Wednesday, 8 February 2012

Adobe Bridge CS3 and some MySQL stuff

Like buses – you wait all day for one and then two come along at once!

A recent case involved a number of images found within a file entitled FileSystem_Nodes.MYD on an Apple Snow Leopard box. The indictment referred to each image by its file offset, and the date of the offence was particularised with an arbitrary date relating to the date of seizure. The forensic investigator had not presented any further evidence relating directly to the images. The path to FileSystem_Nodes.MYD was

~\Library\Caches\Adobe\Bridge CS3\Cache\data\BridgeStore\FileSystem_Nodes.MYD
and within the same folder were two other files of note: FileSystem_Nodes.MYI and FileSystem_Nodes.frm. As the path suggests, these files are used by the Adobe Bridge CS3 program (later versions work differently). Readers who are familiar with MySQL databases will recognise the .MYD, .MYI and .frm files as the constituent parts of a MyISAM table within a MySQL database: .MYD holds the row data ("my data"), .MYI holds the index ("my index") and .frm is the definition of the table.
Adobe Bridge CS3 stores thumbnail and preview images as Binary Large Objects (BLOBs) within this MySQL database. Both kinds of image can be seen in Figure 1: the highlighted picture of a giraffe in the filmstrip at the bottom of the screenshot is a thumbnail, and the larger representation of the same picture in the centre of the screenshot is a preview.
Figure 1
I was tasked with ascertaining more information about each picture located within the FileSystem_Nodes.MYD file. In order to do this:

  • I installed MySQL version 5.5.20 on a test Apple iMac running Snow Leopard (I would expect that a MS Windows version would work just as well).  

  • Once installed I made sure that the MySQL database server was not running. If you have installed the Mac version of MySQL this is easy to do, because an option to toggle the server on or off is added to the Mac's System Preferences; on a Windows box I would probably install MySQL Administrator and use that program to turn the database server on or off.

  • Then I copied the BridgeStore folder into the default location for MySQL databases, which on my Mac was Macintosh HD\usr\local\mysql-5.5.20-osx10.6-x86\data, and started the MySQL database server.

  • Using MySQL Administrator I could view some information relating to the BridgeStore database

Figure 2

  • We now need to query the database and also be able to view and save out the relevant BLOBs. To do this I used a utility called RazorSQL. On the menu bar of this program there is a Connections option. Select this and then Add Connection Profile. Work through the wizard; the bulk of the configuration can be seen in Figure 3.
Figure 3

  • When you are connected you can enter queries in the top right hand pane.

  • The query show columns from FileSystem_Nodes tells us that each record within the table has 52 fields, as shown in Figure 4.
Figure 4

  • The fields of particular interest are displayPath, created, thumbnail and preview.

  • Other useful SQL queries include Select * from FileSystem_Nodes and Select id, displayPath, created from FileSystem_Nodes.

  • To view the thumbnail or preview BLOBs, execute a SQL query such as one of the examples above and in the results pane scroll across to the preview or thumbnail column. Once there, select a cell containing an ASCII representation of the binary BLOB data, right-click and select Binary Data Editor; in the resulting window click the View Image button.

In summary, using this method it was possible to establish the original path (displayPath) and creation date (created) for each picture carved from the FileSystem_Nodes.MYD file.
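Saving BLOBs cell by cell through a GUI does not scale to a table with many rows, so here is an added example (my own code, not part of the original post and not Adobe or RazorSQL tooling) of doing the same job programmatically: pull id, displayPath, created, thumbnail and preview from FileSystem_Nodes, write every BLOB to disk with an extension derived from its magic bytes rather than from displayPath, and record a SHA-256 manifest so each exported file can be tied back to the row it came from. It assumes the copied BridgeStore database is being served by a local MySQL server, that mysql-connector-python is installed for the live connection, and that the column names are those shown in Figure 4; the SAMPLE_ROWS are constructed data so the export and verification can be exercised offline.

```python
"""Bulk export of Adobe Bridge CS3 thumbnail and preview BLOBs from the
BridgeStore.FileSystem_Nodes table, with a SHA-256 manifest.

Assumes mysql-connector-python for the live connection; everything else is
standard library. SAMPLE_ROWS is constructed test data, not real evidence.
"""
import csv
import hashlib
import os
import tempfile
from datetime import datetime

# Columns named on the page (Figure 4): id, displayPath, created, thumbnail, preview.
EXPORT_QUERY = (
    "SELECT id, displayPath, created, thumbnail, preview "
    "FROM FileSystem_Nodes ORDER BY id"
)

# Magic bytes -> extension. The extension comes from the BLOB's own header,
# not from displayPath, so a mislabelled cache entry still gets a truthful name.
MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"BM", "bmp"),
)

MANIFEST_FIELDS = ("id", "kind", "displayPath", "created", "file", "size", "sha256")


def sniff_extension(blob: bytes) -> str:
    """Return an extension based on the BLOB's leading bytes ('bin' if unknown)."""
    for magic, ext in MAGIC:
        if blob.startswith(magic):
            return ext
    return "bin"


def fetch_rows(host="127.0.0.1", user="root", password="", database="BridgeStore"):
    """Pull every row from the live table as a list of 5-tuples.

    The driver import is deferred so export_blobs/verify_manifest below run
    without a database installed (e.g. against SAMPLE_ROWS).
    """
    import mysql.connector  # assumption: mysql-connector-python is installed

    conn = mysql.connector.connect(host=host, user=user, password=password, database=database)
    try:
        cur = conn.cursor()
        cur.execute(EXPORT_QUERY)
        return cur.fetchall()
    finally:
        conn.close()


def export_blobs(rows, out_dir=None):
    """Write each non-empty thumbnail/preview BLOB to out_dir; return the manifest.

    Files are named by row id and column, never by displayPath: a path stored
    in evidence must not be allowed to steer where we write on the examiner's box.
    """
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="bridgestore_")
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for row_id, display_path, created, thumbnail, preview in rows:
        for kind, blob in (("thumbnail", thumbnail), ("preview", preview)):
            if not blob:
                continue
            data = bytes(blob)  # the driver may hand back bytearray
            path = os.path.join(out_dir, f"{row_id}_{kind}.{sniff_extension(data)}")
            with open(path, "wb") as fh:
                fh.write(data)
            manifest.append({
                "id": row_id,
                "kind": kind,
                "displayPath": display_path,
                "created": created.isoformat() if isinstance(created, datetime) else str(created),
                "file": path,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    with open(os.path.join(out_dir, "manifest.csv"), "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=MANIFEST_FIELDS)
        writer.writeheader()
        writer.writerows(manifest)
    return manifest


def verify_manifest(manifest) -> bool:
    """Re-read every exported file and confirm it still hashes to the recorded value."""
    for entry in manifest:
        with open(entry["file"], "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                return False
    return True


# Constructed sample rows standing in for a real result set: a JPEG-headed
# thumbnail with a PNG-headed preview, and a non-image entry with no preview.
SAMPLE_ROWS = [
    (1, "/Users/demo/Pictures/giraffe.jpg", datetime(2011, 6, 14, 9, 30),
     b"\xff\xd8\xff\xe0" + b"\x00" * 12, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    (2, "/Users/demo/Documents/notes.txt", datetime(2011, 6, 15, 17, 5),
     b"not an image", None),
]

if __name__ == "__main__":
    # Replace SAMPLE_ROWS with fetch_rows() once the copied BridgeStore folder is served by MySQL.
    for entry in export_blobs(SAMPLE_ROWS):
        print(entry["id"], entry["kind"], entry["displayPath"], entry["created"], entry["sha256"])
```

The manifest.csv written alongside the images carries id, displayPath, created and the hash of each file, which is exactly the information needed to particularise a charge per image. If you would rather stay inside SQL, MySQL's own SELECT preview FROM FileSystem_Nodes WHERE id = 1 INTO DUMPFILE '/path/to/out' writes a single BLOB server-side per statement, but it needs the FILE privilege and only gives you one file per query, with no hashing.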




Anonymous said...

Good to see you back Richard. Would there be a way of mass exporting the BLOBs as files, similar to what you can do with SQLite files using the method outlined in Zdziarski's iPhone Forensics book?

I'm surprised to see a software product still using MySQL! Thought everything would be Oracle or SQLite now.

Tom Harper said...

You can also use this technique to view the BLOB data in a SQLite database, once you have exported the table containing the data to a format recognized for import by MySQL. It's a great workaround if you don't have a commercial tool that will allow you to view the SQLite db natively. Using phpMyAdmin will also render encoded HTML within the data fields when a table is viewed in a web browser. Great post!