int for(ensic){blog;} tag:computer.forensikblog.de,2010:/en//5 2010-03-11T15:00:34Z Notes on computer forensics - international edition. Movable Type 3.2 A non-empty NullType tag:computer.forensikblog.de,2010:/en//5.649 2010-03-11T15:00:00Z 2010-03-11T15:00:34Z The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders, that are filled in from the associated slots of the record's substitution array. Whenever the slot... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders, that are filled in from the associated slots of the record's substitution array. Whenever the slot contains a NullType "value", the system suppresses the placeholder and its containing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.

]]> The image below shows a part of a typical substitution array. The data has been interpreted by means of my template for the 010 Editor.

Common substitution array with an empty slot.

In this example slot #12 holds 12 bytes of data. According to the type identifier this data needs to be interpreted as a security identifier (SID). The following slot, no. 13, is to be interpreted as NullType. Also, it does not contain any data.

This exactly is what I've seen in countless records. Then Roberto De Vivo provided me with an event log that made my parser crash. Several substitution arrays in his file look similar to slot #4 in the following image.

This NullType slot holds data.

The length clearly is different from zero and the slot contains data. I found more non-empty NullType objects in the same file, some of them contain up to 16 bytes of data.

At first first I supposed that my understanding of the data type was wrong. So I let the Microsoft Event Viewer transform the records in question, but I couldn't find the "unsuspected" data anywhere in its XML output.

Further research is needed to determine what causes this "unexpected" data and whether it is of any forensic value.

]]> Tutorial on File System Analysis tag:computer.forensikblog.de,2010:/en//5.653 2010-03-01T15:00:00Z 2010-03-01T15:00:34Z I'm excited to announce that my proposed tutorial on file system analysis was accepted for the 22nd Annual FIRST Conference. I'm going to explain how to proceed when the usual tools like EnCase, FTK, and X-Ways Forensics are unable to... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> I'm excited to announce that my proposed tutorial on file system analysis was accepted for the 22nd Annual FIRST Conference. I'm going to explain how to proceed when the usual tools like EnCase, FTK, and X-Ways Forensics are unable to parse a file system.

]]> The whole course is themed around a multi-function device that could be found in an arbitrary office environment. The disk image will be made available to attendees.

Among the topics of the tutorial are:

  • know different partitioning schemes
  • locate partitions
  • core functionality of a file system
  • learn how to subdivide a partition into functional units
  • locate directories
  • interpret directory entries
  • reconstruct a file

I will demonstrate how you can improvise your own disk analysis tools using Python, SQlite and Gnuplot. And, of course, I will utilize 010 Editor to explore the various structures of the file system.

The tutorial will be held the last day of the FIRST Conference, which runs from Sunday June 13 to Friday June 18, 2010. More information is available from the official conference website. Registration is already open and early registration rates are available until March 31, 2010. See you in Miami!

FIRST 2010 Speaker

]]> Evtx Parser Version 1.0.3 tag:computer.forensikblog.de,2010:/en//5.650 2010-02-25T15:00:00Z 2010-02-25T15:00:34Z Version 1.0.3 of the Microsoft Vista and Windows 2008 Event Log parser is now available for download. As usual, it fixes some bugs and introduces new features.... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> Version 1.0.3 of the Microsoft Vista and Windows 2008 Event Log parser is now available for download. As usual, it fixes some bugs and introduces new features.

]]> As mentioned before, the integrity of file and chunk headers is protected by means of CRC32 check sums. The parser library now evaluates these check sums and the evtxinfo.pl sample program displays the results.

Hex digits are now shown in upper case to resemble the format of Microsoft's Event Viewer applet. This version fixes an error in the formatting of GUIDs.

Unfortunately I was not able to acquire test data for variant type 0x12. Therefore I decided to remove the handler module, Type0x12.pm.

The newly added file evtxsort.xsl provides a XML transformation to sort and normalize event log records.

]]> Test of Media Preparation Tools tag:computer.forensikblog.de,2010:/en//5.644 2010-02-23T15:00:00Z 2010-02-23T15:04:35Z NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.

]]> NIST has tested wiping devices and a popular boot CD.

WiebeTech Drive eRazer DRZR-2-VBND and Drive eRazer PRO are both able to wipe visible sectors. However, under some conditions the devices fail to clean sectors that are in a Host Protected Area (HPA) or Device Configuration Overlay (DCO). Please see the test report for a detailed description of the results. (PDF)

Voom HardCopy II does not support the ATA SECURE WRITE command. Therefore it has to overwrite sectors using the common ATA WRITE command. The tool succeeded in cleaning the test media. (PDF)

The popular boot CD Darik's Boot and Nuke 1.0.7 does not support ATA SECURE WRITE, too. According to the report, the vendor documents that the tool is unable to wipe secors in a DCO or HPA. Therefore these functions were not tested. (PDF)

]]> 010 Editor Version 3.1.0 tag:computer.forensikblog.de,2010:/en//5.647 2010-02-22T15:00:00Z 2010-02-22T15:00:34Z 010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> 010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.

]]> I want to mention two of the new features, because they were on top of my wish list for a while.

The editor now natively supports UNICODE strings (wstring and wchar). Ugly workarounds are no longer needed, but I haven't updated my (public) templates.

The preprocessor now supports many directives like #define, #ifdef, and #else that are known from the C programming language. Please note that arguments to #include are now required to be enclosed in either angle brackets or double quotes.

The update to version 3.1 is now available for download from Sweetscape.

]]> How to Sort Event Records tag:computer.forensikblog.de,2010:/en//5.642 2010-02-08T15:00:00Z 2010-02-08T15:00:33Z In the course of time I found different tools to order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from its beginning to... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> In the course of time I found different tools to order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from its beginning to its end and emits event records as they appear in the file. In most cases this will be in the opposite direction, from the lowest to the highest EventRecordID. But to make things worse, logs can be configured to wrap around, so the record with the lowest number may be found somewhere in the middle. A tool to sort event records in XML format by their EventRecordID would come in handy!

]]> Fortunately the log file already exists in XML format. It should be easy to come up with an XML transformation to sort its records. An article by Bob DuCharme provides a great introduction and lots of sample code. In particular example xq437.xsl on page 3 looked promising to me. Now I only had to adjust a couple of element names and the namespace. Here's the final XSLT script:


<?xml version="1.0" encoding="UTF-8" ?>

<xsl:stylesheet version="1.0" 
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
  xmlns:evtx="http://schemas.microsoft.com/win/2004/08/events/event">
  
  <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
  <xsl:strip-space elements="*" />
  
  <xsl:template match="Events">
    <xsl:copy>
      <xsl:apply-templates select="evtx:Event">
        <xsl:sort select="evtx:System/evtx:EventRecordID" 
          data-type="number" 
          order="ascending"/>
        </xsl:apply-templates>
      </xsl:copy>
  </xsl:template>
  
  <xsl:template match="*">
    <xsl:copy>
      <xsl:apply-templates/>
    </xsl:copy>
  </xsl:template>
</xsl:stylesheet>

You should be able to run it in any XSLT processor, like Sablotron, Xalan, or SAXON. I already had libxslt installed, so I used their xsltproc command line tool:
xsltproc evtxsort.xsl mylog.xml > mylog.sorted.xml
Now, event records are formatted nicely and appear in ascending order.

You can customize this script to your needs, e.g. sorting records in descending order, or sorting by EventID, or writing a summary report, or ...

]]> Evtx Parser Version 1.0.2 tag:computer.forensikblog.de,2010:/en//5.641 2010-02-04T15:00:00Z 2010-02-25T19:10:38Z Version 1.0.2 of the perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> Version 1.0.2 of the perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.

]]> A couple of changes fix errors in the generated XML. Kristinn Gudjonsson pointed out that XML special characters were not quoted and provided me with a patch. Many thanks! While I was at it, I also removed excess terminators (null bytes) from strings. My sample files now pass the tests by XMLlint.

NullType objects in the context of a SubstitutionArray may now contain data. Don't worry if that doesn't make any sense to you. I'm going to describe my observations in a separate article. Thanks to Roberto De Vivo for the bug report and for providing me with a fascinating sample file!

There are also some minor changes to the parser's architecture. In the Chunk object, the stack of element names was replaced by a stack of pointers to the corresponding start elements. Closing elements (Node0x03 and Node0x04) now propagate their type back into the start element (Node0x01). This allows for the start element to produce the whole string. This facilitates using the Evtx Parser as a library from other tools.

Download the new version here.

Added 02/25/2010: Please see also the announcement of version 1.0.3.

]]> SANS Forensic Summit in London tag:computer.forensikblog.de,2010:/en//5.640 2010-02-01T15:00:00Z 2010-02-01T15:00:52Z On April 19 and 20, 2010 SANS will held their European Community Digital Forensics and Incident Response Summit in London, UK. Check out the agenda, there will be lots of interesting keynotes and briefings. I'm excited to announce that I... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> On April 19 and 20, 2010 SANS will held their European Community Digital Forensics and Incident Response Summit in London, UK. Check out the agenda, there will be lots of interesting keynotes and briefings. I'm excited to announce that I will present on the native format of Windows Event Logs on the second day.

]]> Evtx Parser Version 1.0.1 tag:computer.forensikblog.de,2009:/en//5.638 2009-12-22T15:00:00Z 2010-02-04T17:11:11Z Two years ago I released the first version of a parser for the binary, XMl-based event log file format of Windows Vista. During the last weeks I finally received some bug reports and feature requests. I'm excited to release an... Andreas Schuster By Andreas Schuster
Copyright © 2010 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> Two years ago I released the first version of a parser for the binary, XMl-based event log file format of Windows Vista. During the last weeks I finally received some bug reports and feature requests. I'm excited to release an improved version just in time for Christmas.

]]> The most important changes are:

  • I removed a to restrictive constraint from the Node0x0d.pm module. The parser now responds more flexible to unknown data types. I wish to thank Rob Hulley and Adrian Forschner for their bug reports, sample data and continued testing.
  • The Evtx.pm modules now keeps track of the currently processed chunk. The get_current_chunk() method provides a pointer to the current chunk object.
  • The Evtx.pm and Chunk.pm modules now parse more values from the file and chunk headers. Thanks again to Rob Hulley for his patch.
  • A new sample program, evtxinfo.pl, displays these properties. In addition it lists the first and last event record number for each chunk. There are two sets of numbers: one refers to the examined file, while the other refers to the log channel.
$ ./evtxinfo.pl sample4.evtx 
Information from file header:
Format version  : 3.1
Flags           : 0x00000000
         File is: CLEAN
     Log is full: NO
Current chunk   : 2 of 16
Next Record#    : 5276

Information from chunks:
Chunk file (first/last)     log (first/last)     
----- --------------------- ---------------------
    1       4681       4976       4902       5197
    2       4977       5054       5198       5275
    3        593        888        814       1109
    4        889       1135       1110       1356
    5       1136       1431       1357       1652
    6       1432       1727       1653       1948
    7       1728       2023       1949       2244
    8       2024       2312       2245       2533
    9       2313       2608       2534       2829
   10       2609       2904       2830       3125
   11       2905       3200       3126       3421
   12       3201       3496       3422       3717
   13       3497       3792       3718       4013
   14       3793       4088       4014       4309
   15       4089       4384       4310       4605
   16       4385       4680       4606       4901

02/04/2010: Please see also the release notes on version 1.0.2.

]]> IWCF 2010 tag:computer.forensikblog.de,2009:/en//5.634 2009-11-04T15:00:00Z 2009-11-04T15:00:05Z The 4th International Workshop on Computational Forensics (IWCF) will held in Tokyo on November 11 and 12, 2010. The workshop does not just focus on computer forensics, but computational forensics, which according to the organizers is "the hypothesis-driven investigation of... Andreas Schuster By Andreas Schuster
Copyright © 2009 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> The 4th International Workshop on Computational Forensics (IWCF) will held in Tokyo on November 11 and 12, 2010. The workshop does not just focus on computer forensics, but computational forensics, which according to the organizers is "the hypothesis-driven investigation of a specific forensic problem using computers".

The preliminary Call for Papers has been posted. Submissions are due June 25, 2010. Please see the conference website for further details.

]]> ENAC November 2009 tag:computer.forensikblog.de,2009:/en//5.633 2009-11-03T15:00:00Z 2009-11-03T15:00:20Z Cybex has published the November 2009 issue of their e-Newsletter on the Fight Against Cybercrime (ENAC). The newsletter covers various organizational, legal and technical aspects of Cybercrime and countermeasures. In the technical section of this issue Juan Carlos Ruiloba Castilla... Andreas Schuster By Andreas Schuster
Copyright © 2009 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> Cybex has published the November 2009 issue of their e-Newsletter on the Fight Against Cybercrime (ENAC). The newsletter covers various organizational, legal and technical aspects of Cybercrime and countermeasures.

In the technical section of this issue Juan Carlos Ruiloba Castilla (Policía Judicial de Barcelona, Spain) discusses fast-flux networks.

]]> DFRWS 2010 tag:computer.forensikblog.de,2009:/en//5.629 2009-10-15T15:00:00Z 2009-10-15T15:00:04Z The next Digital Forensic Research Conference (DFRWS) will held from August 2 to 4, 2010 in Portland, Oregon. Ten years ago, DFRWS started as a workshop and over the years evolved into a conference, that brings together researchers and practitioners... Andreas Schuster By Andreas Schuster
Copyright © 2009 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> The next Digital Forensic Research Conference (DFRWS) will held from August 2 to 4, 2010 in Portland, Oregon. Ten years ago, DFRWS started as a workshop and over the years evolved into a conference, that brings together researchers and practitioners from authorities and the private sector.

Let's celebrate the 10th anniversary with a stream of top-notch papers. The call for papers is open, papers are due February 28, 2010.

]]> OMFW 2010 tag:computer.forensikblog.de,2009:/en//5.632 2009-10-14T15:00:00Z 2009-10-14T15:00:07Z AAron Walters is planning an Open Memory Forensics Workshop (OMFW) for 2010. If you're into memory analysis, attending this workshop is a must! Please contact AAron for further details. (via Jamie Levy)... Andreas Schuster By Andreas Schuster
Copyright © 2009 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> AAron Walters is planning an Open Memory Forensics Workshop (OMFW) for 2010. If you're into memory analysis, attending this workshop is a must! Please contact AAron for further details.
(via Jamie Levy)

]]> Upcoming Memory Analysis Training tag:computer.forensikblog.de,2009:/en//5.630 2009-10-13T15:00:00Z 2009-10-13T15:00:05Z I'm excited to announce that I will teach a two-day class on Windows memory analysis at the upcoming Hoffmann's Advanced Forensic Sessions. The sessions will held from November, 16 to 20, 2009 in Almere near Amsterdam. Other instructors will cover... Andreas Schuster By Andreas Schuster
Copyright © 2009 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> I'm excited to announce that I will teach a two-day class on Windows memory analysis at the upcoming Hoffmann's Advanced Forensic Sessions. The sessions will held from November, 16 to 20, 2009 in Almere near Amsterdam. Other instructors will cover Microsoft Office file formats, the Apple Mac and iPhone, and advanced file carving techniques. Registration is still open, please see Hoffmann's web site for further information.

]]> The Microsoft Windows memory analysis class will provide you with an overview of memory acquisition tools and techniques. You will learn about the pros and cons of each technique, so you can chose the right tools and procedures for your specific environment. In the analysis part, I'll put a strong focus on the Windows NT object model. We will work with the Microsoft debugger and the Volatility memory analysis framework to view at the fascinating and complex world of Windows objects from a forensic perspective.

For a preview of what to expect, please have a look at my slides for a three-hour class held at the FIRST 2009 Conference.

Attendees will get:

  • a ready to run work environment, based on Volatility and a Linux virtual machine
  • a couple of brand-new Voaltility plugins
  • a selection of memory samples to work on
  • printed courseware and slides in PDF

Prerequisites:

  • bring your own laptop
  • at least 1 GB of RAM
  • at least 6 GB free hard disk space
  • either VMware player or VMware workstation
  • Microsoft Windows host OS recommended, Linux will do for most of the exercises
  • Microsoft Debugging tools for Windows
]]> Electronic Newsletter on the fight Against Cybercrime tag:computer.forensikblog.de,2009:/en//5.631 2009-10-12T15:00:00Z 2009-10-12T15:00:07Z The free Electronic Newsletter on the fight Against Cybercrime (ENAC) covers a variety of aspects, like the legal system and jurisprudence, data protection, upcoming events, but also technical aspects like computer forensics. The October 2009 issue (no. 4) is now... Andreas Schuster By Andreas Schuster
Copyright © 2009 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

]]> The free Electronic Newsletter on the fight Against Cybercrime (ENAC) covers a variety of aspects, like the legal system and jurisprudence, data protection, upcoming events, but also technical aspects like computer forensics. The October 2009 issue (no. 4) is now available for download (PDF).

]]> The project is funded by Cybex and the European Commission's Directorate General Freedom, Security and Justice, within the framework of the Criminal Justice 2008 Programme. The newsletter is published in English, Spanish and Russian.

Back issues are still available:

]]>