Friday, September 13, 2013

EnCase via RDP (part 2)

As you probably already know, Remote Desktop Protocol and Encase Forensic do not play well together in Windows 7, Server 2008, etc. As posted a few years agothere are a work arounds but none are perfect. Even buying the NAS licensing server has limitations.

...I spent weeks trying to figure out a true solution.Then randomly, out of complete nowhere, a co-worker one day sends an email to our team () saying "Hey, if you ever have this problem with Encase and RDP .. just do this..." I was shocked, amazed, but more importantly it worked!

Before you get started:
  • Note this program requires Administrative Rights to run!
  • Caution it requires User to Re-Login to RDP Session (user is not logged out)
  • Modified from and
  • I don't have time to support this but feel free to leave comments and I can see if my co-worker is interested in answering questions there.

1. Copy the text below into a text file
2. If you have EnCase installed somewhere other than the default location, you’ll need to update the section starting at line 23.
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"

3. Save as "Start Encase.bat"
4. Just double click "Start Encase.bat" after connecting via RDP to the workstation.

Start Encase.bat:
@echo off

:: EnCase Starter from RDP Session
:: Author: ALG
:: DATE: 2013.03.06
:: Purpose: Fixes issue of EnCase starting in Acquisition Mode when executed from RDP Session
:: Caution: Requires User to Re-Login to RDP Session (user is not logged out)
:: Modified from
:: and

echo ## Definig Windows Version
find /i "6.0" "%temp%\ver.tmp">nul
find /i "6.1" "%temp%\ver.tmp">nul

title Choose EnCase Version to Start via RDP (Requires Reconnect to RDP Session)
:: EnCase Installations (Update to Install Location)
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"
echo 1: EnCase V6 (32-Bit) [%encase_v6x32%]
echo 2: EnCase V6 (64-Bit) [%encase_v6x64%] 
echo 3: EnCase V7 (32-Bit) [%encase_v7x32%]
echo 4: EnCase V7 (64-Bit) [%encase_v7x64%]
echo ---------------------------------------
echo Type EnCase Version ID (above) or Full Path to EnCase.exe
echo Type R to refresh user list
echo Type Q to quit
set input=R
:: Prompt for Install
Set /P input=
if /I %input% EQU Q goto END
if /I %input% EQU R goto USERS
if /I %input% EQU 1 set input=%encase_v6x32%
if /I %input% EQU 2 set input=%encase_v6x64%
if /I %input% EQU 3 set input=%encase_v7x32%
if /I %input% EQU 4 set input=%encase_v7x64%
set path=%input%
goto USERS

title Users on Localhost
qwinsta /server:localhost
echo Type Session ID of current RDP session
echo Type R to refresh user list
echo Type Q to quit
set input=R

:: Prompt for Install
Set /P input=
if /I %input% EQU Q goto END
if /I %input% EQU R goto USERS
set session=%input%

title Disconnecting User
tscon %session% /dest:console
echo Log off in process
echo .

START /b "" %path%

cd %systemroot%\System32
if /I %CD% EQU %systemroot%\System32 goto MENU1
goto ERR1

title Error
echo This program requires Administrative Rights to run!
goto END


Thursday, July 25, 2013

New weapon, Emailtime!

I often rely on timelines to tell the story. However it’s imperative to understand how the story was constructed to do this effectively.

Thanks to tools like log2timeline and plaso it’s easy to create timelines! Like any tool it’s helpful to understand how these work.  I am not implying you need to start brogramming, but you should at least learn the capabilities of the tools. This primarily requires understanding what input modules or parsers are available (and how they are invoked). If you’re relying strictly on timelines for analysis this knowledge should enable you to understand if the "entire story” is being told.

For instance, according to the timeline below, on March 4, 2012 at 00:28:17, a Windows Application (McAfee) Event Log entry was created. The description of this event states “The Scan was unable to scan password protected file\\2011-W2.pdf. Scan engine version used is 5400.1158 DAT version 6498.0000.”

Looking at the context of this event I don’t see any notable activity that could be contributable to the source of this event log entry. However, taking a step back from this timeline example, knowing what I am NOT seeing could equally important to what is shown…

According to a 2012 Trend Micro report, Spear-Phishing Email: Most Favored APT Attack Bait, “91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.” Thus adding e-mail as a source in a timeline might be insightful.

As displayed below, seconds before the event log was created, an e-mail was received. This e-mail contained the attachment “”.

Now you probably want to know how e-mail magically appeared in the timeline above? At the SANS #DFIRSummit I introduced a new cmdline tool called Emailtime. The purpose of the tool is to create log2timeline CSV format timelines of PST files.

The tool was written in Python and is packaged as an EXE for distribution. It requires you to download the Developers version of Redemption as a dependency first. Oh, and run the Redemption installer as Administrator.

Special thanks to Steve Gibson (@stevegibson) the ninja for helping pull this tool together. Note the tool is super ALPHA/BETA/WHATEVER so use at your own risk. We look forward to bug reports and feedback. I already have a short list of “to do” items including adding time zone offset and MSG support but didn’t want it to hold back releasing any further.

The usage of the tool is pretty simple:

emailtime.exe -p -e -H -F -S

Additionally, as shown in the examples below it has some neat filtering capabilities. This allows you to target e-mails of relevance quicker based on e-mails that contain keywords, attachments, and/or hyperlinks.


Export all emails:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer"

Filter emails with hyperlinks only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -F hyperlink

Filter emails with hyperlinks and attachments only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -F hyperlink attachments

Filter emails containing string evil only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -S evil

Provided the output of Emailtime, a log2timeline CSV file, you can import it to a new 4n6time database for review (File > Create Database).  Alternatively, you can append it into an existing timeline database to overlay it with other timelines (File > Append Database).  

Wednesday, May 1, 2013

Melting snow, flash floods, and only a new 4n6time release ;-)

So where ever Kristinn Gudjonsson lives, there are apparently Flowers, blossoming trees and a new plaso release. That must be really nice. In Chicago we still have melting snow, flash floods, and only a new 4n6time release ;-)

For anyone that saw me speak at the HTCIA conference in Minnesota a few weeks ago, you know I am VERY excited about the new version of 4n6time (and some other soon to be released tools to make your timelines epic!). Months of development and user feedback have been put into this release. There’s really too much to list about "whats new", so here’s a few of my favorite improvements:
  • Updated plaso engine to version 1.0.1-1 (alpha) – As Kristinn pointed out the latest version of plaso has many new enhancements and features. Also included are 2 new parsers contributed by me (thank you Kristinn for the help), Symantec AV and Google Drive!
  • Control plaso with a mouse! – Create your timeline(s) using a simple yet comprehensive user wizard. Create a timeline from a disk image, mount point, directory, CSV file, or body file! Also take advantage of plaso’s amazing file filtering and pre-filtering capabilities.
  • Tabbing – Because one timeline is never enough you can now view and jump between multiple timelines (subsequent to filtering) in tabs within the data grid view.
  • VirusTotal integration – In addition to right clicking on an event and Viewing it with a external file viewer, MD5 hashing it, or exporting it, you can now check to see if it’s a known file in the VirusTotal database (provided an internet connection).
  • Speed – The tool has more or less been completely refactored. It is 5x faster. This includes opening saved database files instantly (no more loading!).
  • GUI –  Enhanced User Interface, charting, filtering tricks, and reporting.
  • So much more!!!!
It was almost a year ago, at the SANS DFIR summit, when Rob Lee gave me the opportunity to introduce 4n6time (then “l2t_Review”) to the community. I only had 360 seconds to show off the hundreds of hours of personal time I spent learning and developing the initial proof of concept.

Almost a year later, I am overwhelmed by the response from the community. 4n6time has been nominated for the 2013 forensic4cast award for the “Computer Forensic Software of the Year” and there are hundreds of folks using the tool all over the world. This has made every minute working on the project all so worth it.

As always, this project would not be possible without the existence and contributions to timeline creation tools. Special thanks to Kristinn Gudjonsson, Joachim Metz and others for development on log2timeline and now Plaso. Also a special thanks to Eric Wong who has been assisting me with the development these days.

You can download the latest Windows version of 4n6time (0.4) on Google Code.  Note you do not need to request a new cert file if you are an existing user, you can simply transfer your old cert file over to the new version following the directions in the FAQ. The FAQ is also a useful place for other common questions and getting started information. If you are completely new to plaso and/or 4n6time you may also want to check out the article Kristinn and I co-authored in issue 15 of Digital Forensic Magazine.

As always happy to answer any questions and look forward to receiving feedback as development starts on the next release.


-David Nides (@DAVNADS)

Tuesday, January 8, 2013

My Windows 8 DFIR Reading List

Below is my reading list for Windows 8 DFIR. I suspect it’s only a matter of time until everyone sees a hard drive with Windows 8. If you have any other resources to add to the list, feel free to drop a comment and I'll add it to the list.

Windows 8: Important Considerations for Computer Forensics and Electronic Discovery

Windows 8 Forensics - A First Look (ForensicFocusVideos)

Forensic Artifact: Malware Analysis in Windows 8

Windows 8 Forensics: USB Activity

Champlain College Windows 8 Forensics 3 Part Series

Windows 8 Forensics: Reset and Refresh Artifacts

Windows 8 Forensic Guide

Ken Johnson's Research