Showing posts with label skype. Show all posts

Wednesday, December 5, 2012

Hacking help!

I've been contacted a few times recently to provide help getting to some part of a computer file or recovering some sort of data. I don't mind responding to people who reach out and generally need help, in fact, I'd like to think I've actually helped quite a few people. Here are some guidelines to make sure I can help you as much as I can.

What to do before reaching out to me for help

  1. It would be really awesome if you would read the relevant blog posts and attempt it on your own first.
  2. Know what you are asking for and likely to get. Data recovery and carving can generate lots of data but it generally is a shotgun approach.
  3. Do the work once you have the data. I can't generate lovely time-indexed, cross-referenced, collated reports of the data. I'll just generally give you the data and expect that you'll donate some elbow-grease to the equation.

What I need to help you

  1. A description of the system (Mac, PC), the operating system (XP, 7), the relevant programs (Skype, Firefox). Version of the programs is a nice-to-have for me.
  2. The relevant files!
  3. Any information that would help searching data. Names of the parties, dates of events, locations, etc...

What I can promise

  1. My best effort to recover data
  2. Getting to the task of investigating as soon as possible (I do have a life!)
  3. Utmost secrecy... I will only share your information with you, no one else. Nobody but me will ever see it. I promise to delete all copies of data and emails once I've finished investigating and sent results. 
  4. Discretion. I've been through this myself and I know how personally devastating going through this kind of event can be through my own experience.

How to contact me

  1. Post a comment to the blog and I will reach out to you. I moderate all comments and will not make any comments public that contain personal info like an email address.
  2. Email me at dead.nt.sleeping [at] gmail [dot] com
  3. I have put together a web form for a contact page you will be able to see on the top tabs of the blog. Here's a link to it anyway: Contact Form.

V/r - DNS

Thursday, August 9, 2012

Spyware, An Introduction

There's an old saying that being paranoid doesn't mean that they aren't out to get you... In our case, being paranoid doesn't mean your spouse isn't being unfaithful. The uncertainty and dread of the unthinkable happening is maddening. Many people turn to spyware to find evidence. I will recount my experiences here with some popular software.


Morality and Legality


Without question, it is immoral to invade another person's privacy. In fact, it is illegal. What I'm writing in this post is a review of products and not an endorsement. I don't want to influence you in your decisions - you are responsible for your own actions and their consequences. My post is merely a discussion of popular software and hardware and their benefits and restrictions.

Spyware

Spyware is any software that captures data without the primary user's consent or knowledge. There are several general types: key loggers, parental/employee monitoring software, network packet inspection, and "professional" software.

Nota Bene! 

Installing Spyware

Everyone has a virus scanner and spyware protection software package these days, as well they should. So, how do you install spyware without it being instantly removed? The answer is to modify the security program to create an exception, or blind-spot, for the spyware you install. Prior to installation, you need to create these exceptions in the security software's settings. The software you decide to use will likely have detailed instructions on how to create exceptions. 

The big risk to installing any spyware is that the user may be savvy enough to review their security software settings, do a clean re-install of their security software, or download a new security software package entirely. If the user does this, the exceptions you created will be lost and the user will be alerted to the presence of the spyware.

Key Logger


A key logger is a program that records which keys are struck while the computer is in use. There are many variations on the basic key logger. Most of the free programs record the raw keystrokes and save them to a hidden directory on the computer for later retrieval. More advanced programs capture additional context, such as the program in use, screenshots, etc.

Parental/Employee Monitoring


Spyware is almost always distributed or sold as a tool to "monitor the computer use of children/employees", so parental monitoring software has many spyware features built in. The features generally include a key logger, a website filter, instant messaging capture, webcam locks, and others. The website filters can often be configured to track, not block, web use. Some monitoring software offers real-time notification of specific events, such as visiting an adult website, sending an instant message, computer use during prohibited hours, etc.

Some software packages can do an IP lookup and provide a generalized location for the computer. The lookup is not very precise: it maps the machine's public IP address to the location a geolocation database has on record for that address block, so it is usually only accurate to the city or region of the ISP. Proxy servers, VPNs, Tor and similar relays hide the real address, so the lookup reports the location of the relay's exit rather than the computer.

It is important to note that most parental/employee monitoring software has a splash screen, notification tray icon or other visual cue to alert the user to its presence. You will need to find a solution that meets your needs. If you are negotiating a reconciliation with a wayward spouse, asking them to install a monitoring software on their computer may be one of your conditions.

Network Packet Inspection


This is, by far, the nerdiest of the geekery on this post. Here's an article or two to get you familiar with packets and networking.

In general, networks operate by sending packets of data back and forth. Each packet carries headers: the IP header tells your router (the traffic cop of your home network) where the packet should go, and the TCP header carries the sequence numbers the receiving machine uses to put the packets back in order. Once the packets are received by the destination machine they are reassembled and decoded back into data.

Network packet inspection software allows you to monitor these packets. It is also referred to as a "packet sniffer" because it intercepts and decodes each packet sent over the network and presents you with raw data. These are essential and valuable network admin tools. As powerful as these tools are, I found many very cumbersome to use and far too technical for a casual user. My experience has primarily been with Wireshark, Ethereal and WinPcap.

"Professional" Software


For those of us who need a solution that removes the need to have physical access to the computer to download keystrokes, the "professional" software fits the bill. The main operator in this arena is Spectorsoft. I have experience with their product line: eBlaster, SpectorPro, eBlaster Mobile. In my opinion, they have excellent customer service and are very responsive. I've only had to wait about an hour most of the time I sent an *email* inquiry to their team.

eBlaster


The features worth mentioning in the eBlaster software are as follow:
  • Sends email reports on a user-defined schedule
  • Reports contain keystrokes, program use, files transferred or printed, IM activity
  • Keywords can be set to send an immediate email report containing the keyword, program use and a screenshot of the computer at the time it was detected
  • Remote control panel once installed allows user to adjust what's monitored, how frequent the reports are sent, set keywords, set websites to block, and allow customization of the emailed reports to give a "friendly" subject, sender, etc.
  • Forwards emails sent from the computer to an account you select.
Some cons to using the software I learned the hard way:
  • The application doesn't support non-major browsers. If your subject uses Opera, Chrome, Iron, RockMelt, etc. much of the beneficial tracking info is lost. You still get the keystrokes logged but the output can be randomly mixed, confusing and lack association with the appropriate webpage or webapp (think of Skype integration in Facebook through the RockMelt browser as an example).
  • The frequency and quality of screenshots is limited by Spectorsoft. However, if you utilize your own Gmail account as the SMTP server to send the screenshots this can be circumvented.
  • Video streams and audio streams are not captured. Voice/video calls through Skype do not capture the audio or video component. If you're lucky your subject might type a keyword so you can get a screenshot.

SpectorPro


SpectorPro is a software program much like eBlaster. The following are the main differences:
  • SpectorPro won't send you email reports. It spools them to a hidden directory on the subject machine. You will need to access the computer to get to them. The software does allow the user to set up a network path where these files can be accessed remotely.
  • SpectorPro records computer use like a video recording. You can playback the files and see exactly what was being displayed on screen during the time the subject was using the computer.
  • SpectorPro doesn't record audio. A pure voice call on Skype or any other VoIP app wouldn't provide much more detail than seeing the call being made/accepted.

eBlaster Mobile


In my opinion, eBlaster Mobile is where Spectorsoft falls down. First the features:
  • Sends periodic email reports.
  • Logs calls made, missed and received with time and duration. Looks up the caller in the user's contact book to provide a name with the number.
  • Logs website pages loaded (big caveat here, read on for its limitation).
  • Logs SMS and MMS sent and received with contact information.
  • Sends a thumbnail of a photo or video taken with the phone with geo-tagging and time the picture was taken.
  • Looks up GPS location and resolves to a street location at a set schedule
  • Allows a geo-fence to be set up which provides alerts when it has been entered or exited. 
  • Remote dashboard to set and manage delivery settings
  • "Friendly" names for sender of reports, subject, etc.
Limitations:
  • The eBlaster Mobile app won't track any websites visited outside of the native android browser. Any use of a browser outside of the crappy one the android was packaged with circumvents eBlaster Mobile entirely.
  • The eBlaster Mobile app won't track app usage. You won't know if your kid plays Angry Birds all day in that expensive private school you're sending him to, or if your spouse uses the Skype app for calls/video chat, uses Google Talk, uses Google Voice, Meebo, What's App, and on and on... All of the apps are invisible to eBlaster Mobile.
  • The geo-location feature that provides the location of the phone at set intervals is a battery-burner. As an example, the phone I use has a 1.5 day battery life. Using a 2-hour lookup for location during normal use reduces that to about 6-hours.
  • It was pretty convoluted to set up. It required I jail-break my phone (more a limitation set by my service provider) prior to set-up.

The Final Word


Find software that works for you. I found the email reports provided by Spectorsoft extremely useful and worth the cost and limitations. I just wish they had a more comprehensive mobile offering.


Hardware


There is hardware available for snooping. The most useful being mini-GPS, spy cameras, and voice recorders (bugs). I have found most of my needs resolved through software but there are hardware options out there.

The Mini-GPS


The Garmin GTU 10 is a mini-GPS unit that's about 3 inches by 1 inch by 1 inch and is fairly expensive. The signal is strong enough to transmit through the body panels of most cars. It sends an email report of its location and Garmin provides an online dashboard to view locations and modify settings.

It has a handy geo-fencing feature which allows you to set it to sleep inside a location. For example, you can have it report hourly and set a geo-fence around your home, and it will wake up once it leaves. The GTU 10 can switch to continuous tracking which reports every 30 seconds or so - in real time.

Spy Cameras


Admittedly, I do not have much experience with different types of spy cameras. There is a dizzying array of options and prices. Many are wireless, motion activated and record to a DVR or computer. The small design of modern cameras allow them to be placed almost anywhere. I ran into a major stumbling block when considering the areas I'd want to monitor and the possible locations for a spy cam. I couldn't reconcile where to place it that wasn't in the direct line of sight of my subject and I quickly abandoned the idea.

Audio Recorders


The old "bug". An audio recorder is a discreet method of documenting what is going on when you are not present. The trick is to find a portable, battery friendly device with lots of memory that your subject will likely always be near. One popular choice is a voice-activated recorder made to resemble a key fob. Granted your spouse may be suspicious when you get her a new key fob for no real reason, so it is up to your ability to bullshit your way through it.

Summary

The only thing worse than knowing is not knowing. However, as I always recommend, talk out your problems first. Using these devices and programs in a manner which compromises anyone's privacy is immoral and illegal. It will also break any threads of trust your spouse may have for you and may lead to an inevitable conclusion of divorce. I doubt any of us would be considering these technologies if we didn't have a very solid suspicion but do consider this before hopping down the rabbit hole - what if you are wrong?

-- DNS

Friday, July 20, 2012

Skype Main.db

I hope you've read the Skype primer I posted a while back... Because now it is time to roll up our sleeves and get dirty!

Main.db

The main.db SQLite 3 file is the heart of Skype. On Windows 7 the file is located at C:\Users\WindowsUserName\AppData\Roaming\Skype\SkypeUserName and on Windows XP at C:\Documents and Settings\WindowsUserName\Application Data\Skype\SkypeUserName. Both AppData and Application Data are hidden folders, so either turn on "Show hidden files" or paste the path into the Explorer address bar.

In my Computer Pseudo-Forensics & Tools post, I pointed out some helpful software: a SQLite database browser called, appropriately, SQLite Database Browser and a raw hexadecimal file editor called HxD Hex Editor. Both are free. The discussion below utilizes these tools.

SQLite is cool

Skype (like Firefox and Chrome) uses a lightweight SQL engine called SQLite 3, which is small enough to run on mobile devices and needs no separate server process. The desktop clients use the same engine so that the storage layer is standardized across platforms, which reduces development and maintenance cost.

SQLite is public-domain software with a fully documented file format. Every SQLite 3 database file begins with the 16-byte header string "SQLite format 3" followed by a NUL byte, which is what you look for when searching a disk image or a hex dump for database files.

From my earlier post on Skype

"According to the SQLite3 documentation at www.sqlite.org:

A database file might contain one or more pages that are not in active use. Unused pages can come about, for example, when information is deleted from the database. Unused pages are stored on the freelist and are reused when additional pages are required.
This means that when the user deletes records, the space they occupied is marked free; the bytes are NOT wiped from the main.db file. The deleted records linger in free blocks inside pages and in pages on the freelist until that space is reused for new data (SQLite only zeroes freed space if secure_delete is turned on, and a VACUUM rebuilds the file without the free pages). This means you should copy that file ***now*** before any old data is truly gone. Once overwritten, it cannot be retrieved.

Using the HxD Hex Editor, you can open that main.db file and view the raw bytes alongside their text rendering. There will be plenty of garbage characters and the data will be in a somewhat random order. If you're lucky you will have caught a good bit of data that the user believes they've deleted for good."
That's why SQLite is cool :)


Using Main.db

The main.db file is a SQLite database. Using SQLite Database Browser (or any other SQLite tool), you can open the "official" memory of the Skype program. The information you can retrieve this way represents only the data that has not been deleted or removed by the user.

Schema

The schema is the set of tables and indexes within the database file. It provides the structure of the database, the names of the tables, the fields (data items) within each table and a description of the field indicating what type of data is stored and whether it is a primary key (a unique, mandatory value). The indexes for the database are provided. These indexes are tools used by SQLite to speed up the execution of queries used to retrieve data.

Just because I like you here is a link to a spreadsheet containing the tables and indexes and a link to a spreadsheet containing the tables and data fields.

Tables

The following tables appear in the main.db schema. Each table on this list is linked to a spreadsheet with a description of the table's fields and data types.

So what?

The following tables are where you will find useful data...
  • Contacts
    • You'll find all of the user's contacts with their SkypeName, their DisplayName and any other details they've provided in their Skype profile (location, mobile #, etc)
  • Videos
    • You'll find a list of the user's video chats and a Convo_ID. 
    • The Convo_ID will map to the Convo_ID in the Conversations and Participants tables.
  • SMSes
    • I have no experience with this table but I believe it is used to store SMS texts sent via Skype to a cell phone (a paid feature for Skype users)
  • CallMembers
    • Provides a list of all parties to a call (grouped by Call_Name). 
    • Duration is provided per participant and a Video_Status is provided (I believe 3 = video call)
  • ChatMembers
    • Provides a list of members taking part in a chat (grouped by Chat_Name). 
    • The Adder field provides the SkypeName of the user who added the participant to the chat.
  • Conversations
    • Provides a list of the conversations in which the user participated. 
    • The Identity column provides the SkypeName of the participant or the Chat_Name for group chats/rooms. 
    • The DisplayName field provides the participant's displayed name in Skype or the displayed title of the group chat/room.  
    • The Creator column notes the creator of the group chat/room.
    • Timestamps are provided for Last_Activity, Inbox_Timestamp, Creation_Timestamp and more.
  • Participants
    • Provides a list of conversation participants grouped by the Convo_ID
    • The Adder field notes the SkypeName of the user who added the participant to the conversation
    • The Identity column provides the SkypeName of the participant.
    • Text, Voice and Video status fields are provided.
  • Calls
    • Provides the calls in which the user has participated.
    • Call_Name is provided and maps to the Call_Name column in the CallMembers table.
    • Timestamps for the calls and the Host of the call are provided.
  • Transfers
    • Provides the details of files shared and downloaded by the user.
    • Partner_Handle is the SkypeName of the other party, Partner_DisplayName is their DisplayName.
    • FileName and FileSize are provided along with the FilePath (uploads only I believe).
    • Convo_ID is provided which maps to the Participants and Conversations tables.
    • Timestamps are provided.
  • Voicemails
    • Lists voicemails sent to the user
    • Partner_Handle is the SkypeName of the other party, Partner_DisplayName is their DisplayName.
    • Path column displays a ".dat" file which is located in the ...\Skype\SkypeUserName\Voicemail folder
  • Chats
    • Provides the chats in which the user participated.
    • The Name field follows this structure; #SkypeUserNameOfInitiator/$SkypeUserNameOfPartner;ChatIDString
      • The ChatIDString is a 16-character hexadecimal string that is unique to the chat
      • The SkypeNameOfPartner is replaced with the ChatIDString when the chat is a group chat/room. Ex: #SkypeUserNameOfInitiator/$ChatIDString
    • The Friendly_Name column provides the display name of the partner or group chat/room.
    • The Adder field notes the SkypeName of the user who added the participant
    • Timestamps are provided
    • The Posters field is a concatenated list of SkypeUserNames that posted to the chat
    • The Participants field is a concatenated list of SkypeUserNames that received messages from the chat
    • The ActiveMembers field is a concatenated list of SkypeUserNames of those who have recently posted
    • The dbPath field displays a ".dat" file which is located in the ...\Skype\SkypeUserName\Chatsync folder
      • The name of the ".dat" file is a 16-character hexadecimal string
      • The first two characters indicate the subfolder where the ".dat" file is located under the Chatsync folder. Ex- if the dbPath field has the value of 01abc2345def6789.dat; the file is located at ...\Skype\SkypeUserName\Chatsync\01\
  • Messages
    • Provides a Convo_ID to map to Conversations table, Videos table and others.
    • Provides ChatName to map to the Name field in the Chats table.
    • Notes the SkypeName of the Author of the message.
    • Provides the message detail in the Body_XML field. This is the most important field... this is the message sent from one party to another!
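As an added example, not from the original post, here is a small Python parser that encodes the Chats.Name and Chats.dbPath rules listed above and groups a list of chats by counterpart. The function names, the SAMPLE_ROWS data and the user-directory path are this example's own assumptions; the hex check is lenient and accepts either case.

```python
"""Added example (not from the original post): parse the Chats.Name string
and resolve a Chats.dbPath value to its file under the Chatsync folder.

Formats as described in the post:
    #initiator/$partner;<16 hex chars>    one-to-one chat
    #initiator/$<16 hex chars>            group chat / room
Function and variable names are this example's own.
"""
import re
from pathlib import PurePath

CHAT_NAME_RE = re.compile(r"^#(?P<initiator>[^/]+)/\$(?P<rest>.+)$")
CHAT_ID_RE = re.compile(r"^[0-9a-fA-F]{16}$")

# Constructed sample rows in the shape of (Chats.Name, Chats.dbPath)
SAMPLE_ROWS = [
    ("#alice/$bob;0123456789abcdef", "01abc2345def6789.dat"),
    ("#bob/$alice;fedcba9876543210", "fe00112233445566.dat"),
    ("#alice/$89abcdef01234567", "89ff00aa11bb22cc.dat"),
]


def parse_chat_name(name):
    """Return kind, initiator, partner (None for group chats) and chat id."""
    m = CHAT_NAME_RE.match(name)
    if not m:
        raise ValueError("not a Skype chat name: %r" % name)
    initiator, rest = m.group("initiator"), m.group("rest")
    if ";" in rest:
        # #initiator/$partner;chatid  -> one-to-one chat
        partner, chat_id = rest.rsplit(";", 1)
        kind = "p2p"
    else:
        # #initiator/$chatid -> the partner slot holds the id, so a group chat
        partner, chat_id = None, rest
        kind = "group"
    if not CHAT_ID_RE.match(chat_id):
        raise ValueError("chat id is not 16 hex characters: %r" % chat_id)
    return {"kind": kind, "initiator": initiator, "partner": partner,
            "chat_id": chat_id.lower()}


def chatsync_path(skype_user_dir, dbpath):
    """dbPath '01abc2345def6789.dat' lives at <user dir>/chatsync/01/<dbPath>."""
    stem, ext = dbpath[:-4], dbpath[-4:]
    if ext.lower() != ".dat" or not CHAT_ID_RE.match(stem):
        raise ValueError("unexpected dbPath value: %r" % dbpath)
    return PurePath(skype_user_dir) / "chatsync" / stem[:2].lower() / dbpath


def summarize_chats(rows):
    """rows: iterable of (Name, dbPath) as pulled from the Chats table.
    Groups (chat id, dbPath) pairs by counterpart; group chats go under '(group)'."""
    by_partner = {}
    for name, dbpath in rows:
        info = parse_chat_name(name)
        key = info["partner"] if info["kind"] == "p2p" else "(group)"
        by_partner.setdefault(key, []).append((info["chat_id"], dbpath))
    return by_partner


if __name__ == "__main__":
    for partner, chats in summarize_chats(SAMPLE_ROWS).items():
        for chat_id, dbpath in chats:
            print(partner, chat_id, chatsync_path("/cases/skype/alice", dbpath))
```

Feed it the Name and dbPath columns straight from a "select name, dbpath from chats" query and you get, per counterpart, the chat ids to look for in Messages and the exact Chatsync file to pull for each one.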

Timestamps

The timestamps in main.db are UNIX timestamps: the number of seconds since January 1, 1970 00:00:00 UTC. You will need to convert these timestamps into human-readable values. For example, the value '1325900664' represents January 7, 2012 01:44:24 UTC, which is January 6, 2012 8:44pm in US Eastern Standard Time. I use the following equation in Excel to convert the dates (assuming the Timestamp value is in cell B3, and with the result cell formatted as a date):
=IF(B3="","",(B3/86400)+25569+(-5/24))

The IF statement returns an empty value when there is no Timestamp. Otherwise the formula converts seconds to days (divide by 86400), adds 25569 (the Excel serial date of January 1, 1970), and then adds -5/24, which shifts the result from UTC to US Eastern Standard Time (UTC-5). Change that last term to your own UTC offset, and remember that a fixed offset does not account for daylight saving time.

In SQL queries the date is converted using the datetime function, which returns the time in UTC:

datetime(timestamp_field,'unixepoch')

Add the 'localtime' modifier to have SQLite shift the result to the time zone of the machine running the query (which is not necessarily the subject's time zone):

datetime(timestamp_field,'unixepoch','localtime')

A query to start off with

Not everyone can write SQL queries, but they should! Here is a simple sample query to get you on your way. It lists every contact with the details from their profile, plus the number of times their SkypeName appears in the Participants table (a rough measure of how often the user has been in a conversation with them), most frequent first. The LEFT JOIN keeps contacts who never appear in Participants, with a count of zero:

select c.skypename
      ,c.fullname
      ,c.country
      ,c.province
      ,c.city
      ,c.phone_home
      ,c.phone_office
      ,c.phone_mobile
      ,c.main_phone
      ,c.emails
      ,c.verified_email
      ,datetime(c.lastused_timestamp,'unixepoch') lastused_timestamp
      ,count(p.identity) participant_rows
from contacts c
left join participants p on p.identity = c.skypename
group by c.skypename
order by participant_rows desc, c.skypename


What's the deal with Chatsync?


The Chatsync folders also contribute a great deal. The main.db database includes pointers to the ".dat" files in the Chat table. I believe that these folders within Chatsync are used to store nodes of information which is retrieved by the Skype application when the chat data is needed. It's sort of like an extended memory to save information about the chat. I do know the Chatsync files are not inclusive of all the information presented in the main.db Chat table and I have found data present in the Chatsync files not present in the main.db tables.

Forensics

Reading main.db with a SQLite utility, or the Chatsync files with a reader, is of limited use when trying to recover data that has been deleted. As I stated in this earlier article, the best approach is to read main.db with a hex editor to recover partial records of deleted messages, video calls, voice calls, chats and other data. The Chatsync files are of limited worth as these appeared, in my experience, to have been deleted with more regularity than the old data in main.db was overwritten by new data.

Other Tools

The other helpful tools to user are SkypeLogView and SkypeChatsyncReader. I discussed these in my earlier post:

SkypeLogView

The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD.

SkypeChatsyncReader

A utility created by Rasmus Riis Kristensen from the Computer Crime Unit of Danish National Police. This tool reverse engineered the location of data in the .dat files of Skype.

Conclusion

The Main.db file is a useful source of data IF a deletion of data has not occurred. The presentation of files from a SQLite database browsing utility can provide a well-formatted view into Skype usage. Please remember that carving the Main.db file with a hex editor will yield data that has been deleted by the user. However the presentation of this deleted data is nowhere near the organized output of the Main.db file.

-- DNS

Wednesday, May 30, 2012

Skype

Where would the wayward spouses of this world be without Skype?

Skype Primer

Skype is an IM/chat/voice/webcam platform now belonging to Microsoft. There are no public chat rooms, ala AOL, but users can create a group and invite other users to join. Files can be shared between users and groups and desktops can be shared.

Skype Guts

Skype is a platform based on SQLite3 databases (like Chrome and Firefox). The files for Skype in Windows Vista and 7 are normally located at C:\Users\USER\AppData\Roaming\Skype. In this directory, you'll see the Skype user name set up as a folder. You'll have one such folder for every Skype user to log in through that computer. Clicking on the Skype user name, you are presented with the data files for that user.

You will see the following folders:
  • chatsync
  • httpfe
  • voicemail
You will also see the following files:
  • bistats.db
  • config.xml
  • dc.db
  • griffin.db
  • keyval.db
  • main.db
  • msn.db
You may also see several .db-journal files. These are the rollback journals SQLite writes during a transaction; they hold the original copies of the pages being changed and are normally deleted when the transaction commits, so if one is present, copy it along with the database.

Brass Tacks

The main.db file is the primary focus here. According to the SQLite3 documentation at www.sqlite.org:
A database file might contain one or more pages that are not in active use. Unused pages can come about, for example, when information is deleted from the database. Unused pages are stored on the freelist and are reused when additional pages are required.
This means that when the user deletes records, the space they occupied is marked free; the bytes are NOT wiped from the main.db file. The deleted records linger in free blocks inside pages and in pages on the freelist until that space is reused for new data (SQLite only zeroes freed space if secure_delete is turned on, and a VACUUM rebuilds the file without the free pages). This means you should copy that file ***now*** before any old data is truly gone. Once overwritten, it cannot be retrieved.

Richard Drinkwater, blogger at Forensics from the Sausage Factory wrote a brilliant article in April 2011 titled Carving SQLite Databases from Unallocated Sectors. He posited it could be possible to write a parsing program to retrieve these "inactive" pages in a systematic manner utilizing the SQLite header information. That's beyond my skills... but like any good caveman with a blunt instrument, it just takes the right amount of brute force to get through it.

Using the HxD Hex Editor, you can open that main.db file and view the raw bytes alongside their text rendering. There will be plenty of garbage characters and the data will be in a somewhat random order. If you're lucky you will have caught a good bit of data that the user believes they've deleted for good.

From windows explorer, right click the target main.db file and select Open With... Pick HxD Hex Editor to open the file. In HxD, click View then Select Visible Columns, check Text Only. Click File, then Export and select to export the "Editor View". You now have a more-or-less human readable record of all the IMs, chats, file sharing and records of web cam sessions. Import into Excel and search for your favorite keyword.
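To make the freelist behaviour concrete, here is an added example (not part of this post) that builds a small stand-in for main.db in Python, deletes a message, and then shows that a SQL query no longer returns it while a crude text carve of the raw file, the same thing the HxD text export gives you, still does. The Messages table here has only three of Skype's columns and the rows are constructed; the function names are this example's own. It also shows the datetime(...,'unixepoch') conversion on the live rows.

```python
"""Added example (not from the original post): reproduce, on a constructed
database, why a deleted Skype message can still be carved from main.db.

The Messages table here is a stand-in with three of the real columns
(author, timestamp, body_xml); it is not Skype's actual schema.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample rows: (author, unix timestamp in seconds UTC, body_xml)
SAMPLE_MESSAGES = [
    ("alice", 1325900664, "Dinner at eight?"),
    ("bob",   1325900700, "Please delete this after reading."),
    ("alice", 1325900760, "See you there."),
]
DELETED_BODY = SAMPLE_MESSAGES[1][2]


def build_sample_db(path):
    """Create the table, insert the rows, then delete one the way a user would."""
    con = sqlite3.connect(path)
    # secure_delete=OFF is the normal default. With it ON, SQLite zeroes freed
    # space and the carve below finds nothing.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(
        "CREATE TABLE Messages ("
        "id INTEGER PRIMARY KEY, author TEXT, timestamp INTEGER, body_xml TEXT)"
    )
    con.executemany(
        "INSERT INTO Messages (author, timestamp, body_xml) VALUES (?, ?, ?)",
        SAMPLE_MESSAGES,
    )
    con.commit()
    con.execute("DELETE FROM Messages WHERE body_xml = ?", (DELETED_BODY,))
    con.commit()
    con.close()


def live_messages(path):
    """What a SQLite browser shows: only rows the B-tree still references."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT author, datetime(timestamp, 'unixepoch'), body_xml "
        "FROM Messages ORDER BY timestamp"
    ).fetchall()
    con.close()
    return rows


def carve_strings(path, min_len=8):
    """Crude carve, like HxD's text column: every printable-ASCII run of at
    least min_len bytes anywhere in the file, whether live or freed."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def run_demo():
    """Build the sample in a temp dir; return (live rows, carved strings)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "main.db")
        build_sample_db(path)
        return live_messages(path), carve_strings(path)


if __name__ == "__main__":
    live, carved = run_demo()
    print("live rows:")
    for row in live:
        print("  ", row)
    print("carved strings containing the deleted body:")
    for s in carved:
        if DELETED_BODY in s:
            print("  ", s)
```

Run it as a script and the deleted body turns up among the carved strings; change the pragma to secure_delete = ON in build_sample_db and it disappears, which is exactly why a copy of main.db taken early is worth more than one taken later. The carve is as crude as the HxD text export: it finds readable runs, not records, so matching a recovered string back to a chat or a timestamp is still manual work.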

You may want to use a tool called Windows Grep to pull out all references to a user, keyword, or conversation code. This is a shareware app and they request you purchase a license after evaluating the tool.

Inside Main.db

For user-to-user chats, the chat name in main.db starts with a hash (#), then the Skype user name of the user who started the chat, then a slash (/). The other party's user name is preceded by a dollar sign ($) and followed by a semicolon and a 16-character hexadecimal chat code. If you only see the chat code after the dollar sign, the chat is a group chat/room. Note that this name identifies the chat, not the sender of each individual message; the author of a message is stored in its own field.

The two-character sub-folders within the Chatsync folder correspond to the first two characters of the .dat file names stored in them (the dbPath column of the Chats table points to the file). Additional data related to the conversation is stored in these files. The conversation folders in Chatsync may be empty where a conversation has been deleted by the user.

Other Handy Tools

Since main.db is a SQLite database, you can open and copy tables using SQLite Database Browser. Unfortunately, only active records are read by the database viewer. You will not see all of the records the user tried to delete.

SkypeChatsyncReader
This application reads the .dat files in the Chatsync folder and tries to reintegrate the conversations. Unfortunately, I have not had much luck with the application reading all of the deleted data. I have found that the delete process in Skype appears to clean up the .dat files before addressing main.db.

One useful aspect of this tool will provide the members belonging to a group conversation. That is, if the Chatsync files are present.

SkypeLogView
This application will provide a handy list of all messages in and out of the account. It includes voice and video. Unfortunately, it doesn't read the deleted records sitting in the free space of the database file.

Video Chat/Voice

There is nothing able to retroactively recall the contents of a video chat or a voice call. The chat session is done on a peer-to-peer basis and the content of the session is not stored. The metadata surrounding the session (participants, time, video quality, etc) may be found in main.db but there are no saved video or audio files.

There are several add-ons around that allow a Skype user to record calls and video but it is user-initiated and is not a stealthy operation. There are rumors of a trojan virus which does record audio. This is far beyond the scope of this blog entry. I wouldn't ever recommend intentionally installing a virus on any machine.

Conclusion

Get a copy of main.db now! Run it through HxD and see what kind of deleted data you can retrieve. If your partner hasn't deleted data, SkypeChatsyncReader and SkypeLogView are excellent tools to review the contents of their Skype history.

Please post questions or comments. Also, let me know if you found a tool to read from the unallocated memory of that pesky Skype main.db file.

---DNS

Tuesday, May 29, 2012

Computer Pseudo-Forensics; Tools

Where to start? Disclaimers!
1. I'm not a computer tech/analyst
2. I'm not a lawyer
3. Follow your own judgment before trying anything here. See #1 and #2 above.

Computer forensics is the scientific discipline of preserving and analyzing digital information to support legal matters. Police forensic analysts seize computers, phones and servers from bad guys and search them for child pornography, bootlegging, and details of illicit financial transactions. Lawyers often refer people to private investigators to perform computer forensics in civil matters such as divorce. A lot of information can be gained from computer forensics, but for it to be admissible as evidence it generally has to be done by an independent, qualified examiner who preserves the original data and documents every step. Given that, what I'm describing in these blog posts falls far short of the professional definition of forensics. That's why this post is titled Pseudo-Forensics.

There are an almost infinite combination of computer platforms, operating systems, and programs. I'm not familiar with every system. Most work I have done is based on Windows XP, Vista and 7.

Tools
Here are some handy tools. Most are free or low-cost and download links are provided in the hyperlinked name of the tool, below.
1. HxD Hex Editor
HxD is a free hex editor. It shows the raw bytes of a file as hexadecimal alongside their text rendering, which is handy for viewing files where a cached value may be hiding. Very useful for looking at Skype's databases.
2. SQLite Database Browser
The SQLite Database Browser is a free tool useful for exploring the SQLite databases behind the scenes of Skype and several popular browsers.
3. ChromeAnalysis, FoxAnalysis
The good people at Foxton Software have provided a freeware version of their browser analysis tools. The pay versions have many more features but weigh-in at £68.
4. ChromeCacheView, IECacheView, MozillaCacheView
The good people at NirSoft have compiled some free utilities to view the contents of popular browsers' cache folders. The contents provide URL, accessed date and give an option to extract to a folder to view the contents (useful for cached images!)
5. SkypeLogView
The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD. This will be the content of a future post.
6. SkypeChatsyncReader
A utility created by Rasmus Riis Kristensen from the Computer Crime Unit of Danish National Police. This tool reverse engineered the location of data in the .dat files of Skype.
7. PCWin Recovery
The good people at Frontier DG have a tool (about $10, I believe) which can be loaded onto a USB drive and will reset the Windows password. This is hardly a stealth operation... it wipes out the password.
8. MiniTool Power Data Recovery
The good people at MiniTool have an application which can recover deleted files from the PC, SD Cards and USB drives. The trial version allows 1GB to be recovered free. The cost of the software is around $65.
9. Thumbs.db Viewer
The good people at Janusware have created a utility to view all of those little thumbnail pictures that are created in Windows. These thumbnail images often exist long after the file itself was deleted. They offer a trial version which is relatively useless. The product costs $25 and is recommended.
10. OSForensics
The good people at Passmark Software have put out a freeware forensics suite. It is feature-heavy with the ability to clone a drive without accessing the OS, virtual drive mounting and data carving tools. However, the tool set is complicated for a non-forensic analyst to use. The pay version is about $500 and allows multiple file export, performance enhancement, unlimited data indexing and other useful features.

Spyware
We've talked mostly about looking at past data records. Monitoring and spyware will be the subject of a future post.

--- DNS