[Dshield] Forensics and hard drives

Brendan Dolan-Gavitt mooyix at gmail.com
Thu May 3 16:39:41 GMT 2007

Pasco can read index.dat files, wherever they're found. It can also be
run on UNIX systems, which is nice if your main analysis platform is
not Windows.



On 4/17/07, Kenneth Coney <superc at visuallink.com> wrote:
> I thank you for the suggestion.  I did indeed get Index.dat Analyzer and
> play with it a little.  It did find connection evidence on my laptop.
> However, like many of the tools I have examined in the past month it
> presumes the path to be examined is C:, and doesn't allow exam of
> another drive letter.  Since my examination is not on a live system,
> this will be one of the last tools used.
> I do like the Linux tools in Helix, but become a little frustrated at
> trying to export some of the results.  Time Analysis tells me
> 'permission denied, restricted file' every time I try to save the
> output, while I am at root status. Changing the file type from read to
> write is ignored.  My printer is too new for Linux to even see it.
> Aaargh..  New PCs lack a serial port so my old serial modem becomes
> useless as an output mechanism.  Again aargh.  Paper and pen copies of
> the entries result.
> I do not know why there isn't a similar time analysis tool capable of
> examining a slave drive on the Windows side of the Helix CD.  I am
> acquiring an impressive collection of tools designed for use on live
> systems, but only a few designed for examination of a Windows drive
> other than C:.  I have found several malwares on the suspect drive, so
> there is no way I am going to configure it as a boot drive for some time.
> Picture examination was a nightmare.   200 gigs, 34,000 Jpeg files.  I
> exported them with an Easeus tool to a different drive and found a cute
> free tool called "Disk Detective" that examines images for skin tone and
> shape.  That cut the workload down to only a few thousand images to look
> at.  Amazing how many cats flag as pornography colors and shapes.
> Smiling babies with faces filling the frame flag too.
> Just for kicks I ran a steg analysis tool on the 34,000 images and found
> nothing interesting beyond a lot of erased Efix data on the more
> interesting images when sector viewing in hex.   The Helix windows tool
> for pulling passwords off a C: drive is very impressive.  Scary too.  It
> only missed one password on my laptop but easily found the rest.  I look
> forward to trying that tool on the Subject drive.
> I ordered the CD library of file hashes ($90) and will run that file
> type exercise too when the CDs arrive.   Hopefully by then I will have
> figured out a way to make my Autopsy write results to something other
> than RAM.
> Interesting in that I have yet to find a tool that sees and flags
> encrypted virtual drives such as PC Dynamics 'Safehouse.'  If I didn't
> know it was there, just by running tools, I would have never seen it.
> Only when viewing the directory do I see it.  This raises the
> possibility that some of the large encrypted files I have found are
> similar utilities.  Hopefully the file type hash CDs will identify them.
> I suppose that sooner or later I will have to configure the drive as a
> C: drive in a dedicated box (hopefully not too different than the one it
> came out of (so as to minimize the found new hardware writes)), but for
> now I will stick with the tools designed to forensic a D: or M: slave
> drive.  I know the remote access erase business files deed was done, but
> with no trace of an active firewall log, I haven't identified the method
> yet.
> _________________________________________
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)

More information about the list mailing list