You are here: 42 Resources Blog

42 LLC

SANS

Yogesh Khatri's forensic blog

A short description about your blog

Jul 06
2010

Exporting BAG data + updated script

Posted by Yogesh Khatri in Shell BagsForensicsEnscript
Yogesh Khatri

A few people have complained to me about not being able to export data from the BAG Parser script. When exporting the parsed out information, it only outputs an empty tab-delimited file with column titles but no data.

This is not a bug with the script. The "Export" button on the script exports all leaf nodes but not folder nodes shown in the tree. This is a generic dialog that I use in all my scripts and its designed to be that way. However, the BAG data is mostly folders and hence the problem with exporting it.

Solution

Here's what you need to do to get the FULL output.

1. Use the "Export Selective" button.

2. On the dialog that pops up, select "Include Folders", choose all fields you want to export (all are selected by default) and hit OK.

Script Update

The script has been updated to include the above information in the "About" dialog.

Also, a bug has been fixed which caused some output to show up as garbage data (invalid Unicode).

Download here

May 26
2010

CEIC 2010 scripts

Posted by Yogesh Khatri in ForensicsEnscriptCEIC
Yogesh Khatri

 

Today we release several scripts and utilities for forensic analysis at CEIC 2010. This is some of the research we have been doing over the last year. Download links below. (You will need to log in to download the files. Registration is of course free.)

Apple iPhone Backup Extractor

Extract files into their proper folder structure from an iPhone backup

Download

Bag Parser

An update to the bag parser already posted here

Download

CSC Parser

Rebuilds XP Client side cache (CSC) from an XP machine and exports files as native or into a Logical Evidence File

Download

Google Desktop Search Metadata Extractor

Extracts information about files stored in Google desktop search's index

Download

Google Desktop Index Data Extractor

Extracts files stored in Google desktop search's index

Download

Windows Search Index Data Extractor

Extract textual data and metadata from the index database of Windows Search

Download

INDX Extractor

Finds deleted files (and their metadata) by reconstructing deleted INDX buffer records in NTFS volumes

Download

IPD Extractor

Extracts data from blackberry backup files, aka IPD files

Download

Webmail Extractor

Extracts mail listings from web pages, memory, page files or unallocated space for email for Gmail, Yahoo mail and Live mail (hotmail)

Download

 

Mar 05
2010

Manipulating encase E01 files, Myth or Reality?

Posted by Yogesh Khatri in Password CrackingimagingHackingForensicsEvidence VerificationE01 passwordacquisition
Yogesh Khatri
Recently, we had to process a case where we received many encase images (E01 files) which were password protected. The party that provided the images misplaced the password which meant Encase would not load them. We do a lot of our processing in Encase as it can be automated with scripting and it minimizes manual artifact extraction and reporting. Hence we needed to crack/remove the password from these files. 
 
The encase password protection feature is simply an application level protection. It does not protect the data within the E01 file. Utilities that operate with E01 files have the option of honoring or ignoring this “feature”. Hence FTK and tools using libewf load the file just fine, without asking for a password. We could re-image all the files in FTK to remove the passwords, so they can be used by encase, but that would require lots of time copying and verifying the files again, lots of extra disk space and many hours. So we decided to see if it’s possible to manipulate the E01 header to remove/blank out the password. 
 
The E01 format has been pretty well documented by Joachim Metz in his project libewf. What I found was pretty scary. The header fields in an E01 file are completely detached from the image data. There is absolutely nothing that protects that header, not even a checksum! It can be easily altered. The case information is stored in the header section which is a zlib (Deflate) compressed stream. This when decompressed is simply a tab-delimited text file, from which the password hash can easily be deleted and the resulting file recompressed and put back into the E01 file. The whole operating takes no more than a few minutes to perform manually once you figure out the offsets and text file format. Of course you will need a program that decompresses and recompresses a zlib stream. (That I had to create myself)
 
So practically anyone with this knowledge can now change acquisition information, i.e., notes, acquisition date and time, examiner name, case number, evidence type, drive serial number, drive type, etc...
The only catch is that the new compressed data stream (after manipulation) must be equal or smaller in size to fit in the space allotted for the header. If not, then all the data will have to be shifted down and the offsets and CRCs for the remaining sections in the files will have to be adjusted for all the evidence segments (E01, E02, E03...). This is a little more work, but is also easily accomplished.
 
We could easily then create a program to edit this information, but we leave that for another day. We did however create a utility to remove the password from an E01. You can download it here. It’s a command line application which takes only a few seconds to run, as only a few bytes in the first segment (E01) are modified. The other segments (E02, E03…) are not touched. It will create a backup of your original E01 file, just in case. 
 
It uses .NET 2.0, which you should already have unless you are running a really old XP system which never got any updates. If not, download and install it from Microsoft.
 
So in essence what we have proved today is that relying on an encase E01 file’s case information is really no better than the text file that accompanies DD images. There is no reason to believe it is un-alterable or secure by any means.
 
UPDATE: The file download error has now been fixed. If you cannot download files, let us know by posting a message on the forum. Thanks. 
Oct 07
2009

Shell BAG Format Analysis

Posted by Yogesh Khatri in WindowsShell BagsForensicsEnscriptartifacts
Yogesh Khatri
Windows uses the Shell BAG data to arrange folders and files in Explorer views, as well as to monitor recently used and frequently used applications in the Start-Menu among other things. Forensic experts use it to find traces of deleted file/folders with associated MAC times and file paths. It even tracks network paths and paths on external thumb drives that were once plugged into the machine.
When I started this research, I didn’t know of any product nor any freeware or documentation that explains the BAG format, so I decided to reverse engineer it myself. However since, I have learnt of a paper presented this year that talks about the BAG file and its usage to recreate user activity at the DFRWS conference. They have a tool called TraceHunter, available on request only, but no available documentation on the format. I haven’t seen the tool yet. Update: I have been informed by the folks at tracehunter that they will not be giving me a copy!
I have read on a blog that a once freeware tool to accomplish this was bought by Paraben and incorporated into their product ‘Registry Analyzer’ which is now called P2 Commander ($129).
About the BAG format
It is prevalent in all windows versions since XP and is used in following registry keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Vista and Windows 7 have these additional locations (updated)
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
My Research
Very little has been known about the technical specifications of the Shell BAG format. I present my research and an Encase script to parse NTUSER.DAT hives and extract the data. The source code is a mess right now and many things are hard-coded, so I have not made it available yet.
I have been able to understand the basic format, although there seems to be quite a few variations of how it’s used in the different registry keys and at different levels, ie, it varies depending on whether the BAG artifact is from a file or folder, regular file or ZIP file, etc.. Sometimes GUIDs are used (instead of filenames) for well known items like Control Panel as well as application created shortcuts.
Structure Format
struct BagFile {
USHORT BagSize; // Length of BAG structure
USHORT flags;
DWORD size;
USHORT ModifiedDOSDATE; //Modified Date GMT
USHORT ModifiedDOSTIME; //Modified Time GMT
USHORT FlagUnknown;
char  name[]; // (DOS short filename)
//extra byte here sometimes to align to even byte boundary
UnicodeBagData UnicodeData;
};
struct UnicodeBagData
{
USHORT LengthOfUnicodeStructure;
USHORT Short1; // 0x0003 for XP, 0x0008 for win7
USHORT Short2; // 0x0004
USHORT Short3; // 0xBEEF
USHORT CreatedDOSDATE; // Created Date GMT
USHORT CreatedDOSTIME; // Created Time GMT
USHORT AccessedDOSDATE; // Accessed Date GMT
USHORT AccessedDOSTIME; // Accessed Time GMT
DWORD Unknown; // usually xp = 0x14, win7 = 0x2A
// Vista and Windows 7 Extra Fields (22 bytes total)
DWORD  MftFileId;
USHORT Unknown1;
USHORT MftSequence;
DWORD  Unknown2;
DWORD  Unknown3;
DWORD  Unknown4;
USHORT Unknown5;
// END Vista extra fields
wchar name; // Unicode Filename
USHORT Unknown6;
};
Although this is the basic format, there are several variations depending on flag values.  The elements are likely contained in more structures nested within, hence the variations.
In the StreamMRU values, many such BAG structures are chunked together into one reg value, which represents the full file path.  For example, if a folder path is “C:\Program Files\Microsoft\Office”,  the registry value will have the following data
[BagFile for C:] + [BagFile for Program Files] + [BagFile for Microsoft] + [BagFile for Office]
All will be appended into the same reg value.
Files vs. Folders
Since BAG data is mostly used by Explorer to remember view settings for each folder, we only find BAG entries for Folder data under ‘Software\Microsoft\Windows\Shell\BagMRU’. Each folder under that key has a NodeSlot value which represents the unique folder number for its settings which are stored at ‘Software\Microsoft\Windows\Shell\Bag’.
The keys under this key store both file and folder metadata. Any time you move an icon in explorer, its new position in that folder is tracked here. For each NodeSlot value in BagMRU, there is a folder with that number as name. Not all views are tracked, so you will see some empty folders under this key and some with many values. One of these values will look like “ItemPos 1024x768(1)” or whatever your screen resolution is at the time of the event. There can be multiple of these items for multiple monitors, change in screen resolution, etc.. The ItemPosxxx key consists of many BAG structures appended together. Unlike StreamMRU, these don’t represent a file path, they are simply metadata for all the files/folders in that particular folder that it represents.
BAG Data Organization
The data is organised exactly as it appears in Windows Explorer, with the desktop being the root folder of everything.
The paths inside BAG files will have many redundant entries pointing to the same object in a different view depending on whether you browsed to the 'desktop' folder from C:\Documents and settings\... or directly accessed it from the Desktop, or from My Computer\Shared Documents\.. and so on.
Example: Redundant paths for an XP machine
Desktop\My Computer\C:\Documents and Settings\ProfileName\My Documents\..
Desktop\My Documents\..
Desktop\ProfileName's Documents\..
Desktop\ProfileName\My Documents\..
Script
This script (download link below) parses the data from an image or an NTUSER.DAT file. It tries to remove all redundant paths (removing duplicates), althought sometimes you would want that (dates/times on the duplicate entries may be different).
Ideally, you want to run this against a full disk image (just because it tries to resolve ProfileName if not found in registry hive), but it will parse out individual NTUSER.DAT files also. It will process profile hives stored under System Volume Information (System Restore) also! It has been mostly tested on XP but has been tweaked to run on Vista and Windows 7.
Update: There appear to have been quite a few additions to the format with Windows Vista and 7. Also a new location for these entries:
C:\Users\ProfileName\AppData\Local\Microsoft\Windows\UsrClass.dat
The additional paths are noted in section above in "About the Bag format".
Update (May 26 2010): New version of script available. Download here
Apr 07
2009

Prefetch Hash Algorithm

Posted by Yogesh Khatri in WindowsPrefetchForensics
Yogesh Khatri

I had previously  commented on the prefetch file format in a previous blog post. 

A key feature skipped in that blog was the hash algorithm used by windows in the pf files, which I promised to return to. And here it is, ripped out of ntkrnlpa.exe for XP and Vista. Its a simple one, that uses pi (3.14159) as a seed for randomization along with the prime number 37.

It is essentially adding all characters into an integer overflowing  it.

hash = (37 * hash) + path[i];

In Vista hash begins with value of pi = 314159;

In XP, it begins with zero, then performs an additional operation of :

hash = (314159269×hash) mod 1000000007 

The code in the previous post has been updated to validate the hash now. You can also download the enscript code here to see the full algorithm. 

  • «
  •  Start 
  •  Prev 
  •  1 
  •  2 
  •  Next 
  •  End 
  • »
42 LLC | 2596 Mission St, Suite 203, San Marino, CA 91108 | info@42llc.net | +1 626.698.1189