Author Archives: Guest Blogger

9 Vendors of Digital Forensics You May Have Missed. Part 2

In the previous post we talked about 010 Editor, Event Log Explorer, ElcomSoft and Oxygen forensic solutions. In this blog post, we continue the brief review of prominent forensic tools.

Next on our list is Belkasoft.

Belkasoft Evidence Center 2016

Belkasoft Evidence Center is an all-around forensic solution to pinpoint, extract and review digital evidence stored on desktop computers, laptops and mobile devices.

The Belkasoft product supports a wide range of devices. It can parse physical and logical drives, virtual machines, mobile device backups, JTAG, UFED images and chip-off dumps. Belkasoft Evidence Center performs an automated search for evidence and seamlessly identifies 700+ types of digital artifacts. Once the search is over, you can apply various filters for more granular results.

Belkasoft restores damaged or incomplete SQLite databases, and retrieves removed records and cleared history. It can glean crucial information from online chats and social networks, private browsing sessions, cleared browser history, cloud usage history, and more.

SQLite, Registry, and PList viewers enable the user to target specific data types and, ultimately, get more evidence than an automatic search would unveil. Other in-built analysis tools include File System Explorer, Hex Viewer and Type Converter for multi-aspect low-level examination of the content.

Belkasoft Evidence Center is deeply integrated with EnCase Version 7. This enables forensic investigators to obtain a multitude of evidence types supported by Evidence Center through the familiar EnCase interface. The integration is made possible with the free “BelkasoftDataImport” plugin.

Rusolut’s Visual Nand Reconstructor

Rusolut is a manufacturer of Visual Nand Reconstructor (VNR), a comprehensive hardware and software data recovery and forensic analysis solution for damaged flash devices. The Reconstructor allows you to retrieve data from a multitude of Flash memory formats. The unique feature of Rusolut’s product is the ability to automate data structure recognition and dramatically speed up the recovery process.

The embedded base of NAND chips and controller configurations caters to most known chips. The database is subject to regular updates by the Rusolut team and their tech partners. A built-in file system viewer operates with the most commonly used file systems – FAT and NTFS.

VNR makes reverse engineering easy with special modes of data visualization and multi-tier descriptions of image structure. The special scrambler extraction mode enables successful data decryption even with new devices.

Despite its complex functionality, VNR offers a user-friendly interface with unified controls to help restore and analyze data in a more efficient manner. These include automatic analysis features that facilitate image reconstruction and data recovery. Check out the elaborate documentation to see if your investigation finds the right solution with Rusolut.

Passware Kit Forensic

Passware focuses on password recovery and caters to numerous use cases. Its Kit Forensic is a comprehensive evidence discovery solution that detects and decrypts all password-protected items on a computer.

Passware helps to recover or reset passwords for 200+ document types, including Windows, Word, Excel, QuickBooks, Access, Acrobat, etc. Kit Forensic scans for encrypted evidence, and performs live memory analysis and batch processing.The software works smoothly with BitLocker, TrueCrypt, FileVault2 and PGP; it supports GPU, TACC, Distributed Computing, and Rainbow Tables. Kit Forensics integrates easily with Guidance EnCase v7 in case the user needs to match collected data across two systems.

Check out the references and learn how Passware tools have resolved real situations; for instance, their operations on cracking otherwise undecipherable passwords in child pornography cases. In those projects, Passware helped investigators from the Swedish and US police forces with equally successful results.

Passcovery

Passcovery Co. Ltd. offers forensics, corporate and home users performance-driven password recovery.

Their flagship Passcovery Suite successfully operates with Microsoft Office, OpenOffice, PDF, ZIP/RAR, iOS/Blackberry back-ups, TrueCrypt volumes and WPA/WPA2 handshakes. The Suite uses an embedded macro language for sophisticated password generation assignments. The key focus of Passcovery is fast retrieval of data. The software boasts great recovery speeds, as well as optimization for AMD/ATI and NVIDIA video cards. Passcovery detects your CPU type and operates accordingly to deliver optimal performance. Whenever possible, it employs GPU password recovery with AMD and NVIDIA video cards.

Plus, Passcovery can leverage multiple video cards at the same time.

PasswordLastic

PasswordLastic is another password retrieval solution focused on Microsoft Windows and Office products.

The tool offers an online password cracking service that helps to crack Word and Excel documents in no time. Office Password Recovery Lastic supports MS Word, Excel, PowerPoint, Outlook and Access files, as well as embedded VBA projects.

Windows Password Recovery Lastic helps to restore access to the operating system. Run the software on an available computer and create a bootable USB stick or CD/DVD. Boot from it on the required computer and reset the password for any of the previous accounts. Plus, the program saves password hashes for in-depth cracking and recovery of previously removed passwords.

Other standalone versions cater to Outlook, Excel, Word and VBA projects. Easy-to-use and effective tool for average users and forensic experts alike.

Bottom line

If you are interested in professional forensic tools, make sure you research the market. Digital forensics is entering a golden era in terms of technology, and the offering is abundant, so define your goals and budget first, then determine which one addresses your particular investigative needs.

9 Vendors of Digital Forensics You May Have Missed. Part 1

Looking for a solid solution to unravel computer-stored evidence? Need a deeper insight into what’s happening on your PC or a suspect’s device, looking to restore or crack an essential password? Check out this brief review of unheralded yet powerful forensic tools.

The most common definition of computer forensics is the procedure of detecting and analyzing evidence collected from digital media, i.e. hard drives, portable devices, etc. Digital evidence should be handled carefully. Incapable hands may ruin crucial data so it becomes incomplete, compromised or unfit for further investigation. In order to help automate forensics, the computer science and software industry has come up with a plethora of professional programs. Police departments, investigation agencies and enterprises across the globe employ IT forensic tools at scale and face an overchoice of available solutions.

Computer forensics embraces different software categories. Broadly defined, it not only includes file viewers/analysis and disk and data capture tools, but also email analysis, registry forensics, network and database forensics, event log analysis, password recovery, mobile device analysis and other solution types.

Some of these, like EnCase and FTK, are globally acknowledged within the forensics community and power users. EnCase encompasses a whole suite of digital investigation solutions. These include products for forensics, e-discovery, cyber security and security analytics purposes. Data restored by EnCase have been used as evidence by multiple court systems, e.g., in the cases of the BTK Killer and the murder of Danielle van Dam.

FTK by AccessData also fits perfectly into forensic experts’ inventory. FTK Imager, a well-known data preview and imaging program, enables the user to analyze files and folders on local HDDs, network drives, and CDs/DVDs.

Other tools reveal and prove great technological potential, taking ever growing popularity among dedicated experts. And we’d like to take a closer look at a few more forensic solutions, highly recommended to add to your computer forensic arsenal. A disclaimer: we are rolling out the tools in random order so there is no rating associated with the review.

Tools

010 Editor

010 Editor is a professional text/hex editing software program by SweetScape.

The program allows you to edit any file, drive or process on the computer. Using binary templates, 010 Editor can help parse a binary file into an intelligible data structure. The software includes standard editing functionality with Cut, Copy and Paste commands, as well as support for large files and unlimited Undo/Redo actions.

010 is, in fact, a suite of editing tools. The Text Editor works with text files, XML, HTML, Unicode, UTF-8 files, C/C++ source code, etc. The Hex Editor helps the user to edit binaries and interpret binary data. The Process Editor investigates and modifies memory in running processes. The Disk Editor scans your hard drive, memory keys, flash drives, and CD-ROMs for issues, and provides immediate troubleshooting. 010 Editor allows you to analyze and edit binary files with advanced tools: Full Find, Replace, Find in Files, and Replace in Files functionality for various data types. You can also perform binary comparison, count byte occurrences and visualize data.

Event Log Explorer

Event Log Explorer by FSPro Labs is an advanced software solution for event analysis. The tool provides a deep insight into Microsoft Windows/Windows Server system logs, and covers all aspects missed by the standard Event Viewer.

The program collects valuable evidence by reviewing events registered by the operating system.

Users can consolidate events from multiple sources (event logs or files) into a single view – a dramatically important feature for timeline analysis. You can filter events by any relevant criteria using predefined filters or ample custom options, including regular expressions for event description.

Event Log Explorer provides direct access to EVT and EVTX files (without Windows API). This feature enables the user to view even corrupt event logs or read EVTX files under Windows XP.

In case you need to match event logs with other forensic tasks (e.g. timeline analysis), Event Log Explorer offers the Export Events feature. Events can be exported to multiple formats including HTML, Excel or text.

When you work with event log files, a computer may be lacking text descriptions of analyzed events. Event Log Explorer enables the user to retrieve event descriptions from another source.

Another forensic issue solved by this software is time correction. In the course of an investigation, you may encounter event logs from different time zones. The time zone correction feature helps you make necessary modifications and unify collected data.

Event Log Explorer fits a broad audience, including IT forensics, system administrators, security audit agents, in-house R&D, etc.

ElcomSoft solutions

ElcomSoft presents a product line aimed at forensic experts, law enforcement, military, and intelligence agencies. One of ElcomSoft’s core competencies is password cracking.

The Password Recovery Bundle enables authorized organizations and individuals to unlock disks, encrypted files and documents protected with publicly available applications. Another solution by ElcomSoft – iOS Forensic Toolkit – enables the user to acquire precise images of iOS devices. You can get access to all passwords and encryption keys on a select device and decrypt the image of its file system. iOS Forensic Toolkit also provides a passcode retrieval option to access passcode-protected evidence.

ElcomSoft Phone Breaker helps to establish access to password-protected iOS backups, Apple iCloud, Windows Phone and BlackBerry 10 backups. The tool supports fast and handy logical acquisition of data, restores the original password with GPU acceleration or helps retrieve data directly from the cloud.

A couple of years ago, ElcomSoft got overwhelming coverage in global news when its software was misused by hackers to expose a celebrity’s nude selfies grabbed from Apple iCloud. Paradoxically, the FBI and CIA tend to employ the same tools for their causes.

Oxygen Forensic Suite

Oxygen Forensic Suite is a solution designed to collect evidence from mobile devices to support your investigation cases. The software gathers versatile data (OS, manufacturer, IMEI number, serial number), messages (SMS, MMS, email) and contacts.

Using Oxygen Suite, you can recover removed messages, call logs and calendar info, as well as access mobile device data and documentation. All gleaned information can be visualized in granular reports, in case you need to see the big picture.

Unlike many competitors who focus on market leaders only, Oxygen Forensic Suite supports a large number of devices based on iOS, Android, Windows Phone, BlackBerry and Symbian operation systems. Similar to ElcomSoft, Oxygen provides cloud-forensics services acquiring data from iCloud, Google and Microsoft Live. Oxygen Forensic Suite is easy to use, yet offers powerful controls, such as the ability to pull data from multiple mobile devices at the same time.

As with many forensic tools, Oxygen provides a timeline feature to glean the culprit’s habits, whereabouts and communications prior to or during the incident. In addition, the Social Graph feature helps to quickly detect evidence and unveil social connections between multiple devices. Oxygen supports data parsing for 300+ unique apps to analyze communication and shared content, and effectively recovers SQLite database records.

These four merited solutions conclude the first part of our forensic tool roundup. The review is to be continued in the next blog posting. Stay tuned for Part 2, and feel free to share your feedback!

Troubleshooting knowledge base

Some of us have dealt with the frustration of dealing with a problem we know we’ve experienced before, but didn’t register it properly.

The outcome? We do it all over again, and basically, waste time and past effort. A good record of an analysis and key events can save a lot of time.

Most of the internal knowledge bases used by companies, small and large, have the same basic and fundamental building block: they aim to map a set of keywords to a specific issue and it’s solution.

How could this work for you, and how does this relate to the windows log file?

Quite simply, you can build you own Knowledge Base, using the event information you are analyzing.

If you are looking at a windows log file, either something is wrong, you are careful and do regular check to prevent problems, or you are interested in understanding the flow of events in your operating system (also, you have quite a bit of time on your hands).

I will assume you are with the majority, you are looking at a windows log file because something is wrong.

Something you will find very useful in the future is a clear description of the problem, and its solution. If it never happens again, great! But if it does, you will at least know what you did to solve it. You can even learn that your solution wasn’t the best, and that is why it happened again, therefore it’s a good time to review that solution.

A good method for taking record of issues using windows log file analysis involves choosing the words that describe the problem, and choosing the events ID to associate with that problem.

The best way to illustrate this is a real-life experience:

A SQL Express database has maximum size of 10GB.

When full, it stops and an error is logged.

The vCenter software (installed in Windows 2008) uses a SQL Express database by default, and has a defined number of days to keep history, etc, all thing that can lead to the use of the 10GBs

When vCenter fails, the error is not registered as an SQL database error, but as a SQL connection error.

The first time you solve such problem, which is actually simple to solve, you must shrink the Database or move the database to a full SQL server, you need more time to understand what’s really causing the issue, For you, the issue isn’t called “SQL Express problems”. The issue is called “can’t access vCenter”. How do we relate both?

The easiest way is to actually tell a story, explain in detail what you are seeing and how you are interpreting it, what events you are analyzing, and what actions you are taking.

After you solved the problem, you should review all the information, organize it, and make sure it is accurate and easy to understand. You should by now have a good description of the issue, with some key words or sentences associated with it, and the event IDs and details that were important to the solution.

For the issue in my example, I would have a Knowledge base entry named “Can’t access vCenter” with associated tags “database access, SQL Express, database limit, windows 2008, connection error” and in the description of the entry I would have all the events that were relevant in my investigation, and the detailed description of my investigation. I would also provide links to external articles and eventually some cases in which the events would lead up to different issues.

Having a solid documentation of this issue means that in the future, if this happens again, I can just lookup the work vCenter, find this article, verify that the events in the windows log files are the same, and would solve my issue quickly based on the past experience.

Also quite important is the possibility of contributing to the community that helped you in the past. That forum entry of a person having just the same issue as you, and that helped you with the solution, was written by someone who actually documented what happened. The more everyone contributes the more everyone profits from the solutions available.

And what can be more accurate than a good windows log file analysis with concrete consequences and actions? A specific event is the same in all computers with that same Operating System.

If you spend 30 minutes documenting a solution that would take you 1 hour to accomplish, don’t think you wasted 30 minutes, think that you earned 3 hours if this problem happens 3 more times.

Troubleshooting philosophy – Windows event log error analysis

There are different circumstances that lead to an event log analysis. One of the most common is the reactive Windows error log search, “reactive” because it is done in reaction to a problem, “error log” because what we are looking for error events that will help us identify the origin of the problem. When searching the error log entries (error events in Application and System logs), it can be difficult to establish a direct relation between the problem being experienced, and the error event itself.

Normally the events are analyzed after the problem occurs. One of the most frequent actions when troubleshooting is filtering the same event to correlate it with past problems.

There are distinct cases in wich this is helpfull:
– This particular problem never happened, and the event never appeared, there is a high probability that the event is related to the problem.
– This particular problem has happened before but the event never appeared, there is low probability that the event is related to the problem.
– The event is much more frequent than the occurence of the problem or the problem never happened and the event is seen frequently, there is a low probability that the event is related to the problem.

In search of events logged due to an error, filtering out the “noise” is a very big step in finding the right events to analyze.

After finding a windows error log entry that we think is most likely related to the problem, some before and after events should also be analyzed, even if they are warnings or informational log entries, they can be related to the error.
Frequently a sequence of events is observed when doing a deeper analysis of windows logs (not only checking for error events), for example, a warning that a service did not respond, followed by an information that the service is restarting, a warning like a problem loading a dll, the occurrence of the error, and an information that the service successfully started.

The events before and after the error seem related to the error itself, and we now know that there is probably an issue with a dll and also with a service, and both can be related to the error.

Doing a Windows error log analysis can be difficult due to the amount of information found, and there is a risk of losing focus on the search for that event that will lead to the solution.

As stated above, filtering and carefully choosing the events to concentrate the investigation will help.
A clear case to exemplify the importance of such method is the classical “solve one thing, break another” that can happen when, by taking action trying to correct some issue that you discovered existed by the presence of that windows error log, you change the environment in a way that your original error manifests itself in a different way or with a different frequency, and if repeated, this action (fixing an error different from the original) can lead to cascading events that will certainly drive you further away from effectively solving the original problem.

So, doing the research, one should ignore (during the course of a particular analysis) other non-related or not critically related errors that are encountered.

In addition, circumstances can change after the manifestation of the problem, which leads to different event entries after a reboot, with the specific software or hardware component still failing, but being registered as the Windows error log entry in a different way.

A remediation should be considered many times as a per-round iterative process, in which we detect an issue, find evidence that leads to a potential solution, test the solution, and restart the process/Operating System.
In a truly complex investigation of an issue and its related entries in the Windows log, it is also useful to build a chain of events. A chain of events is best built if we are sure that certain events are related in a defined sequence, and none of them appears regularly unrelated to the error event we are focusing on. It might be necessary to eliminate intermediate events which are unrelated to the issue being analyzed, and due to the large number of events that are logged, can appear registered between two events which are part of the chain of events we are analyzing.

After a problem has been truly understood, it can be replicated, in which case the chain of events would also appear to prove it was exactly the same problem.