SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Rapier: A Different Data Carver

By Keven Murphy

Rapier is a data carver written for Linux. It is a bit different than the other ones out there. First of all, the data carver treats the input file as a stream of data. For example, if the header/word is broken up between cluster/sector boundaries, Rapier doesn't see the data divided up between the clusters/sectors. Instead, it ignores these boundaries. Secondly, headers and footers (footers are not 100% implemented yet) can be up to 100 bytes/characters long. Third, there are a few built-in search patterns. Those are index.dat and registry files. Like most data carvers, it doesn't review the data it carves out to see if it is good data. That part is left to the forensics examiner.

Every byte on the drive is reviewed by Rapier. I realize that this can make it run long as


Oracle Forensics: Toad from Quest Software

Here are some notes for Oracle related forensics concerning Toad from Quest Software.


The CONNECTIONS.INI file stores connection information related to previously used connections. It contains the passwords, usernames, and servers the user connected to using Toad. During a forensics review, you will find bits and pieces of this file all over unallocated space and slack space depending on how much the user used Toad.

In my experience with Oracle developers, I have found this file being traded among them as it offers an easy way to pass connection information. Based on that you should be able to see how easy it is for one user to obtain credentials of another user and log in with them. All the user has to do is put the file in the proper spot, bring up Toad, and then click on the connection to log in. No password checks are made by Toad provided that previous connection listed in the

... Continue reading Oracle Forensics: Toad from Quest Software

pdymail: Yahoo! mail in memory

I thought GMail gave up quite a bit of information revealed through pdgmail. Little did I know how much was in Yahoo! mail!

pdymail is the sister script to pdgmail for gathering Yahoo! email artifacts from memory.

The good thing about web2.0 with it's AJAX, JSON, etc., interfaces is that most of it is text and even more is XML which is nicely discoverable in memory. Yahoo! mail classic interface artifacts are easily found on the hard disk in browser cache files. The new Yahoo! mail interface uses XML and while it doesn't leave much behind on the disk, it leaves tons in memory.

Like pdgmail, pdymail is a rather simple Python script tested mostly against a pddump of a process in memory. It also works against

Perl and Forensics: Keyword searches and Toad (Quest Software)

Here are some more examples of using Perl for keyword searches from the output of the string command (strings -td {blkls file}) of an image.

I had a text file (Toad Connections.ini file) that consisted of the same thing over and over again. Since the file type was ASCII text without any headers or footers, there was not an easy way to cut it out of unallocated space. Why not let Perl do the hard work.

A simplified version of the contents:


I did a quick search for LOGIN using grep. Grep came back with over 1000 hits, which is far too many to recover by hand. Using Perl, I can recover those lines I want. The resulting Perl script is below.



# Opens up the file to be read in

... Continue reading Perl and Forensics: Keyword searches and Toad (Quest Software)

NCS vs DRN - Taking Notes

Intro to Notes

If computer forensics is to be taken as a science, a key requirement is that results be repeatable. A key part of repetition is the quality of your notes.

Notes are an important aspect of an investigation. No matter how good of a memory you have, something is bound to slip through the cracks at some point. Take the size of some investigations, the length of time it may take before anyone takes action on your report, and the size of many case loads and a lack of notes can be a recipe for disaster. On the other hand, note taking style is a big matter of personal preference with no industry standard way of approaching the situation. I thought we might talk a bit about different options and problems that come from note taking, and hope that some others will chime in with how they approach the problem.


First question that comes up with note taking, is where do you want to do it? Low tech has some

... Continue reading NCS vs DRN - Taking Notes