Thursday, 21 January 2010

TIM released - first test

Tableau have released their Tableau high performance software imaging product today.

To install it you first must have installed the latest Tableau firmware updater. Once installed the interface is fairly simple to use. I found some of the terminology in the GUI a bit odd. For example the types of compression selectable for Encase e.01 files are No Compression, Fast Compression or Good Compression whilst Encase provides the options none, good or best. It seems that fast maps to good and good maps to best. There also does not seem to be the ability to actually name the created e.01 files- just their containing folders, again a little strange.

Now as far as performance is concerned in our environment it is slightly faster. We image to a mapped network drive on a san across a gigabit ethernet network. I imaged a Hitachi 80GB sata laptop hard disk via a Tableau T35i write blocker using FTK Imager 2.5.5 using the Encase e.01 format - imaging completed in 51 minutes. Using TIM to image the same drive took 44 minutes. In both cases maximum compression was selected. Obviously at this stage this testing is far from scientific but TIM seems to be between 10 to 15% faster. I will report how it goes on with larger 3.5 inch sata hard drives later.


Thursday, 7 January 2010

C4P, MySQL and Windows 7

I can just about remember the thrill of upgrading to a new OS. When I was the new kid on the block I couldn't wait to upgrade from Windows 98SE to XP Pro (somehow we missed out Windows ME). Anyhow the newer kids on the block have migrated to Windows 7 (it is prettier, more stable, blah blah). Now I am a dinosaur with XP Pro 64 bit!

Anyway I had a call today about getting various aspects of C4P to play nicely with MySQL on a Vista 64 bit box. In our office we don't actually use Vista on any of our forensic boxes so I thought I'd check out the issues on one of Windows 7 64 bit boxes. As you know (because if you are still reading this you probably use C4P along with a MySQL DB) C4P interacts with the MySQL database in two areas:

  1. within Encase at Enscript level if the pre categorization option is selected
  2. or via Data Migration/ Special/ Update Case Direct from C4P Hash Database within the Categorizer for Pictures program itself.

Both of these connections require an MySQL ODBC connector driver to communicate with the running MYSQL C4P hash database using a suitable database connection string. Essentially in this scenario we have a choice of four MySQL ODBC drivers:

  1. MySQL ODBC 5.1 64 bit
  2. MySQL ODBC 5.1 32bit
  3. MySQL ODBC 3.51 64 bit
  4. My SQL ODBC 3.51 32 bit

All bar the 3.51 64 bit driver are installed via a Windows installer. The 3.51 64 bit driver is slightly trickier to install - you need to unpack the zip, run a command prompt as administrator, navigate the command prompt to your unpacked zip folder and then run the command

Install 0


Enscript level communication

At Enscript level it is possible to modify the database connection string which allows you to specify which ODBC connector driver to use. In testing on a Windows 7 64 bit box I have found that both the 3.51 and 5.1 64 bit drivers work (if the drivers fail you generally get a long unintelligible error message). The C4P 4.02 enscript allows the user to configure their own database connection string. The string that works for me is:

Provider=MSDASQL;DRIVER={MySQL ODBC 3.51 Driver};SERVER=Your_server_name_or_IP_address;DATABASE=c4p_hash;UID=c4p_user;PASSWORD=password;OPTION=3

Simply change 3.51 to 5.1 if you are using the later driver.

Categorizer for Pictures communication

The database connection string used by this program is hard coded and not user configurable. The program requires the 3.51 driver. However I could not get the Data Migration/ Special/ Update Case Direct from C4P Hash Database option to work on the Windows 7 64 bit box using the 3.51 64 bit driver. I suspect this is due to a permissions issue and tried to run C4P as administrator but I still failed to connect to the MySQL C4P hash db. However I was able to get the Data Migration/ Special/ Update Case Direct from C4P Hash Database option to work using the MySQL ODBC 3.51 32 bit driver.

Conclusion

Other combinations may work but on a Windows 7 64 bit box I recommend installing the MySQL ODBC 5.1 64 bit driver and the MySQL ODBC 3.51 32 bit driver to get C4P and the C4P graphics extractor enscript to play nicely with the MySQL C4P hash database.


Tuesday, 5 January 2010

Web Browser Session Restore Forensics

As this is the first post of the year I would like to wish you a happy new year.

The posting title is the title of an excellent paper written by Harry Parsonage relating to Session Restore files created by the latest Mozilla (Firefox) and Internet Explorer 8 browsers. These files may contain enough information to allow the browser to display a users workspace exactly as it was prior to a forced restart. Obviously these files may contain significant evidence. I am not going to steal Harry's thunder so download his paper from http://computerforensics.parsonage.co.uk/other/other.htm

I know that Harry is not keen on blogs simply regurgitating information found elsewhere so I will try and add a little value.

Safari v4
Session Restore functionality is now a must have in modern browsers. Another browser to have similar functionality is Safari v4. The last session information is contained in a file entitled LastSession.plist

In Mac OSX 10.6 this file is stored at /Users/<user name>/Library/Safari

In XP this file is stored at C:\Documents and Settings\<User name>\Application Data\Apple Computer\Safari

I use the mac application - property list editor to review plists, there are windows applications to do this as well.

Firefox v3.5.6 running in Mac OSX 10.6
Harry's paper applies here in the main.

The sessionstore.js file is stored at /Users/<User Name>/Library/Application Support/Firefox/Profiles/XXXXXXX.default