Links, Tools and Stuff

PDF Stream Dumper
From over at RE Corner comes the PDF Stream Dumper tool; actually, this one has been out for some time now.  This tool was written in VB6, and comes with a number of automation scripts.  Swing on by Lenny's blog for some great examples of how to use it, or check out this KernelMode page for some other examples of the dumper being used.

If you're not too put off by CLI tools, you might consider using this in conjunction with Didier's PDF tools.  Didier's stuff is also in use by VirusTotal.  That's not to say that one's better to use than the other...it's good to have both available.

While we're on the subject of document metadata, it's a good idea to mention Kristinn Gudjonsson, creator of log2timeline, also created the read_open_xml.pl Perl script for extracting metadata from MS Word 2007 documents (use and output described at the SANS Forensic Blog).

TechRadar
There's an interesting article up on TechRadar about how to perform a forensic PC investigation, and it references using OSForensics, available from PassMark Software.  I have to say, I'm a bit concerned about articles like this, even when they suggest early in the article that performing the actions described in the article can be "a little morally dubious".

The beta of OSForensics was recently made available for a limited time, for free.  However, that offer was originally made as "LE only", but seems to have changed recently.

OSForensics
It looks like the folks at PassMark Software removed the LE-only restriction for downloading the OSForensics beta, so I downloaded the 32-bit version to my XP system this morning.

After installing OSForensics and looking around (noticed the nice icons and graphics), I created a new case, and then began looking for a way to load a test image into the tool.  I didn't have much luck, so I went immediately to the Help, which is provided online, in HTML format.  I went through the index and found the word "Image", and from there found this:

In many cases it may be desirable to work with data from a disk image rather than the physical disk itself. Whilst OSForensics does not deal with disk images directly itself Passmark provides a set of free external tools in order to support working with disk images.

So, it appears that OSForensics is not intended for dead-box/post-mortem analysis.  Some of the available tools, such as System Information and Memory Viewer, pertain to the system on which OSForensics is running.  PassMark does offer the OSMount program, which allows you to mount a raw/dd image as a drive letter, and from there you can use OSForensics in the intended fashion.  As such, I'd guess that there'd be no issues using any of the various other mounting techniques and tools, including accessing VSCs.

Of all of the functionality, the one that really jumps out is the hash set comparison tools.  PassMark provides a number of hash sets for known-good OS files at their download site; however, as with any similar functionality based on hash sets, I can easily see how this can become cumbersome very quickly.  You either scan for all of the hashes, or you run into issues with analysts deciding which hash sets to run, and (more importantly) documenting those that they do run.
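An added example (my own code, not OSForensics or PassMark's) of the workflow the paragraph describes: hash every file under a mounted image, compare each digest against named hash sets, and write the names of the sets that were applied into the report so that choice is documented alongside the results. The file tree and the "known-good" hash set are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha1_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def hash_triage(root, hash_sets):
    """Compare every file under root against hash_sets ({set name: set of lowercase
    SHA-1 hex digests}). The report records which sets were applied, so the
    analyst's choice of sets is documented with the results."""
    report = {
        "run_at": datetime.now(timezone.utc).isoformat(),
        "root": root,
        "hash_sets_applied": sorted(hash_sets),
        "known": {},    # relative path -> names of the sets that matched
        "unknown": [],  # relative paths matched by no set; these need a closer look
    }
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            digest = sha1_file(path)
            matched = [s for s, digests in hash_sets.items() if digest in digests]
            if matched:
                report["known"][rel] = matched
            else:
                report["unknown"].append(rel)
    report["unknown"].sort()
    return report

def demo():
    """Constructed sample: a temp tree of three files and one made-up known-good set."""
    root = tempfile.mkdtemp()
    samples = {"notepad.exe": b"known-good-a", "calc.exe": b"known-good-b",
               "tmp.dat": b"nobody has seen this before"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    known_good = {hashlib.sha1(samples[n]).hexdigest() for n in ("notepad.exe", "calc.exe")}
    return hash_triage(root, {"xp_sp3_known_good (constructed)": known_good})
```

On a real image, load each PassMark (or NSRL) set into its own named entry and keep the returned report with the case notes.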

OSForensics also provides string and file name search functionality, logging of activity, and the ability to install OSForensics to a USB drive.  I'm sure that this tool will be useful to examiners; for my own uses, however, it simply does not provide enough of the core functionality that I tend to use during my examinations. As a test, I mounted a test image as a read-only F:\ drive and opened OSForensics, and I have to say, moving through the interface wasn't the most intuitive, or easy to use.  However, I may be somewhat biased, given my experience and usual work processes.

No Alternative
Eric's got a rather insightful post over at the AFoD blog.  More and more folks are getting into the cell phone and smart phone market, and those little buggers are really very powerful when you take a look at them.  They also tend to contain more and more storage space.  Of course, we need to keep in mind that the tablet market is still there in that space between the smart phone and the laptop, as well.

I can see where Eric's going with the post, but I have to say from the private/corporate perspective, this isn't such a huge issue.  I would expect that if it ever does become an issue, it'll be an emergency (for legal/compliance purposes) and one-off, not something that gets done on a regular basis, with the cost of applications and training being amortized across multiple customers.  However, from a public perspective, I can definitely see how this is going to be more and more of an issue...after all, how "gangsta" can you really be lugging around a Dell Latitude laptop?

Reading/Education
There are some great new resources over at the e-Evidence site, including stuff about MacOSX artifacts, iPhone and smart devices, Windows artifacts, etc.  This site is always a great place to go and find lots of new and interesting stuff.

Network and Wireless
A question popped up on a list this morning regarding wireless assessments and tools.  The original question asked about an alternative to NetStumbler that supported a specific NIC, and the first response was ViStumbler.  ViStumbler is open-source and was originally written for Vista, but apparently runs on Windows 7, as well.

If you're doing any network forensics, you might also consider NetworkMiner as a viable resource, and something to add to your toolkit right alongside Wireshark.

Tool Sites
ForensicCtrl had a listing of free computer forensics tools available.
List of Windows open source tools
Check out the Collaborative RCE Tools library for a wide range of tools.