Friday, January 29, 2010

Exchange 2007 Collections ....ugggh!

Once upon a time, DAV NADS was collecting mailboxes from a 64-bit Exchange 2007 server environment (LOL!). I wanted to take a moment to highlight a few things I learned that I hope you may find helpful.
  • “ExMerge” no longer exists. As of 2007, this functionality has been integrated into Exchange’s Management Shell Cmdlet’s (available in SP1 and SP2).
  • Cmdlets is NOT compatible with 64-bit servers ONLY 32-bit. I will describe a “work-around” I used in detail below.
  • The CMD you will need to know and use is called: Export-Mailbox.
  • One notable advantage of “Export-Mailbox” over “ExMerge” is it does NOT have issues exporting mailboxes over the 2GB PST limit.
  • Export-Mailbox will include “Dumpster” data on Exchange 2007. On Exchange 2010 is does NOT…!
  • Just like ExMerge, before you can use Export-Mailbox, you need the proper account rights.
    1. Local Administrator rights.
    2. Exchange Server Administrator Role on the target Exchange 2007 mailbox server.
    3. Full access to the mailboxes against which the import/export operation is run.
  • It is quite cumbersome, but STILL possible to install Exmerge on a client machine and connect to Exchange 2007 remotely. A tutorial on this procedure is here:

The work-around I followed to the 64-bit limitation was quite simple:

1.       Because I could not export to PST but still had the ability to export to a mailboxes, we created a “dummy” mailbox and exported to this mailbox. For example, the below command will export ALL e-mail from the “” identity to the “MyData” folder in the “DummyMailbox”.

     Export-Mailbox -Identity -TargetMailbox DummyMailbox -TargetFolder MyData

2.       After we exported the data to a “DummyMailbox” we authenticated to the mailbox with Outlook.

3.       Manually created a new  “Local” Outlook Data File (PST file).

4.       Manually copied over all e-mail from the Exchange “DummyMailbox” to the “Local” PST file.

Now, if you are working with a 32-bit Exchange server, this is the command you need to use to export the contents of a Exchange mailbox to a local PST file:

    Export-Mailbox -Identity -PSTFolderPath C:\PSTFiles\davnads.pst

Dav Nads the Exchange Guy.

Tuesday, January 26, 2010

Don't go fishing for server data.. Just ask Dav Nads!!!

No one likes to go fishing for data, so this is the basic list of information I request from IT administrators before I start cutting data!! If you don't get answers, check out this secret millitarty instructional interrogation video on water boarding. I'm just saying!

1.) Listing of Active Directory and/or User Names for all Custodians.

2.) For all Custodians, a Permission listing of all Personal and Group Shares they have write-access to (i.e.: Custodian Dav Nads has write access to directory ABC on the File Server XXX).

3.) Lotus/Exchange Mailbox name(s) for all custodians (i.e.: DavNadz.nsf) and servers they reside on.

4.) If possible, Local and Admin  Security ID files and passwords to access the respected custodian’s local and server mailboxes.

Always catching and never fishing,


Monday, January 25, 2010

"Dav" + "Nads" = "Dav Nads" - Use excel to CONCATENATE!

CONCATENATE is the method of joining two or more text strings into one text string.

The syntax in Excel 2007 is: CONCATENATE (text1,text2,...)

Text1, text2, ...   are 2 to 255 text items to be joined into a single text item. The text items can be text strings, numbers, or single-cell references.

Always saving time,

Dav Nads.

Thursday, January 21, 2010

Nads does HFSX with Encase

Encase does NOT support the OS X Extended (HFSX) file system... but it's on the feature request list!! So leave it to Dav Nads to find a workaround. It's not what I would call a forensically sound procedure, but if you document it, this 3 step hack may be what it's worth.

1. Convert your image over to a RAW format like DD.
2. Fire up a Hex Editor 
3. Modify 2 bytes in the 3rd sector of the HFSX partition by changing the second byte of the sector from a 'x' into a '+' and changing the byte value of the 4th byte from \x05 into \x04.

Congratulations. You just changed the HFSX partition into a HFS Plus (HFS+) partition... which Encase readily supports :-)

NOTE this little byte swap is not the only difference between the two files systems! For instance, HFSX supports case sensitivity so Encase may not properly handle file names (i.e.: Evidence.txt vs. evidence.txt). This means proceed with your own Nads.

Your welcome,

Dav Nads

Wednesday, January 20, 2010

Dav the Data Carver Nads (from Carver County, MN)

Two products I wanted to give a shout out to this week are in result to a recent initiative involving the recovery of video fragments from unallocated space. File Salvage ($89.95) for the Mac's and Stellar Phoenix ($69.99) for the PC's.

Overall, I was surprisingly impressed with my experience and results. Both tools were straight forward and simple to use. From a technical perspective, I liked how both products integrated a categorized predefined signatures list into the User Interface. So I was quickly able to identify file signatures pertaining to my request. Additionally, both tools allowed me to preview results and selectively export them.

On the not so great side, I found there was a few discrepancies between what the manufactures stated on their website and what was provided. For example, it was stated that File Salvage supported (DD, E01, NTFS, HFS, etc..) and actually it only supported whole-disks or mountable DMG files. So I had to use FTK Imager to converter my E01 to DD and then rename the DD to a DMG. Also, note that this does not work on segmented files.

Another thing I would like to note is when reviewing corrupted and fragmented video files, some viewers work better then others... I had bad luck using the standard Windows Media Player, good luck using Windows Media Player Classic, and THE BEST luck using VNC player. Using a combination of all three viewers was what I found the ultimate solution.

Also, something unique pertaining to this request was that file volumes were requested for any recovered data. In respect to files that where “partially” recovered, the file volume (MBs) would be reported on the basis of what could be recovered. In most instances this value can be assumed to be less than the “original”.

A more precise estimate of the “original” file volume can be calculated based on the meta data value of video length. For instance, a partially recovered video is 2 minutes in length and 10 MB in volume. However, the files meta data value for video length is 20 minutes. Therefore, you could assume 10 MB /2 mins  = approximately 5 MB per 1 minute frame. So the actual movie size would be more like 100 MB.

Enough said,

Dav Nadsss

Thursday, January 14, 2010

Working with Lotus Notes...

So let’s start with the BASICS here… what the heck does a NSF file stand for and what does it DO? Notes Storage Facility and it is used primarily for E-MAIL (and other stuff)...!! Kind of like a PST or OST!

Now since we have taken care of that, let’s jump into the common types of security and protection we commonly encounter while handling NSF files in an OFFLINE environment… As outlined below, there are 3 major classifications, Local Security, Local Encryption, and Message Level Encryption.

The first step is to identify how a NSF file is protected, if protected at all. Now, this sounds like a simple task but it’s actually quite tedious and can be the utmost challenging part… Let’s take a look at the options.

Common sense says “Hey, let’s just crack open a duplicate/working-copy to see what happens?!” Actually, this is not a bad idea... Based on the error message you receive alone, if any, you can instantly determine how a NSF file is protected! For example;

"You are not authorized to access that database", and fails to open, means you’re dealing with Local Security.

"This database has local access protection & you are not authorized to access it locally”, and fails to open, means you’re dealing with Local Encryption.

Unfortunately, there’s no way to determine if Message Level Encryption is in place based on opening the NSF file alone. Since it’s the actual message is encrypted vs. the container itself.

When is this NOT such a great idea? How about when you have 2,000 NSF files to analyze!! So, there are two alternatives that I’m aware of...

One, just push all the messages through your “processing tool” of choice and hope to G-d it has intelligence (like Dav Nads!) smart enough to report on exceptions. In other words, what it couldn’t process due to errors or security protection. This can then be analyzed on a file by file, case by case, basis as outlined above.

The second option is to automate this process with a bit of scripting. Again to my knowledge there are no tools on the shelf that will do this stand alone. But let’s just say I know it can be done pretty easily because I have seen a proof of concept for this. Feel free to ping me for more info but in a nutshell you just need to know how to query the ACL table.

So now before we jump into how to resolve these types of protection and encryption, let’s briefly explore how they work…

Inside of a NSF file is an Access Control Levels (ACL) table. These settings control the type of actions a user can perform on the contents of a database and on the database itself. Access levels range from Local Encryption, which encrypts the database, No Access, which prevents a user from opening a database without proper credentials, to Manager, which lets a user read, create, and edit the ACL and all documents in the database. Further details on these setting can be found at IBM.

So in summary, ACLs limit access to the NSF files. The ACL define what actions each type of user is allowed to take.

Finally, here are the options available to remove these types of protection/security:

Local Security

1.      Use the associated ID File and Password to manually remove the ACL permissions protecting the NSF file.

2.      What happens if you don’t have it? Use a Lotus Notes local security removal tool.  For instance, Securase,  removes local security from NSF files. It's simple to use and helps you save time running around trying to find the correct user id and password to open a local NSF file.

Again this process, can be automated :-)

Local Encryption

1.      Use the associated ID File and Password combination to manually remove the ACL permissions encrypting the NSF file.

2.      What happens if you don’t have the password? Well, here a little trick that works sometimes… when a user is prompted change their password from the default to their personal, it does not change the actual key used for encryption.

Therefore, the ID file that the admin generated the day the employee started or the local ID file, with the default password of 'password1', or the user's last name, or whatever the admin likes to use, will still decrypt the NSF file that is protected by the new, unknown password.

3.      Despite what some tools claim, there are no tools that will “magically” decrypt encrypted Lotus Notes Databases. However, Access Data’s Password Recovery Toolkit will brute-force attack the ID file. I have never successfully accomplished this but in theory it should work. Just might take some time :-)

Message Level Encryption

With the exception of asking for the password or brute-force attacks, I’m not aware of any way to challenge message level encryption . Please help me out with this if you can!!

Yours Truly,

Dav Nads

Friday, January 8, 2010


... scored 11/10 on the "Cables, plugs, wires, cords...that connect your TV, audio, computer, and iPod" TEST. If you think you got SMARTS about computer forensics this is where is all starts... LEARN THE SYSTEMS, LEARN THE SOFTWARE, then ya got SYNERGY. The boss once put it like that ;-)

check it OUT! 

Thursday, January 7, 2010

Dear PhotoShop, Thank You for makin the prettiest Dav Nads in the Planet

Dear Gizmodo,

These photochop girls look GrEaT! But I'm REALLY looking forward to the sexiest man in the planet contest starring... DAV NADS!!

"What would happen if Angelina Jolie and Chalize Theron had a baby with Megan Fox, Monica Belucci, and twelve hot actresses? I don't know if this would be the result, but I'd like to
watch them try." ThiS IS wHAT would HAPpEn...

Tuesday, January 5, 2010


By creating a new folder in Windows 7 and renaming it with a certain text string at the end, users are able to have a single place to do everything from changing the look of the mouse pointer to making a new hard-drive partition.

The trick is also said to work in Windows Vista, although some are warning that although it works fine in 32-bit versions of Vista, it can cause 64-bit versions of that operating system to crash.

To enter "GodMode," one need only create a new folder and then rename the folder to the following:

Sunday, January 3, 2010


twistin joysticks, rolling trackballs N' pushing big buttons. my handle is nads and i work the sketch pads. flip that switch, wack that biatch, this aint no computer glitch. im simpimply a boy genious that plays the keyboard...