Links and Stuff
After traveling last week, I thought I'd throw up some updates and interesting things I've run across...
JL's got a good blog post on sources of info, including podcasts, listservs, etc. I hadn't heard of the Exotic Liability podcast before, I'll have to check that one out...checking out the web page, it looks pretty cool, especially the post about controlling web cams. JL also provides her blogroll, etc...anyone have anything to add to any of the lists she's provided?
Matt's got some new goings-on over at F-Response with the release of the F-Response EMC version 3.09.1 (Don talks it up, as well), and has posted about F-Response working with something called the Revealer Toolkit. If anyone's seen or used this before, would you care to post a review?
Links for file system stuff:
Wikipedia Common Filesystem Features
MS TechNet NTFS Time Stamps
What else? Oh, yeah...put in a little work on merging the code from two separate Prefetch (XP and Vista) file parsing scripts into one unified script, updating the code that is currently on the DVD that ships with my book. The updates to the code are based, in part, on my desire to not have a ton of code just lying around, as well as information from this blog post. I haven't actually looked at the EnScripts that are available, as the code I'm working on is intended to work on a live system, Prefetch files extracted from an acquired image, and Prefetch files accessible via a mounted (SmartMount, ImDisk, etc.) image or via F-Response. The script parses items such as the volume information block from the .pf file, getting things such as the volume serial number. Here's an example of the output of the script run against a Prefetch file on my local system:
C:\Perl>pref.pl -f c:\Windows\prefetch\MRT.EXE-1B4A8D49.pf -i
c:\Windows\prefetch\MRT.EXE-1B4A8D49.pf Fri May 15 00:37:33 2009 (1)
Volume Path : \DEVICE\HARDDISKVOLUME1
Volume Creation Date: Mon Aug 7 16:05:41 2006 Z
Volume Serial Number: 8456-B799
Since the file is from my local system, I can verify the volume serial number:
C:\Perl>vol
Volume in drive C has no label.
Volume Serial Number is 8456-B799
Pretty sweet. Analysis of the Prefetch files can lead to some interesting information, particularly when using the entire capability of the script to output such things as the embedded file paths. Prefetch files are perhaps most often tied to the named application being run on the system, the last time that application was run, and how many times it has been run. Keep in mind, though...Prefetch files by themselves do not tie the launch of the application to a user.
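To make the layout behind that output concrete, here is an added example (my own code, not the script from the post or the book's DVD): a small Python parser for the uncompressed XP (version 17) and Vista/7 (version 23) Prefetch header and volume information block, run against a constructed .pf image whose values mirror the MRT.EXE output above. The offsets follow the publicly documented Prefetch format; the Windows 8 and compressed Windows 10 variants are assumed out of scope.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per format version: (last-run FILETIME offset, run-count offset, volume entry size)
LAYOUT = {17: (0x78, 0x90, 40),    # Windows XP / 2003
          23: (0x80, 0x98, 104)}   # Windows Vista / 7

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def parse_prefetch(data):
    """Return exe name, last run time, run count and volume info from a .pf image."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("not an uncompressed XP/Vista/7 Prefetch file")
    run_off, count_off, entry_size = LAYOUT[version]
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name
    vol_off, vol_count = struct.unpack_from("<II", data, 0x6C)   # volumes section
    last_run = struct.unpack_from("<Q", data, run_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    volumes = []
    for i in range(vol_count):
        base = vol_off + i * entry_size
        path_off, path_len, created, serial = struct.unpack_from("<IIQI", data, base)
        start = vol_off + path_off          # path offset is relative to the volumes section
        path = data[start:start + path_len * 2].decode("utf-16-le")
        volumes.append({"path": path, "created": filetime_to_dt(created),
                        "serial": "%04X-%04X" % (serial >> 16, serial & 0xFFFF)})
    return {"version": version, "exe": exe, "last_run": filetime_to_dt(last_run),
            "run_count": run_count, "volumes": volumes}

def build_sample():
    """Constructed version-17 (XP) .pf with one volume; values mirror the post, not a real file."""
    path = "\\DEVICE\\HARDDISKVOLUME1".encode("utf-16-le")
    vol = bytearray(40) + path              # one 40-byte entry, then the device path
    struct.pack_into("<IIQI", vol, 0, 40, len(path) // 2,
                     dt_to_filetime(datetime(2006, 8, 7, 16, 5, 41, tzinfo=timezone.utc)), 0x8456B799)
    buf = bytearray(0x98)                   # 84-byte header + 68-byte v17 file-information block
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    buf[16:30] = "MRT.EXE".encode("utf-16-le")
    struct.pack_into("<III", buf, 0x6C, len(buf), 1, len(vol))   # volumes offset, count, size
    struct.pack_into("<Q", buf, 0x78, dt_to_filetime(datetime(2009, 5, 15, 0, 37, 33, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 0x90, 1)    # run count
    return bytes(buf + vol)
```

Pointing parse_prefetch() at a real XP or Vista .pf read in binary mode yields the same fields the post's script prints; as the post notes, nothing in the file identifies which user launched the program.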
Speaking of Windows Forensic Analysis 2/e, one of the marketing folks at my publisher has said that copies of the book will be drop-shipped from the printer to TechnoSecurity in Myrtle Beach, SC. Unfortunately, I just found that out, and there's no way for me to get to the conference...but I'm hoping that we'll have copies of the book available at the SANS Forensic Summit in July.
Other Resources
ForensicWiki page on Visualization Software