON, etc., interfaces is that most of it is text and even more is XML, which is nicely discoverable in memory. Yahoo! mail classic interface artifacts are easily found on the hard disk in browser cache files. The new Yahoo! mail interface uses XML and, while it doesn't leave much behind on the disk, it leaves tons in memory.

Like pdgmail, pdymail is a rather simple Python script tested mostly against a pddump of a process in memory. It also works against


Perl and Forensics: Keyword searches and Toad (Quest Software)

Here are some more examples of using Perl for keyword searches on the output of the strings command (strings -td {blkls file}) run against an image.

I had a text file (Toad Connections.ini file) that consisted of the same thing over and over again. Since the file type was ASCII text without any headers or footers, there was not an easy way to cut it out of unallocated space. Why not let Perl do the hard work?

A simplified version of the contents:

[LOGIN 1]
SERVER=test.box.com
USER=joesomebody
PASSWORD=dfsdafj^&*)(&kadf*&^09dafj234

I did a quick search for LOGIN using grep. Grep came back with over 1000 hits, which is far too many to recover by hand. Using Perl, I can recover those lines I want. The resulting Perl script is below.

#!/usr/bin/perl
use strict;
use warnings;

my $data_file = "image.dd.slack.asc";
my $out_file  = "login_srch_slack.out";

# Opens up the file to be read in, and the output file for the recovered lines
open(my $ifh, '<', $data_file) or die "Cannot open $data_file: $!";
open(my $ofh, '>', $out_file) or die "Cannot open $out_file: $!";

# Assumed completion (the excerpt stops at open): keep the lines matching the LOGIN keyword
while (my $line = <$ifh>) { print $ofh $line if $line =~ /LOGIN/; }
close($ifh); close($ofh);

...