Comments feed for "Forensics from the sausage factory" (blog author DC1743, http://www.blogger.com/profile/14186532367794900206), last updated 2023-06-26. Newest comments first.

David Brown, 2015-03-17 09:58 +00:00:
Thank you Richard, worked a treat and the instructions were extremely clear.

Anonymous (signed "Lewy"), 2015-01-29 10:50 +00:00:
Hi Richard - just spied this on a Google search - could you send me a copy? david.g.lewis@uk.tesco.com
Thanks.
Lewy

Anonymous, 2014-09-28 21:51 +01:00:
Thank you kind sir or madam for your research - it helped me a lot!

guin, 2013-10-23 10:22 +01:00:
Very good.
How did you identify the distro which had the drivers for HP controllers?

guin, 2013-10-23 10:21 +01:00:
Very good.
How did you identify the distro which had the driver for the HP controllers?

Anonymous, 2013-08-24 12:32 +01:00:
I followed this and got very confused when I got to the rational hex. Great tutorial otherwise. One thing to note: when you look for an offset from MM (4D4D), I found I had to look for a relative offset with a decimal number, e.g. relative offset 594. If I tried looking for relative offset 0x594, it messed up.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2013-06-28 16:10 +01:00:
I know it's well after the fact, but I looked these up on Win7, and they have an entirely different format now...

Belushi (https://www.blogger.com/profile/05601755010019066815), 2013-03-12 11:39 +00:00:
Interesting article.
Where did you get the ideas from?

satishb3 (http://www.securitylearn.net), 2013-03-05 04:33 +00:00:
I've always used the EXIF extractors to find the GPS info. Good to know the internal details. Nice write-up.

shooflypie (https://www.blogger.com/profile/06925882757010789490), 2013-01-21 10:42 +00:00:
There is a free tool for mapping shadow copies at http://code.google.com/p/shadow-map/

Anonymous, 2013-01-09 16:08 +00:00:
You can use dd & gzip and just pipe them both through SSH.

dd if=/dev/sda | gzip | ssh user@backup.remotehost.com dd of=/backup/drive.img.gz

Anonymous (signed "Paul"), 2012-05-15 12:54 +01:00:
Excellent post.
Just a bit of fine tuning... Would it be possible to run the stream through a compression tool like gzip before piping it over the network, then decompressing it at the other end before storing it? It may seem like a lot of trouble, but if the bottleneck is the network transfer rate then piping less data over it may speed things up even more. I suspect that processing speeds to compress/decompress will easily keep up (unless the server is really old).
Paul

Tom Harper (https://www.blogger.com/profile/08988204624285498870), 2012-02-11 15:53 +00:00:
You can also use this technique to view the blob data in a SQLite database, once you have exported the table containing the data to a format recognized for import by MySQL. It's a great workaround if you don't have a commercial tool that will allow you to view the SQLite db natively. Using phpMyAdmin will also render encoded HTML within the data fields when a table is viewed in a web browser. Great post!

Anonymous, 2012-02-09 00:49 +00:00:
Good to see you back Richard. Would there be a way of mass exporting the blobs as files, similar to what you can do with SQLite files using the method outlined in Zdziarski's iPhone Forensics book?
I'm surprised to see a software product still using MySQL! Thought everything would be Oracle or SQLite now.

PC Guru Austin TX (https://www.blogger.com/profile/08726392024685446749), 2012-01-22 01:10 +00:00:
To clarify, shadow copies in Vista and Win7 are very useful for forensics, but only provided that you are aware of how they work. A "shadow copy" when first created is not really a copy of anything but just a set of pointers back to the real drive. Then, as blocks are overwritten, the original data (as at the time of the "snapshot") is stored in the diffs file.
Once it has stored a particular 16k block in the diffs file, Snapvol knows it does not need to store another copy if it changes again - it only cares about the contents at the time of the snapshot.
For efficiency, one of the developers of Snapvol told me that it does not bother to preserve the content of blocks which at the time of the snapshot were marked as free space, or those which were used by the swap file or hibernate file. So, as you noted, a search of "free space" in the shadow copy is pointless, as it will just show the current contents of that area of the drive. There is also a registry key which lists other files (such as Temp files) that should be treated the same way - not exactly sure how this is implemented, but it seems that it marks any 16k block which is only occupied by these files as if it were free space.

Although Microsoft's documentation is silent or misleading (for example saying that previous versions of users' files are only stored in Vista Business and above), the System Protection shadow copies contain the entire drive in all versions of Vista/Win7, including Home editions. So anyone trying to "secure erase" incriminating files will likely be unaware that he just copied them to the diffs file for you to find.
Finally, a very nice feature of Shadow Copies is that they may enable you to find the file name and path of objects of interest that you first found using a scan of free space.

Bojan (https://www.blogger.com/profile/11473754625835574823), 2011-10-13 14:49 +01:00:
Thank you very much. You have just jailed one pedophile.
Best regards from Banja Luka.
Bojan

Anonymous (signed "Ian"), 2011-09-01 10:12 +01:00:
Although this post is somewhat dated now, I would just like to say thanks... I continue to use this methodology and it's helped in countless cases.
Keep up the good work.
Ian

DBC (https://www.blogger.com/profile/07469238510438525565), 2011-05-11 03:37 +01:00:
Great work on these database files. I wish I had this a month ago when I was digging through the same processes to carve out records from unalloc.

Pernille (https://www.blogger.com/profile/00142118912883771649), 2011-05-10 21:20 +01:00:
This comment has been removed by the author.

Anonymous (signed "James"), 2011-05-05 18:54 +01:00:
Thanks Richard,
I didn't read the SQL record format paper through the first time. I just finished working on a 'variable length integer' decoder function - nightmare!
Regards,
James

Anonymous (signed "Steve"), 2011-05-05 18:09 +01:00:
Great post. Thanks for taking the time to post this and the previous one. I just finished working a case involving an iPhone and this has helped explain things. I may actually go back and take another look at it.
-Steve

DC1743 (https://www.blogger.com/profile/14186532367794900206), 2011-05-04 23:02 +01:00:
With regards to the Chrome example, your Huffman decoding is incorrect. Because 0x81 is greater than 128 you have to take into account the next byte 0x11. Call these bytes x and y and use the formula (x - 128) x 128 + y to calculate N.

(129 - 128) x 128 + 17 = 145

Then use the formula you used, (N - 13)/2:

(145 - 13)/2 = 66

DC1743 (https://www.blogger.com/profile/14186532367794900206), 2011-05-04 12:18 +01:00:
This post was intended to be generic and cover all potential SQLite databases. Carving individual records may be successful where all the required information is within one table.
Richard

Anonymous (signed "James"), 2011-05-04 10:54 +01:00:
Looking into this a bit further, is it possible that Chrome uses a modified record structure? The following test data from a history record doesn't make sense against the spec:

0A 00 81 11 0D 01 01 06 01 01 68 74 74 70 3A 2F 2F 77 77 77 2E 6F 70 65 72 61 2E 63 6F 6D 2F 64 6F 77 6E 6C 6F 61 64 2F 67 65 74 2E 70 6C 3F 69 64 3D 33 33 34 32 33 26 74 68 61 6E 6B 73 3D 74 72 75 65 26 73 75 62 3D 74 72 75 65 00 00 00 2D FD 09 83 93 96 00 01 00

The \x81 gives a field length of (129 - 13) / 2 = 56. However, the actual string in there is "http://www.opera.com/download/get.pl?id=33423&thanks=true&sub=true", which is longer at 66!
However, Firefox SQLite records can be carved easily from their headers.
Regards,
James

Anonymous (signed "James"), 2011-05-04 10:22 +01:00:
Welcome back and fascinating post - thanks!
One comment: wouldn't it be easier to carve individual records, since the headers are fairly well defined for each database type AND you will get complete records out rather than partial pages, possibly in the wrong order?
I think a carver for records would be fairly easy.
Regards,
James
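The arithmetic in Richard's reply to James (0x81 0x11 read as a two-byte value 145, then (145 - 13)/2 = 66) is SQLite's varint and serial-type encoding for a record header, and the same rules decode the rest of the record James pasted. The Python below is an added example written for this thread, not code from the blog post or from any commenter. It parses James's bytes end to end. Two things in it are assumptions not stated in the thread: the column names, taken from the Chrome History 'urls' schema of that period, and the reading of the 8-byte integer column as a WebKit/Chrome timestamp (microseconds since 1601-01-01), which is used only as a sanity check on the decode.

```python
"""Decode a raw SQLite table-leaf record (header varints + payload).

Added example for this comment thread, not code from the blog post or its
commenters.  SAMPLE is the cell body James posted for a Chrome History row;
COLUMNS are assumed from the Chrome 'urls' schema of that era, and treating
last_visit_time as a WebKit/Chrome timestamp is likewise an assumption.
"""
import struct
from datetime import datetime, timedelta, timezone

# Assumed column order for Chrome's History 'urls' table (not in the thread).
COLUMNS = ["id", "url", "title", "visit_count", "typed_count",
           "last_visit_time", "hidden", "favicon_id"]

# James's posted bytes: 10-byte header, the 66-byte URL, then the remaining
# fixed-size integer columns.  The URL is written as text here instead of
# retyping its hex listing; the bytes are identical.
SAMPLE = (bytes.fromhex("0A 00 81 11 0D 01 01 06 01 01")
          + b"http://www.opera.com/download/get.pl?id=33423&thanks=true&sub=true"
          + bytes.fromhex("00 00 00 2D FD 09 83 93 96 00 01 00"))

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 payload bits per byte while the high bit
    is set, at most 9 bytes (the 9th contributes all 8 bits).  For the
    two-byte case this is exactly Richard's (x - 128) * 128 + y."""
    value = 0
    for i in range(9):
        b = buf[pos + i]
        if i == 8:
            return (value << 8) | b, pos + 9
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            return value, pos + i + 1
    raise ValueError("unterminated varint")


def serial_type_info(st):
    """Serial type code -> (kind, payload length in bytes)."""
    fixed = {0: ("NULL", 0), 1: ("INT", 1), 2: ("INT", 2), 3: ("INT", 3),
             4: ("INT", 4), 5: ("INT", 6), 6: ("INT", 8), 7: ("FLOAT", 8),
             8: ("ZERO", 0), 9: ("ONE", 0)}
    if st in fixed:
        return fixed[st]
    if st in (10, 11):
        raise ValueError("reserved serial type %d" % st)
    if st % 2 == 0:
        return "BLOB", (st - 12) // 2      # even codes >= 12 are blobs
    return "TEXT", (st - 13) // 2          # odd codes >= 13 are text


def decode_record(cell):
    """Return a list of (kind, value) per column from one record body."""
    header_len, pos = read_varint(cell, 0)   # length includes this varint
    serial_types = []
    while pos < header_len:
        st, pos = read_varint(cell, pos)
        serial_types.append(st)
    values, body = [], header_len
    for st in serial_types:
        kind, length = serial_type_info(st)
        raw = cell[body:body + length]
        if len(raw) != length:
            raise ValueError("record truncated in column %d" % len(values))
        if kind == "NULL":
            val = None                      # e.g. an INTEGER PRIMARY KEY alias
        elif kind == "INT":
            val = int.from_bytes(raw, "big", signed=True)
        elif kind == "ZERO":
            val = 0
        elif kind == "ONE":
            val = 1
        elif kind == "FLOAT":
            val = struct.unpack(">d", raw)[0]
        elif kind == "TEXT":
            val = raw.decode("utf-8", "replace")
        else:
            val = raw
        values.append((kind, val))
        body += length
    return values


def chrome_time(microseconds):
    """WebKit/Chrome timestamp: microseconds since 1601-01-01 UTC (assumed)."""
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def decode_chrome_urls_row(cell):
    """Decode a 'urls' cell into a dict keyed by the assumed column names."""
    row = dict(zip(COLUMNS, (v for _, v in decode_record(cell))))
    row["last_visit_time_utc"] = chrome_time(row["last_visit_time"]).isoformat()
    return row


if __name__ == "__main__":
    for name, val in decode_chrome_urls_row(SAMPLE).items():
        print("%-20s %r" % (name, val))
```

Run as a script it lists the eight columns: a NULL for the rowid-aliased id, the 66-character URL, an empty title, two zero counts, the 8-byte timestamp, hidden = 1 and favicon_id = 0. When carving records out of unallocated space, the header-length varint and the sum of the serial-type lengths give the expected cell size, which is a cheap check that a candidate header is real before trusting the decoded fields.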
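Two of the older comments concern the EXIF GPS post: one on finding GPS data without an extractor, and one on the RATIONAL values and on entering offsets from the MM (4D4D) byte order mark as decimal relative offsets. Both come down to the same rule: every IFD and value offset in a TIFF/Exif block counts from the byte order mark, not from the start of the JPEG file. The Python below is an added example for this thread, not code from the blog post. It constructs a minimal JPEG with a big-endian Exif APP1 segment (the coordinates and layout are invented for the example), then walks IFD0 to the GPS IFD and converts the degree/minute/second RATIONALs to decimal degrees, reporting the relative and absolute offsets so they can be checked against a hex editor.

```python
"""Resolve TIFF/Exif IFD offsets relative to the 'MM' (0x4D4D) byte order
mark and pull GPS coordinates out of RATIONAL values.

Added example for the EXIF/GPS comments, not code from the blog post.
The JPEG/Exif bytes are constructed here and the coordinates are invented.
"""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # Exif data types
GPS_IFD_POINTER = 0x8825


def build_sample_jpeg():
    """SOI + APP1 'Exif' segment holding a big-endian TIFF header, one IFD0
    entry (the GPS IFD pointer) and a GPS IFD with Ref + RATIONAL DMS tags.
    Offsets inside the TIFF block are relative to 'MM', as the format
    requires: IFD0 at 8, GPS IFD at 26, rational data at 80 and 104."""
    def entry(tag, typ, count, value_or_offset):
        return struct.pack(">HHII", tag, typ, count, value_or_offset)

    def inline_ascii(text):          # values of <= 4 bytes live in the entry
        return int.from_bytes((text.encode() + b"\x00").ljust(4, b"\x00"), "big")

    def rationals(pairs):
        return b"".join(struct.pack(">II", n, d) for n, d in pairs)

    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    ifd0 = struct.pack(">H", 1) + entry(GPS_IFD_POINTER, 4, 1, 26) + struct.pack(">I", 0)
    gps = (struct.pack(">H", 4)
           + entry(0x0001, 2, 2, inline_ascii("N"))     # GPSLatitudeRef
           + entry(0x0002, 5, 3, 80)                    # GPSLatitude, 3 RATIONALs
           + entry(0x0003, 2, 2, inline_ascii("W"))     # GPSLongitudeRef
           + entry(0x0004, 5, 3, 104)                   # GPSLongitude, 3 RATIONALs
           + struct.pack(">I", 0))
    # Invented position: 51 deg 30' 26.5" N, 0 deg 7' 39" W
    data = rationals([(51, 1), (30, 1), (265, 10)]) + rationals([(0, 1), (7, 1), (39, 1)])
    app1 = b"Exif\x00\x00" + tiff + ifd0 + gps + data
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1


def find_tiff_start(data):
    """Absolute file offset of the byte order mark (MM or II); every IFD and
    value offset in the Exif block is relative to this position."""
    for mark in (b"MM\x00\x2a", b"II\x2a\x00"):
        pos = data.find(mark)
        if pos >= 0:
            return pos
    raise ValueError("no TIFF header found")


def read_ifd(data, tiff_start, rel_off, end):
    """Return {tag: (type, count, raw_value_bytes)} for the IFD at rel_off."""
    base = tiff_start + rel_off
    n, = struct.unpack(end + "H", data[base:base + 2])
    entries = {}
    for i in range(n):
        e = data[base + 2 + 12 * i: base + 14 + 12 * i]
        tag, typ, count = struct.unpack(end + "HHI", e[:8])
        size = TYPE_SIZES[typ] * count
        if size <= 4:
            raw = e[8:8 + size]
        else:
            value_off, = struct.unpack(end + "I", e[8:12])   # relative to 'MM' again
            raw = data[tiff_start + value_off: tiff_start + value_off + size]
        entries[tag] = (typ, count, raw)
    return entries


def extract_gps(data):
    """Decimal-degree lat/lon plus the offsets involved, for cross-checking
    in a hex editor (which wants the relative offsets typed as decimal)."""
    tiff_start = find_tiff_start(data)
    end = ">" if data[tiff_start:tiff_start + 2] == b"MM" else "<"
    ifd0_off, = struct.unpack(end + "I", data[tiff_start + 4:tiff_start + 8])
    ifd0 = read_ifd(data, tiff_start, ifd0_off, end)
    gps_off, = struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])
    gps = read_ifd(data, tiff_start, gps_off, end)

    def dms(tag, ref_tag):
        nums = struct.unpack(end + "II" * 3, gps[tag][2])
        d, m, s = (n / q if q else float("nan") for n, q in zip(nums[::2], nums[1::2]))
        ref = gps[ref_tag][2].rstrip(b"\x00").decode("ascii")
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return {"tiff_start": tiff_start,
            "gps_ifd_relative": gps_off,            # 26 here, i.e. 0x1A
            "gps_ifd_absolute": tiff_start + gps_off,
            "latitude": round(dms(0x0002, 0x0001), 6),
            "longitude": round(dms(0x0004, 0x0003), 6)}


if __name__ == "__main__":
    print(extract_gps(build_sample_jpeg()))
```

In the constructed file the byte order mark sits at file offset 12, so the GPS IFD pointer value 26 means absolute offset 38; a hex editor asked for "relative offset 26" from the MM bytes lands on it, while typing 0x26 (decimal 38) as a relative offset does not. Each RATIONAL is two unsigned 32-bit integers, numerator then denominator, which is why the seconds field 265/10 decodes to 26.5.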