WFA 2/e Book Review
Peter Sheffield posted a review of WFA 2/e over on the SANS Forensic Blog. What can I say, besides, "Thanks, Peter!" I really appreciate it when folks let me know what they think of the book, or the tools, but I appreciate it even more when they do so publicly, like what Peter did. Such things really help the sales of the book. More importantly, it's beneficial for me to see that others in the community have found the work and effort put into the books to be useful or valuable.

Quote
I received the following quote from Chris Perkins, CISSP, ACE (Hujarl), Digital Forensic Investigator, along with his authorization to share it:

Some years ago while at a tech conference I ran across your first edition of the Windows Forensics Analysis book. On my return flight I read it cover to cover, and read the Registry Analysis chapter twice! I had an interest in the forensic space previous to this experience with my work as a security analyst, but your book spurred my interest even further and helped drive me towards my current career.

Fast forward to today and I am still referencing that great book frequently in my work as a Digital Forensic Investigator. It is well worn and dog-eared throughout.

In addition, your RegRipper tool is used constantly in my investigations, especially in Intellectual Property work. The beauty of the tool is its quick, clean text reports and flexibility for additional plug-ins based on specific needs. It can be verified directly with other tools and methods, which is very necessary process to validate the data.

Thanks so much for the great work!

Thanks, Chris, for your words, as well as for allowing me to share your comments publicly.

MS goes Open Source
Microsoft recently released a tool for viewing the content structure of PST files called the PST Data Structure View Tool, or pstviewtool. MS has also released the PST file format SDK. These releases follow MS's release of the .pst structure specification earlier this year, and make it easier for programmers to access the contents of PST files without having to have OutLook or Exchange installed.

Date Formats
Working on writing recently, I've been trying to figure out where a good place is to fit in a discussion or even just state, "here are date formats used by MS". The Old New Thing blog has a very good post on time stamp formats. One that isn't mentioned in the post is the 128-bit SYSTEMTIME format; this one is used in Scheduled Task .job files, as well as in several Registry keys that have to do with wireless access on Vista and above. Please don't think that that's a complete or comprehensive list of where the date format is used in Windows...it's only two places that I'm aware of, and there are likely others.

Metadata
I've recently seen and received a number of questions about Office 97-2003 metadata date formats, what the date values refer to (GMT vs. local system time), and where they're located in the binary format. Well, MS was nice enough to publish the formats, which you can use to verify findings from other tools. Click on the link in the "Date Formats" section above, and you'll see that the OLE date format is different from other formats, particularly the more recent Office (2007, 2010) formats.

User Account Analysis
The issue of user account analysis comes up time and again, and I thought that this would be worth repeating. I've seen the question of the "password not required" flag and what it means come up in various forums, most recently in the new RegRipper forums. I understand that this can be a bit tough to grasp, so I'd like to post it again.

With respect to the "password not required" flag in the output of the samparse.pl plugin, what I got from someone at MS is as follows:

That specifies that the password-length and complexity policy settings do not apply to this user. If you do not set a password then you should be able to enable the account and logon with just the user account. If you set a password for the account, then you will need to provide that password at logon. Setting this flag on an existing account with a password does not allow you to logon to the account without the password.

I hope that helps those of you doing analysis.

CyberSpeak
Ovie (sans Bret) has posted another CyberSpeak podcast...check it out!

TSK/Open Source Conference
Just a reminder about the TSK/Open Source Digital Forensics Conference coming up on 9 June! Check out the presentations!

SANS Forensic Summit
The SANS Forensic Summit is coming up, 8/9 July! Check it out!

According to the Chinese Zodiac, the Year of 2010 is the Year of the Tiger, which commences on February 14, 2010 and ends on February 2, 2011. The Tiger is the third sign in the Chinese Zodiac cycle, and it is a sign of bravery. This courageous and fiery fighter is admired by the ancient Chinese as the sign that keeps away the three main tragedies of a household. These are fire, thieves and ghosts. . .

Just as how their counterparts in the jungle are impulsive, so too are individuals born in the Chinese Year of the Tiger. When people think of tigers, it is their vigor and power that comes to mind first. But it has also been noted that tigers are known to share and are unselfish animals. The reason people admire the tiger is due to the fact that they are ferocious and domineering on the outside, but they are just as noble and distinguished on the inside. These are the same personality attributes that persons will have who are born in the Year of the Tiger.

People that are born in the Year of the Tiger are generally well liked because of their charismatic personalities. Often, failing at a given duty or being unproductive in his personal or professional life can cause a Tiger to experience a deep sense of depression.A Tiger is always at their happiest when they endeavor to climb the ladder of success. Attaining the top spot is his foremost purpose; being in a position of power is her ultimate goal. They are quick learners, need to be challenged and often prefer to work alone. Some Tigers tend to change careers more frequently because they get bored quite easily. They are natural born leaders and perform at their best if working towards positions of power and influence. So once there is no further room for progression, they will often move on to something else. [The rest at Year of the Tiger.]

From Chinese Fortune Calendar:

 2010 is Year of Tiger and it will arrive on February 4, 2010. Many people must be eager to know they have better luck in the coming year than 2009. Here, we want to use Chinese Astrology Five Elements (Metal, Water, Wood, Fire and Earth) theory to explain people fortune in 2010 and foresee what will be happening to them in year of Tiger.

According to Chinese Five Element Astrology Calendar, 2010 is the Year of Metal Tiger . Gold is related to Metal and money. People who like to talk about wealth will say that 2010 is a Golden Tiger year. In Five Elements (Metal, Water, Wood, Fire and Earth)  theory, the color representing metal is White. Therefore, we also can say that 2010 is the Year of White Tiger. The White Tiger is connected to the symbol of jinx in China history. Some Chinese might consider that 2010 White Tiger is a bad year.

Chinese Astrology is a Balance Theory of Five Elements. Each animal can be converted into Five Elements. Tiger contains Mainly Wood, Fire and little Earth. Wood and Fire together will make Fire stronger. Metal is afraid of Fire and Metal is also against Wood. That means Metal and Tiger together will fight each other, which implies 2010 won't come quietly and peacefully. We can image that 2010 is a Tiger wearing armor. This Tiger doesn't like armor on the top its body and keeps jumping around. For safety, we should keep our distance from it. That's why many Chinese don't like White Tiger.

Tiger has the potential to become vigorous, ferocious and cruel. So Tiger is a symbol of power and authority. This kind of personality is good for the leadership. With the inflexible and destructive personality, Tiger has very poor people relationship, especially, with family members. In traditional customary, Chinese family don't invite people born in year of Tiger to involve private wedding ceremony. [the rest at Chinese Fortune Calendar]

Last night at a talk, I took three video clips. The first one was fine (well, fine for a small digital camera in a room with a thin sound system.) The second clip had a strong buzz, like the camera had a motor, which blocked what I was trying to record. And the third clip was fine again. This has never happened before on this camera and I have no idea why this happened. I certainly didn't hear any difference in the room and I don't think I did anything different.

Then this morning I turned on the AM/FM receiver (yes I know I'm still in the dark ages) and got this:



I'm sure you're saying, "yeah, so what?" Well, the light in there has been off for at least six months or more. We've learned to find channels without seeing any sort of information. We were resigned to the slow deterioration of our sound source. We didn't know it was just on vacation. Again, we didn't move anything, didn't try anything new or different. It just turned on today after months of black.

YouTube from adelfred.
[Update: I've added some context to this in the next post. And if you follow the link to Blowin in the Wind, you can see Peter, Paul, and Mary 30 or 40 years earlier, singing one of the most important anthems of the civil rights movements.]

I figured you weren't likely to come back looking for it, and if you did, you weren't likely to find it. So I took it in hopes Google might help. Not really. Maybe I should try Yahoo. Anyway, I've got it. Go into my profile and email me.

Note to the reader, and to self: This topic is more than likely going to be spread out over several posts, as the information develops...

As I've been working on the second edition of Windows Forensic Analysis, as well as working my own engagements and assisting with others, I've been doing some serious thinking about timeline analysis. Well, to be honest, I'm not so much bringing this up myself as sort of adding to what Michael Cloppert posted on the SANS Forensics Blog. Michael wrote the ex-tip tool and a really great paper about it (basic concept, design, etc.), and I've been doing some thinking about this very same subject over the past couple of weeks/months, particularly after exchanging some emails with Michael and Brian Carrier. Apparently, others have been thinking about this subject, as well, including our friend HogFly (see his excellent Footprints in the Snow post).

A lot of my thinking along these lines started with Brian Carrier's TSK tools (also available for Windows) and the fls tool he wrote which created a body file from the file system in the image. I had thought about writing a tool or adding the capability to RegRipper to report data in a format that could be easily added or appended to a body file and then included in the parsing process used by mactime or ex-tip. Mike included this sort of capability as a plugin to ex-tip, but it simply retrieves the LastWrite times of all of the keys and doesn't provide the level of context or data reduction available through something like RegRipper (or rip.exe). Like Mike, I also started looking at other sources of data, including parsing Event Logs with evt2xls and incorporating that information directly into timeline analysis.

However, it occurs to me that a couple of modifications to the current processes for collecting and parsing the timeline data can lead to improvements in the overall process, including presentation and reporting of the collected data, taking it beyond mactime's text-based output.

For example, what defines an event in a timeline? At the least, if you're only looking at data from a single system, you need a point in time (say, normalized to the Unix epoch as a means of standardization) and a description of the event. If you move to incorporating additional sources (network traffic captures) as well as data from additional systems, you need to include source (i.e., Registry, Event Log, AV logs, etc.) and host (system NetBIOS or DNS name, IP address, MAC address, etc.) information, and possibly even user (username, email address, SID, etc.) information.

Taking this a step further, for the purposes of data reduction, you might want to define a span event, as opposed to a point in time...rather than listing a tremendous number of file access events due to an AV scan, why not simply define the AV scan as a span event, and remove the various points? Or, parsing the Event Logs, you can define a span as the time that a system was running or that a user was logged in.

So at this point, an event structure might look something like this:

Type - Point or span; can be represented as a binary (1 or 0) value

Time - MS systems use 64-bit FILETIME objects in many cases; however, for the purposes of normalization, 32-but Unix epoch times will work just fine

Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.) - (may require a key or legend)

Host - The host system, defined by IP or MAC address, NetBIOS or DNS name, etc. (may require a key or legend)

User - User, defined by user name, SID, email address, IM screenname, etc. (may require a key or legend)

Description - The description of what happened; this is where context comes in...

I think you can see how this opens things up a bit to allow for other sources of data. Not all of the fields in the structure need be present; again, a time and a description are enough to define an "event" for a timeline.

What about representation and reporting of the data? Text-based or even a spreadsheet might be nice for some data representation, but something graphical may be more appropriate when working with larger data sets. Presentation means such as Zeitline, EasyTimeline, and Simile Timeline (Jerome has some additional information on manually adding events to Simile) are available, each with their own strengths and weaknesses. However, I've found that for both analysis and presentation to an end user (i.e., customer, etc.) a graphical approach can be very useful.