Here are some nice file recovery tools that you can use for free.
Tool comparison by Sarah James:
http://www.7tutorials.com/file-recovery-tools-recuva-restoration-softperfect-pc-inspector-diskdigger
The winner is:
Recuva: http://www.piriform.com/recuva/download
&
Restoration: http://restoration.softpedia.com
Enjoy it! ;)
Wednesday, December 7, 2011
Tuesday, November 29, 2011
Domain Logon Event Log
If you are working in a global company environment with multiple Domain Controller (authentication) servers in locations around the world, please make sure that every DC's time zone setting is set correctly for its location. In the digital forensics world, "Date & Time" is very critical and important!
Besides that, if you have a Central Log Management Server, please make sure it can translate the captured time zone to GMT once the log arrives at the server. This will make your life easy. Otherwise you will need to translate the time manually when you want to trace when the incident actually happened.
The Domain Logon Event Log is the best place to trace where the subject has gone, and it is your starting point for a forensic case investigation.
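As an added example (not part of the post), here is a small Python script that does the GMT translation the post asks of a central log server: it parses constructed logon lines stamped in each DC's local time, converts them to UTC from a DC-to-offset inventory, and shows that sorting on the raw local timestamps puts the user's logons in the wrong order. The DC names, offsets, line format and event IDs 4624/4634 (Vista/2008 and later logon/logoff) are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed DC inventory: the UTC offset each domain controller stamps its
# exported events with. Fixed offsets keep the example runnable without tzdata;
# a real inventory should use zoneinfo.ZoneInfo so DST is handled per site.
DC_UTC_OFFSETS = {
    "DC-KUL": timezone(timedelta(hours=8)),   # Kuala Lumpur, UTC+8
    "DC-LON": timezone(timedelta(hours=0)),   # London, UTC+0 in winter
    "DC-NYC": timezone(timedelta(hours=-5)),  # New York, UTC-5 in winter
}

# Constructed central-log lines (not real logs):
# <local DC time> <DC> <event id> <account> <source workstation>
# 4624 = successful logon, 4634 = logoff (Vista/2008 and later IDs).
SAMPLE_LOG = """\
2011-11-29 03:10:00 DC-NYC 4624 jdoe WS-NYC-03
2011-11-29 09:30:00 DC-LON 4624 jdoe WS-LON-07
2011-11-29 16:05:00 DC-KUL 4624 jdoe WS-KUL-01
2011-11-29 16:07:00 DC-KUL 4634 jdoe WS-KUL-01
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dc>\S+) "
    r"(?P<eid>\d+) (?P<user>\S+) (?P<ws>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict with an aware UTC timestamp.
    Returns None for malformed lines and for DCs missing from the inventory:
    with no known time zone the timestamp cannot be trusted, so refuse to guess."""
    m = LINE_RE.match(line.strip())
    if not m or m["dc"] not in DC_UTC_OFFSETS:
        return None
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=DC_UTC_OFFSETS[m["dc"]])
    return {
        "utc": local.astimezone(timezone.utc),
        "local": local,
        "dc": m["dc"],
        "event_id": int(m["eid"]),
        "user": m["user"],
        "workstation": m["ws"],
    }


def logon_timeline(log_text, user, order="utc"):
    """Return the user's successful logons as (UTC time, DC, workstation).
    order="utc" gives the true sequence; order="local" sorts on the raw local
    clock values, which is what a naive sort of the exported text would do."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    logons = [e for e in events if e["user"] == user and e["event_id"] == 4624]
    if order == "local":
        logons.sort(key=lambda e: e["local"].replace(tzinfo=None))
    else:
        logons.sort(key=lambda e: e["utc"])
    return [(e["utc"].strftime("%Y-%m-%d %H:%M:%SZ"), e["dc"], e["workstation"])
            for e in logons]


if __name__ == "__main__":
    print("order by raw local time:", [w for _, _, w in logon_timeline(SAMPLE_LOG, "jdoe", "local")])
    print("order by UTC:           ", [w for _, _, w in logon_timeline(SAMPLE_LOG, "jdoe")])
```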
Monday, November 14, 2011
Unified Extensible Firmware Interface - UEFI
According to the article below, "UEFI" will be replacing the BIOS by 2012/13. We will just wait and see.
Q: What is UEFI?
A: UEFI (Unified Extensible Firmware Interface) will be a specification detailing an interface that helps hand off control of the system for the pre-boot environment (i.e.: after the system is powered on, but before the operating system starts) to an operating system, such as Windows* or Linux*. UEFI will provide a clean interface between operating systems and platform firmware at boot time, and will support an architecture-independent mechanism for initializing add-in cards.
URL: http://www.uefi.org/about/
This will surely have an impact on digital forensics work in some way: more places for data storage, and for malware/viruses to hide. ;)
Goodbye BIOS, hello UEFI
"UEFI is a mini-operating system that sits on top of a computer's hardware and firmware. Instead of being stored in firmware, as is the BIOS, the UEFI code is stored in the /EFI/ directory in non-volatile memory. Thus, UEFI can be in NAND flash memory on the motherboard or it can reside on a hard drive, or even on a network share."
UEFI System control from Asus
Details: http://www.itworld.com/hardware/222791/goodbye-bios-hello-uefi?page=0,1
Thursday, November 10, 2011
Investigate and Verify an SSL or code signing certificate
These days you can hear a lot of news regarding certificate compromise issues, as in the links below:
Malware Signed With a Governmental Signing Key
URL: http://www.f-secure.com/weblog/archives/00002269.html
Experts weigh in on Comodo SSL certificate fraud
URL: http://www.scmagazineus.com/experts-weigh-in-on-comodo-ssl-certificate-fraud/article/199109/
DigiNotar said attack is to blame for certificate compromise
URL: http://www.scmagazineus.com/diginotar-said-attack-is-to-blame-for-certificate-compromise/article/210891/
If you need to investigate or validate who the owner of a specific SSL certificate is, you can get the information from the link below. It is an online search database for SSL or code signing certificates provided by VeriSign Authentication Services. This is only one provider; you can also Google around for more. ;)
URL: https://securitycenter.verisign.com/celp/enroll/outsideSearch?application_locale=VRSN_US&originator=VeriSign:CELP
Monday, November 7, 2011
Recovering and identifying the owner of the NTUSER.DAT from a reformatted Windows OS hard disk
Challenges:
The suspect managed to reformat the desktop machine before the raid.
Objective:
To recover and identify the owner of the "NTUSER.DAT" registry file from a reformatted Windows OS hard disk.
Research:
Found one good mini-whitepaper by Andrew Case regarding "Recovering and Analyzing Deleted Registry Files" at http://dfsforensics.blogspot.com/2011/09/recovering-and-analyzing-deleted.html. I can use some of the steps to speed up my process.
I used EnCase to do the data recovery. Once the recovery process completed, I filtered the files and extracted the "NTUSER.DAT" files using the "copy folder" feature. Now I have about 10 "NTUSER.DAT" files in their original folder structure ready to inspect. So, which ones are valid registry files?
Based on the mini-whitepaper, I can use "reglookup.exe" to validate the good registry files. The author used a one-liner bash script, but I am on the Windows platform now. OK, here comes some creative thinking to polish up my MS-DOS batch scripting. I have created 2 batch files: "Generate_File_Listing.bat" to list the NTUSER.DAT file paths and "Find_Valid_Registry_Hive.bat" to validate the registry files, as below.
File Name: Generate_File_Listing.bat
@Echo Off
REM Writes a numbered list of every recovered *.DAT file path, so that result-N.txt
REM produced by Find_Valid_Registry_Hive.bat can be matched back to its source file.
SetLocal EnableDelayedExpansion
Set N=0
REM Paths are stored without quotes and quoted at the point of use; quotes inside
REM the variable would otherwise land in the middle of the generated file names.
Set ReglookupOutputFolder=D:\CaseID\Registry_Analysis\reglookup-output
Set EvidenceFolder=D:\CaseID\Registry_Analysis\Evidence
If Not Exist "%ReglookupOutputFolder%" MkDir "%ReglookupOutputFolder%"
For /R "%EvidenceFolder%" %%a in (*.DAT) DO (
    Set /a N+=1
    echo !N!-%%a >> "%ReglookupOutputFolder%\List_of_NTUSER.DAT.txt"
)
File Name: Find_Valid_Registry_Hive.bat
@Echo Off
REM Runs reglookup over every recovered *.DAT file. A valid hive produces output;
REM an invalid one produces an empty (0 KB) result-N.txt, where N matches the
REM line number in List_of_NTUSER.DAT.txt.
SetLocal EnableDelayedExpansion
Set N=0
REM Paths are stored without quotes and quoted at the point of use.
Set ReglookupExe=C:\Tools\reglookup-win32-1.0.1\reglookup.exe
Set ReglookupOutputFolder=D:\CaseID\Registry_Analysis\reglookup-output
Set EvidenceFolder=D:\CaseID\Registry_Analysis\Evidence
If Not Exist "%ReglookupOutputFolder%" MkDir "%ReglookupOutputFolder%"
For /R "%EvidenceFolder%" %%a in (*.DAT) DO (
    Set /a N+=1
    "%ReglookupExe%" "%%a" > "%ReglookupOutputFolder%\result-!N!.txt"
)
Here is the result:
So now I know that I have only 2 valid "NTUSER.DAT" registry files to check. The rest of the files are not valid, since their result file is 0 KB. Next I need to check who the owner of each "NTUSER.DAT" file is. Here I used another tool called "Windows Registry Recovery" from http://www.mitec.cz/wrr.html to get the user owner information. You can also read it from the raw "NTUSER.DAT" file if you know where the information is located.
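As an added example (not from the post, and not reglookup's or WRR's code), here is a small Python check that does what the 0 KB result is telling you: it validates the regf base block (signature and header checksum) of each recovered NTUSER.DAT, and reads the original file path that Windows records in the header at offset 48, which is one raw location for the owner hint. The fixture hive, its path and the user name "bob" are constructed for the example.

```python
import struct

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 512


def regf_header_checksum(header):
    """Checksum of a regf base block: XOR of the first 127 DWORDs (bytes 0..507).
    Windows stores 1 when the XOR is 0 and 0xFFFFFFFE when it is 0xFFFFFFFF."""
    x = 0
    for word in struct.unpack("<127I", header[:508]):
        x ^= word
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def inspect_hive(data):
    """Return header facts for a candidate hive, or None when it is not a valid
    regf file (too short, wrong signature, or checksum mismatch): the same
    files reglookup produces an empty result for."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != REGF_SIGNATURE:
        return None
    hdr = data[:BASE_BLOCK_SIZE]
    if struct.unpack_from("<I", hdr, 508)[0] != regf_header_checksum(hdr):
        return None
    primary_seq, secondary_seq = struct.unpack_from("<II", hdr, 4)
    major, minor = struct.unpack_from("<II", hdr, 20)
    # Offset 48: 64-byte UTF-16LE field with the hive's original file path
    # (Windows may keep only the tail of a long path, so it can be truncated).
    raw_name = struct.unpack_from("64s", hdr, 48)[0]
    path = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": f"{major}.{minor}",
        "dirty": primary_seq != secondary_seq,  # not cleanly flushed; check the .LOG files
        "embedded_path": path,
    }


def owner_hint(embedded_path):
    """Profile name from the recorded path, e.g. '\\??\\C:\\Users\\bob\\ntuser.dat'
    gives 'bob'; None for paths that are not an NTUSER.DAT. Confirm it against
    the profile list in the SOFTWARE hive or a tool such as WRR, since the
    recorded path may be truncated."""
    parts = [p for p in embedded_path.replace("/", "\\").split("\\") if p]
    if len(parts) >= 2 and parts[-1].lower() == "ntuser.dat":
        return parts[-2]
    return None


def build_sample_hive(path, major=1, minor=3, seq=5):
    """Constructed 512-byte base block with a valid checksum (a test fixture,
    not a real hive: it has no hive bins, so only header checks apply)."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", hdr, 4, seq, seq)
    struct.pack_into("<II", hdr, 20, major, minor)
    encoded = path.encode("utf-16-le")[:64]
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 508, regf_header_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_sample_hive("\\??\\C:\\Users\\bob\\ntuser.dat")
    info = inspect_hive(sample)
    print(info, "owner:", owner_hint(info["embedded_path"]))
    print("zero-filled file valid?", inspect_hive(b"\x00" * 4096) is not None)
```

Run it over each recovered file's bytes: the ones that come back None are the carved fragments the batch script flags with an empty result, and the rest carry the path to inspect.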
Wednesday, November 2, 2011
Unlock the process that is holding a folder or file
Today I got an annoying error message from the Windows OS when I wanted to delete a folder. The folder name is "." and it kept giving me this error message: "Cannot delete file: Cannot read from the source file or disk".
I tried using the command prompt to delete it, changing permissions, taking ownership of the folder, and many more things. However, it still gave me the same error message.
Why can't I delete this folder? I want to know whether any process is holding this folder. My objective is simple: find the process that is holding the folder. Maybe "Process Explorer" from Windows Sysinternals can help, and after doing some research I found a nice free tool called "Unlocker" from "Empty Loop": http://www.emptyloop.com/unlocker
Once you have installed the application, just go to the folder/file that you want to check, right click it and select "Unlocker" to display any process that is holding the folder/file. Then you can unlock/kill the process that is holding it.
After that I tried again to delete the folder. Walaaaaaa..it works! I managed to delete the folder as normal again. ;)
-Other annoying error messages given by the Windows OS when you want to delete a folder/file:
Cannot delete file: Access is denied
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.
Labels:
Cannot delete file,
Cannot delete folder,
Unlocker,
Windows OS
Friday, October 28, 2011
Scripting and Programming for Forensics Examiners
It will be a good skill set if you can learn some scripting and programming languages to speed up your digital forensics work/investigations.
I know there are tools available out there to help you. However, you need to go deep, under the hood, to understand what is going on.
You can start with Python if you like :)
http://www.python.org
A pure Python interface to parsing and reading Windows Registry files:
http://www.williballenthin.com/registry
python-registry was originally written by Willi Ballenthin
or VBscript:
http://msdn.microsoft.com/en-us/library/t0aew7h6%28v=VS.85%29.aspx
Investigating and validating email address sources
The links below will teach you:
How to trace an email address source from the most popular email service providers and applications:
http://www.onimoto.com/cache/50.html
http://www.visualware.com/resources/tutorials/email.html
http://www.howtogeek.com/108205/htg-explains-what-can-you-find-in-an-email-header/
Validating the email address source:
http://centralops.net/co/EmailDossier.aspx
Free Online Tracking E-Mail Header:
http://www.ip-address.org/tracker/trace-email.php
http://www.traceemail.com/trace-email-header.html
Tuesday, October 25, 2011
PST File Processing
Remember that before you process PST files, please make sure none of the PST files are password protected. Otherwise you will miss important data.
One nice free tool to recover the password:
http://www.nirsoft.net/utils/pst_password.html
How is the password saved in the PST file?
http://www.nirsoft.net/articles/pst_password_bug.html
Detecting a Password Protected PST:
http://blogs.msdn.com/b/stephen_griffin/archive/2009/02/17/detecting-a-password-protected-pst.aspx
Outlook Personal Folders (.pst) File Format:
http://msdn.microsoft.com/en-us/library/ff385210%28v=office.12%29.aspx
"4.2 Strength of PST Password
The PST Password, which is stored as a property value in the Message store, is a superficial mechanism that requires the client implementation to enforce the stored password. Because the password itself is not used as a key to the encoding and decoding cipher algorithms, it does not provide any security benefit to preventing the PST data to be read by unauthorized parties.
Moreover, the password is stored as a CRC-32 hash of the original password string, which is prone to collisions and is relatively weak against a brute-force approach."
Wednesday, October 19, 2011
Tracing MAC Address Manufacturer
You only need to enter the first six hexadecimal digits of any MAC address to get the manufacturer. Most of the common formats are supported: 00e0cf, 00:e0:cf, 00e0.cfe2.acd1, 00-e0-cf or 00 E0 CF would all be interpreted as 00e0cf.
http://curreedy.com/stu/nic/
http://www.coffer.com/mac_find/
https://db.uga.edu/network/public/vendorcode.cgi
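As an added example (not code from the post or from any of the lookup sites), here is a Python normaliser for the MAC spellings listed above, reducing each to the six-digit OUI before a table lookup. It also checks the two flag bits of the first octet, because a locally administered (randomised or manually set) address will never match a manufacturer; the OUI table entries are constructed, not real vendor assignments.

```python
import re

# Constructed OUI table for the example; a real lookup would use the IEEE registry.
OUI_TABLE = {
    "00E0CF": "Example Vendor A (constructed)",
    "001122": "Example Vendor B (constructed)",
}

# Accept pairs of hex digits: an OUI (3 pairs) up to a full MAC (6 pairs).
HEX_PAIRS = re.compile(r"(?:[0-9A-Fa-f]{2}){3,6}")


def normalize_oui(text):
    """Reduce 00e0cf, 00:e0:cf, 00-e0-cf, 00 E0 CF, 00e0.cfe2.acd1 or a full MAC
    to the upper-case six-digit OUI. Returns None for anything that does not
    reduce to 3..6 whole hex pairs (too short, odd length, non-hex characters)."""
    digits = re.sub(r"[\s:\-.]", "", text.strip())
    if not HEX_PAIRS.fullmatch(digits):
        return None
    return digits[:6].upper()


def address_flags(oui):
    """Flag bits of the first octet: 0x01 = multicast/group address,
    0x02 = locally administered (no manufacturer behind it)."""
    first = int(oui[:2], 16)
    return {"multicast": bool(first & 0x01),
            "locally_administered": bool(first & 0x02)}


def lookup_manufacturer(text, table=OUI_TABLE):
    """Normalise the input and resolve it; 'note' explains a missing vendor."""
    oui = normalize_oui(text)
    if oui is None:
        return {"oui": None, "manufacturer": None, "note": "not a MAC address or OUI"}
    flags = address_flags(oui)
    if flags["locally_administered"]:
        return {"oui": oui, "manufacturer": None,
                "note": "locally administered address: no manufacturer to look up"}
    return {"oui": oui, "manufacturer": table.get(oui),
            "note": "multicast address" if flags["multicast"] else "ok"}


if __name__ == "__main__":
    for sample in ["00e0cf", "00:e0:cf", "00e0.cfe2.acd1", "00-e0-cf", "00 E0 CF",
                   "02:00:5e:00:00:01", "zz:e0:cf"]:
        print(f"{sample:18} -> {lookup_manufacturer(sample)}")
```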
Monday, October 17, 2011
Windows Event Logs Location
Where to find the event logs:
Windows OS version: NT/ Win2000/ XP/ Server 2003
Filetype: *.evt
Folder: %SystemRoot%\System32\config
Filename: SecEvent.evt, AppEvent.evt, SysEvent.evt
Windows OS version: Vista/ Win7 / Win8 / 2008/ 2012/ Win10/ 2016
Filetype: *.evtx
Folder: %SystemRoot%\System32\winevt\logs\
Filename: Security.evtx, Application.evtx, System.evtx
Windows 7 Computer Forensics
Here are some nice links to learn about Windows 7 forensics. Enjoy :)!
http://computer-forensics.sans.org/blog/2009/10/27/windows-7-computer-forensics
http://computer-forensics.sans.org/blog/2011/07/05/shellbags
http://computer-forensics.sans.org/blog/2009/09/09/computer-forensic-guide-to-profiling-usb-thumbdrives-on-win7-vista-and-xp
Thursday, October 13, 2011
Investigate domains and IP addresses
Get registrant information, DNS records, Whois and more:
http://www.domaintools.com/
http://centralops.net/co/
http://www.geobytes.com/IpLocator.htm
Blue Screen Of Death (BSOD) Viewer
Here is one good, free tool to view your BSOD crash dump file when needed.
http://www.nirsoft.net/utils/blue_screen_view.html
Monday, October 10, 2011
Friday, October 7, 2011
The Definition:
You can quickly get the definitions from Wikipedia, the free encyclopedia :).
Digital Forensics:
"Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data."
URL: http://en.wikipedia.org/wiki/Digital_forensics
Computer Forensics:
"Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information."
URL: http://en.wikipedia.org/wiki/Computer_forensics
Digital Forensic Science:
"The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."
URL: http://www.dfrws.org/2001/dfrws-rm-final.pdf
Computer Forensics:
"Computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law."
URL: http://www.us-cert.gov/reading_room/forensics.pdf
Note: You can get more definition references from the Google search results. Try it!
Based on my experience, the terms below are very important in the definition of Digital Forensics or Computer Forensics:
- Identification
- Preservation
- Validation
- Recovery
- Analysis
- Presentation
Labels:
definition
Hello World!
This blog will focus on digital forensics. I hope that I will keep on updating this blog. All the best to me :). You can do it!