Tuesday, December 22, 2009

US airforce p'owned with $26 data carving tool... LOL!!!

It was reported last week by a number of sources, that Iraqi insurgents found a way to INTERCEPT airplane (and drone) video feeds with $26.00 SHAREWARE software...LOL!!!! The software in the spotlight is called SkyGraber. Essentially, this is just a little data carving tool... It connects to your satellite connection and carves out known file types from the air. One just happening to be unencrypted video feeds! The best thing to compare it to is a network sniffer.

The amazingly insecure protocol the government uses is called: Remotely Operated Video Enhanced Receiver (ROVER). This technology was deployed in 2002, "Since then, nearly every airplane in the American fleet - from F-16 and F/A-18 fighters to A-10 attack planes to Harrier jump jets to B-1B bombers has been outfitted with equipment that lets them transmit to ROVERs. Thousands of ROVER terminals have been distributed to troops in Afghanistan and Iraq..." -Wired.

An encryption package can be added to the ROVER; however, not all troops have the encryption package. The latest ROVER model being tested by the Pentagon comes equipped with two advanced encryption packages. Sources report, an official document puts a completion date to secure the feeds by 2014 :-/

...Not to mention, this all came to about, when the military kept finding hours and hours of it's OWN surveillance videos from computers it was imaging out in the field...



Monday, December 14, 2009

NEW Advanced Format gives ya 11% MORE capacity on your Hard Drive!

Western Digital has a fancy new way to format hard drives. This consists of changing your hard drives sector size to 4KB that uses a pooled Sync/DAM header and ECC blocks.

Wednesday, December 9, 2009

Dav Nad's on Sharing ;-)

A situation arose yesterday where a deliverable, Microsoft Office Excel workbook, needed to get out the door under a tight deadline. I had a team of 5 resources at my disposal to assist with the project. However, given the nature of the complexity and manual task at hand, it would have just made things more time consuming and convoluted by delegating work out to each resource. So I thought to myself it would be amazing if we could put this workbook in a neutral location where we could all work on this task collectively and see each other’s changes and monitor progress.

So I recalled that Microsoft Office 2007 had the capability of doing this. So I took the workbook, placed it on file server that resides on our LAN that everyone has access to. I then “Shared” the workbook to the specified “users” I wanted to delegate “write-access” to and setup the settings associated with how to save and update the changes within the workbook. In all, this process took me about 10 minutes to setup and test.

The end result was this amazing feature allowed me to delegate work efficiently while maintaining a management oversight. Work Smarter not Harder with Sharing!

Thursday, December 3, 2009

Encase and Windows 7, Server 2008

The Remote Desktop Protocol and Encase Forensic do not play well together in Windows 7 and Server 2008.

The traditional fix to this in XP and Server 2003 was to use the MSTSC command with a /console flag (or /admin for later service packs) to carry out console mode. However this does not work anymore. So I did a little research...

It's stated on Guidance's website that  "EnCase is not officially supported running over Remote Desktop due to the manner in which the Remote Login Account is given access to the System devices". A discussion with one of their support representatives and some messages on their forum in fact further confirmed that Encase has never supported RDP (in any of their releases).

BUT, Guidance then goes to say in the same article that "IF the RDP configuration does not work the only alternative is to purchase the SAFE NAS (Network Authentication Server) to license EnCase over the network." Well, if that's not a contradicting statement, I don't know what is! So they are saying its not supported but if you want to make it work you can BUY something they sell to make it work? As a user this makes me shake my head and as a shareholder, I would be lying if I said I wasen't smiling :-) 

Some say this is a licensing strategy, a method to prevent multiple users from using multiple instances of encase off of one license. But I don't see how that type of "abuse" is even technically possible under the current limitation of RDP and Encase only working in console mode. So I don't buy that really. I think the reason it does not work in Windows 7 and 2008 server is because of something that has changed in the O/S. I'm not sure what this is but I'm going to look into it.

So here's a solution I purpose to Guidance. Migrate over to a system like Access Data's License Manager and Code Meter dongle (hold on, did I just say something good about AD?). With Access Data's License Manager system a user has the ability to transfer/update licenses from and to their dongles. Ideally, one could use a dongle normally and then if one wanted to use RDP, they could migrate their license over from the dongle to the NAS Safe. Then vice versa. Damn I think that is genius! LOL But this would sure make people happy!

Well enough of that, here's something good. I have 2 round about workarounds for Win 7 and 2008 Server to get RDP working -

  1. Disable Fast User Switching, Disable User Account Controls, start up your instance of Encase Forensic, open your case up/start your processing. THEN, remote in using the "mstsc /admin" command and log in as the same user you have an instance of Encase already running under. This works.
  2. Now, you can always use a VNC or PCAnywhere application to accomplish this as well. Works like a charm.
But neither of these are practical solutions. Welp, back to XP for me!

Dav Nads

- Posted using BlogPress from my iPhone

Did ya know this?

In Windows Vista and 7 when using device manager to do a "full format" it will actually zero out the drive. That's a legit REAL wipe! "Quick format" remains the same, it only wacks out the volume boot record.

Sounds like an easy way to wipe hard drives :-) I'm curious how fast it is?


Dav Nads
-from my iPhone

Wednesday, December 2, 2009

SharePoint Collections can be tricky!

I had an opportunity to collect data from a Microsoft SharePoint (SP) server yesterday... Sounds ez, right? Sure it should be with all the top-notch vendors out there that have integrated SP connectivity into their e-Discovery products...   Kazeon Systems, KPMG, KrollAvePoint, Autonomy to just name a few (click on the links to go their press releases).

Well what happens when the SP server you are collecting from is not in a live production environment... In fact, it’s just a dusty old’ .E01 (Encase format) image of a system you collected a year ago?

…Well based on my market research, there's not much out there that’s going to be able to help you. Nonetheless, I can't imagine there even being a demand for this type of one-off collection in the market place. So on that note, here is some food for thought and research about the various collection approaches of SP databases under these unique circumstances.

Approach 1: Leverage virtualization technology by using Liveview and VMware Server to boot the image natively. Subsequently, start the SP services, and remotely collect site(s) with any one of the widely available tools listed above. Well, hold your horses their speedy!! This sure sounds like a great approach; however, you need to take account for a number of variables that make this approach a tad bit complicated. To name a few:
  • Does the image consist of a physical or logical acquisition? If it’s logical, yup move onto approach two, can’t boot that up one up.
  • Is it physical? Well is it a RAID..? Yeah, can’t boot that up either without a serious fight, move on to approach two.
  • Is the image segmented… or in the wrong format? Start merging/converting those files.
  • Don’t know the password to log into the system? Eh, you can try to crack it.. with a boot CD.
Approach 2: Extract relevant SP data from the image and implant it into a existing controlled SP environment. First step here is to crack that image open and start identifying some significant information.
  • What version of SP and SQL is installed? This can generally be found by looking in the registry or associated “program files” directory.
  • What are the SP files I’m looking for? Each SP database is identified by two files: the database file, which has a .mdf filename extension, and the transaction log file, which has a .ldf extension.
  • Where are the SP files stored? If you have a default Windows SharePoint Services installation, the database files are in the \Program FilesMicrosoft SQL Server\MSSQL$SHAREPOINT\Data directory. You will typically find the following 4 files in that directory:
    1. STS_Config.mdf
    2. STS_Config_log.LDF
    3. STS_Computer_Name_1.mdf
    4. STS_Computer_Name_1_log.LDF
Now that you have identified the various databases and configuration files, extract them from the image.

The next step is to install the same version of SP, SQL, and operating system that is found in the image file on a computer/server in your controlled lab environment. This might be overkill but effective!

Generally after you get things installed, you will need to turn off SP services, disconnect the default database, copy over the extracted files and do the switchero. Then, start the services back up and connect the database. This process is well documented in Microsoft’s TechNet article. Keep in mind that you may need to repair the database because it may not have been properly detached during the point of collection and in result corrupted.

Approach 3: Let’s say that neither approach worked out. Well I’m going to assume you successfully extracted the relevant SP data (as outlined in Approach 2) from the image. Given that assumption, download the Sharepoint 2003 and 2007 Database Exporter tool. This tool allows you to point to a SP database, view contents, and export. An alternative tool is called SharePoint Database Explorer and SPExport which does the same thing. Both solutions are well documented.

Approach 4 - Catch All: If all else fails, go back to the damn live server and recollect!!

For all four of the approaches outlined, I strongly suggest to validate and perform quality control testing.

-Dav Nads

Tuesday, December 1, 2009

knock knock

phish, snort, spoof, tunnel, boom, p'ownd! dav nads is knocking while that firewall trying to be blocking. logged in as root and out with the loot. my intrusions make illusions cause your vulnerabilities compile my credibility's. alwayz leaving traces from outer space, with null to chase, dnads plays hide n go' seek for the geeks :-p

Thursday, November 26, 2009

Linux, Mount them segmented DD file Images!!

To mount split/segmented DD files in Linux you can use the "mdadm" command along with the "losetup" command.  For example, if I have six split image files in a directory called Images:

losetup /dev/loop0 /mnt/Images/image.000
losetup /dev/loop1 /mnt/Images/image.001
losetup /dev/loop2 /mnt/Images/image.002
losetup /dev/loop3 /mnt/Images/image.003
losetup /dev/loop4 /mnt/Images/image.004
losetup /dev/loop5 /mnt/Images/image.005

The command to mount it would look like this:

mdadm --build --auto=part -verbose /dev/md1 --level=linear -n6 /dev/loop[0-5]

If you are mounting a hard drive with two partitions, partition1 is on "/dev/md1p1" and partition2 is on "/dev/md2p2".

-Dav Nads

Sunday, November 22, 2009

Call the Paparazzi... COFEE was LeAkEd!!

OMG is right..!! Microsoft's super-secret Computer Online Forensic Evidence Extractor ("COFEE")  available to Law Enforcement only, was leaked into the torrents last week... LOL! ABOUT TIME IS ALL THAT I HAVE TO SAY!

It was about a year ago when I first heard about this tool. The press releases poured COFEE out like this..

"With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. And the COFEE framework can be tailored to effectively meet the needs of your particular investigation."

To say the least, the tool was intellectually intriguing. I WANTED A COPY for Chanukah!! Unfortunately, I couldn't have one because I was not in Law Enforcement and was living in China at the time (without a whole lot to do). So, I decided to do some research and start programming a COFEE of my own :-) Well, that turned into a long drawn out project called BOOP. I'm saving BOOP for a later date and blog entry of its own.

As for COFEE, let's say I saw it!!! My thoughts, It's nothing but a simple GUI wrapper for a # of Microsoft SysInternal, Windows XP, and other misc. freeware command-line tools. It facilitates batch execution of these utilities and customized payloads. It does not even include a tool to dump physical memory. Honestly, looks like a amateur high school programming project. I had dreams of it being stealthy, sexy, ninja like, super secret, high tech, and a ultimate computer forensic swiss army knife. As I'm sure you can tell, I feel really disappointed and let down here. I think the last time I felt this way was when my girlfriend cheated on me. LOL. 15 MB of trash pretty much sums that tool up.  Thanks Microsoft, for ruining my life. Now, back to whole-disk imaging computers.
-This one is for my high school programming class .

Dav Nads

Tuesday, November 17, 2009

OSX Mail and E-Discovery ..

Whats up NERDZ! Did ya miss me?? Since I wrote about OSX last week, I thought I would keep things in the ROM... LOL! I'm starting to see more and more Macs in the field and less and less "know how" out in the field to deliver! By no means do I claim to be a expert BUT my first computer was a Apple 2E, second was a Performa 410 and third was a power Macintosh 6400. So I'm just saying... Ms. Apple and I have a little history together :-p

I want to talk about OS X mail here. This is a subject that I feel is not well documented in the community as it pertains to e-Discovery. The fact is I don't know ANY end-to-end e-Discovery appliances/and or solutions that properly handles and processes OSX mail in all variations and native formats. This means I find myself MANUALLY migrating OSX mail to our dear all mighty PST quite frequently. In this blog, I will explore the various common formats of OSX mail and options available to migrate your data to PST format. Ultimately, meeting the requirements and working within the limitations of our e-Discovery software.

In OS X 10.3 (Panther), all messages for each inbox, are stored in .MBOX format. All you need to do is identify these and convert to PST with your favorite MBOX to PST migration utility. It's that simple! I suggest using Aid4Mail and exercising the option to "recover deleted items". Remember it's important to preserve file structure during export and migration.

One of the most compelling reasons to upgrade to OS X 10.4 (Tiger) is because of it's amazing indexing and search features. Apple's Mail.app leveraged this powerful searching ability with Mail 2.0. However, to allow for speedy indexing and searching of e-mails via Spotlight, Apple had to split those large .MBOX files into individual .EMLX files. So you will find ONE .EMLX file for EVERY e-mail. These EMLX files are stored, by default, in the following location. Note that multiple users may have mail accounts.


Now there are a few options to migrate .EMLX files over to the "other side". The first approach, use a e-mail migration utility of your choice to migrate the data.  Again, Aid4Mail does a good job at this. This approach assumes you have already exported your data (maintaining file structure) or mounted the image.

The second approach takes into account that some e-Discovery software WILL accept .EML as a valid message type input format. Also, let's be honest, who wants manually convert each extention for every email. Not me!! So lets do this this...

If your on a Mac: Launch the Terminal, change into the directory the .EMLX files are located (ie. cd ~/Library/Mail/) and execute this command to batch rename all the files:

for file in *.emlx ; do mv $file `echo $file | sed 's/\(.*\.\)emlx/\1eml/'` ; done

If your on a PC: Launch DOS, change into the directory the EMLX file are located, and execute this command to batch rename all the files:

ren *.emlx *.eml

.EMLX and .EML are transparent in format because the messages are stored in pure plaintext. Therefore, renaming the file extension, as demonstrated in the above approach, works great if your software supports the .EML format.

NOW off to the races, what happens if the custodian uses IMAP? In addition to seeing .EMLX files you will see .EMLXPART and  PARTIAL.EMLX files. That's a total of three file formats that are used to manage IMAP accounts. That means there are now four file formats you need to take account to during your identification phase. Let's examine these two new formats, .EMLXPART and PARTIAL.EMLX.

An emlxpart file is an attachment, either an image, a document or an HTML version of a message. It doesn’t contain the metadata which is included in an emlx file. This means attachments are stripped from .EMLX files and stored separately as these emlxpart files. It's file name is same number as the corresponding emlx file. For example, Cybergirl223 sends me a picture of her today. Her message is locally cached in my Mail folder as 473.emlx and the attachment as 473.2.emlxpart. Make sense?

In IMAP accounts, a third file type, partial.emlx,  also sometimes appears. This is for partially locally-cached copies messages on the IMAP server, saved for indexing or something.

Migrating these 3 files is a little more time and resource consuming as some of the other approaches. This consists of two steps; Migrate everything to MBOX and the secondly migrate the MBOX to PST.

To start, there is only one tool that I'm aware of that entirely migrates .EMLX, EMLXPART, and PARTIAL.EMLX files while persevering folder structure and attachments. This tool is called "Emailchemy" and can be purchased here: http://www.weirdkid.com/products/emailchemy/index.html

After you have converted to your loose e-mail files to MBOX, then again use your tool of choice (I think you know what mine is by now) to migrate to PST.

Well that's all I have on this topic. Make sure you account for all four file types discussed; .MBOX, .EMLX, .EMLXPART, and PARTIAL.EMLX  during your identification and/or pre-processing phases - then migrate over accordingly :-) Also, remember the importance of verifying your results when migrating data. I like to tell people if you migrate A to Z you should be able to migrate from Z to A. This is one of simplest  forms of logic and basic validation.

hope u enjoyed, all the best, dnasty

Wednesday, November 11, 2009


24" inch rims and 240-pin DIMMs. spinning platters and pullin magnetic chatter. flying down the system bus i hit the i7 with thrust. some say i overclock but i know its cause i aint stock. my case flowin liquid and your girl blowin somethin, dav nads be energy efficient while your girl being coefficient. from the circuit boards to the cords, u get outscored. nibble on nads just dropped banner ads!

Mac Parallels

When i aint speaking dictionary attacks or prefetching unicode on the snatch. I'm actually working on the blog. my bouyie, Christian Lander, got a job too. he's droppin text like "Stuff White People Like" where # 40 is a shout out just for Apple Macs. So, heres one for ya -

E-discovery - HOW tO get my f#$%ing data out of Mac Parallels!!!

The most "popular" format of virtual storage is VMware's .VMDK format. Encase does a great job at supporting these in native format by automatically mounting em. However, what about the not so cool formats like Parallels? Well Guidance has it on their far future "feature request" list at number 4,332,545 (guessestimate) to support it sometime in the near future.

Now the big question is how do you get that data out?? Here are my notes on a couple of approaches:

1.) Manually identify the .HDD and .PVS file extensions associated with the Parallels application in your case. Create a file-ext condition in Encase to accomplish fast and efficiently.

HDD ext - During the creation, the virtual machine acquires a virtual hard disk file with the .hdd extension.

PVS ext - A virtual machine configuration file that contains information about the virtual machine resources, devices and other settings.

Don't see those, but you are seeing .HDS files? you can rename these to HDD. Check out this good tutorial. 

2.) Extract relevant Parallels data to your work space while preserving folder structure to avoid file name collisions.

3.) Install Parallels on your examiner machine.

A free 30 day demo is available at http://download.parallels.com. Don't ask me this voids some EULA bs cause whatever - just saying yo. If all possible, install a version consistent with the custodian's machine. You can check version by analyzing the .PLIST and/or .PDF user manual artifacts found in the Parallels application folder.

4.) Parallels has developed a special utility for increasing the virtual hard disk capacity and managing its properties - this tool is called Parallels Image Tool.exe and is included with a standard install.

5.) You will need to use this tool to change the properties of your .HDD file. Execute, select "manage..", point to your .HDD file, and convert to plain format.

...This will change the file from a expandable image format to raw disk type.

6.) Rename the extension of the .HDD file to a .VMDK and bring into encase as a loose file. Whalaaa you should see data!!? Otherwise you can use a free program like ImDisk to mount the converted hard disk image. This even has support for "read-only" mode.

FYI - this is just one approach and just like FTK, it does not always work.. Lol! For obvious reasons, there are technical limitations and variables in the above example that will cause issues. Another tool you can use, with newer versions of Parallels disk formats, is the VMware Converter. Similarly, this tool allows to migrate virtual hard drives from one format to another.

So you have FAILED.. and never want to use a Mac again at this point. Here's another approach soldiers:

1.) Blow out your image to a physical hard drive using the tool of your choice. I like DC3DD whooohoo

2.) Now attach this external hard drive to your Mac examiner machine as a slave. Boot to this hard drive instead of the primary hard drive. Boot options are made available by holding down the options key at start up.

3.) So now you just booted into your custodians machine. Sweeeet! The cool thang about Mac's is they don't nearly require the degree of driver support that PC's do upon start up. Mac's have a very transparent set of drivers between all of their products. So you can practically use any Mac machine (at least consistent with chip sets) to boot native.

4.) Now you may get stuck at the login password because you don't know the custodians password. If this is the case, it doesn't hurt to just ask for it DERRRR! If you need to reset it, then use the OS X restoration DVD. You can figure it out.. just GOOGLE IT! Just beware you will need the OS X recovery disk paired with the installation version.

5.) Once you get in, boot the virtual machine(s) normally and acquire using a live-image tool. I like throwing FTK imager lite on a thumb drive, adding it as a read-only device into the virtual machine, and porting the image over to a saved network share location or external data source. As always, just document your shiat.

Update (12/6/2009): Just in, thanks to Beatle over at forensicfocus.com, another approach, try UFS Explorer . I have not tested, but it is documented that this software will to read into the Parallels image file and allow you to mount the file system locally with read-only access. If you have experience using this software, I would be interested to hear your feedback.

As always, these are just some of my notes. Test, validate, document, your work!

Tuesday, November 10, 2009

its good

we aint be airing for 24 n i aready gotz stalkers. girlz be bookmarking n crackers be marking. cut paste copy erase. dnads is a polymorphic strand that aint loosing system command. i'm shootin tripple DES while y'all still bootin 95. nibble, nobble, nads gets in with a snort and out with a port. ya better run update cause dav nads don't procasanate. stay tuned for more stringing accsi

Monday, November 9, 2009

ctrl alt del.. P'0wned!! DAV NADS iz ONLINE!

Wazzzzzzap! I'm werking on layin down some HUGE tricks fo' my blog project includin: hardddcore digi FORENSICS, e-discovery "where the MONEY is @", reverse engineering for snitching, , reality TV and some NEWS.

BUT Rigt' now.. put yo PC on deep freeeeze and MACs 2 sleepz! cause I'm working! spread the word that DAV NADS is ONLINE aND be bloggin' ritee HERE. www.http://davnads.blogspot.com. this the REAL thing y'all!