I’d been doing a bit of work with EnCase to optimize my configuration and minimize the amount of work required to view various file types or extract specific data from them. The results from this are a list of applications and a few associated options for use in employing them as viewer plugins for your forensic tool of choice.
1. Regripper
This tool, developed and maintained by Harlan Carvey, author of Windows Forensic Analysis, is a great all-purpose registry data extractor. It has many different plugins that handle extraction of different information, and I believe that Harlan updates it frequently. I sometimes browse its output by eye when digging for things that are frustratingly nonspecific.
It’s a command-line-only utility, but you can run it from within a GUI tool such as Encase by specifying CMD as the actual command, and then putting the meat into the options, such as “/c cd /d fullpathregripper&rip -r [file] -f sam&pause” this will dump the text output into the buffer of the CMD shell (which will, of course need its default size expanded), then pause until the user hits the spacebar. You can copy and paste items of note out of the buffer while it’s open if desired. I have 6 different lines of this nature in my Encase configuration to deal with the various different registry file types supported by regripper.
2. NavRoad Offline HTML Browser
Often, html files recovered from a subject’s browser cache won’t display properly in a browser because of missing content that’s expected to be downloaded directly. NavRoad gets around that, and will usually format all of an html document’s content for display.
3. 7zip
The 7zip archive browser, 7zFM, is a great way to deal with a large assortment of archive formats which may or may not be directly supported by your forensic tool of choice.
When examining downloaded multimedia web content, you often come across downloaded shockwave flash (.swf) movies. This application allows them to be played normally.
FLV is a different flash video format. I’ve found it typically used for youtube content.
6. VideoLAN VLC
I’ve found this open source multimedia player application to be one of the most reliable ways to play almost any audio/video content. There’s no need to download any special codecs. The only things I’ve found so far that it won’t play are flash and some of the realmedia formats. It may also have issues with DRM protected files, but I haven’t run into any yet.
7. RealPlayer
As mentioned above, VLC has issues with some of real.com’s special formats, so I also include their player as a viewer.
There are a number of applications that store cache or configuration data in the sqlite database format. I’ve mentioned a couple of them in previous blog postings. This application lets you examine the data contained in such a database directly.
9. Exiftool
I originally obtained this tool specifically for extracting embedded metadata from within .jpg files. I’ve since discovered that it also does a pretty good job on MS Office documents, and examination of the documentation shows that it supports a plethora of other file types.
10. AccessPDF pdftk
This tool is specifically designed to extract metadata from within PDF documents. Like regripper above, it’s a command-line-only tool, so executing it from within a GUI application takes some finagling. As with regripper, I use CMD as the application, and put the meat in the options, “/c fullpathpdftk-1.12pdftk.exe [file] dump_data output - & pause”.
Another GUI application for extracting metadata from MS Office documents.
I dug up this utility while working on analyzing the content of gmail datapack files. It’s able to take the text from one of those files and format it so that it’s easy to make visual sense of. I don’t use it a lot, but I think it’s handy.
13. Extract
Extract is a command line utility that’s provided as part of the open-source libextractor library for linux. It’s what metagoofil uses to extract metadata, and was the first metadata viewer that I attempted to install. By dint of much persistence, I was able to compile it under Windows using the current version of cygwin. I also had to download and install the following packages (most of them were just trying to get PDF extraction to work, and not all of them may have actually been necessary): freetype-2.3.1, lesstif-0.95.0, libgsf-1.14.10, libmpeg2-0.5.1, t1lib-5.1.0, xpdf-3.02. This may or may not actually be worth the work, as I’m not sure that it extracts any data that the other metadata viewers I’ve found since (see above) do not.
14. Please add comments with file types you can’t browse, or file browsers that you think are useful
I’ll start the ball rolling. I’m looking for something I can use to play .qtch Quicktime cache files. Alternatively, I’d like to at least be able to determine what the URL download was that caused the creation of the cache file. Does anybody know anything that can be done with these files?
As always, you’re also welcome to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy.
John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.
fuente:http://sansforensics.wordpress.com/2008/12/17/windows-viewers-information-extractors-for-various-file-types/
Entradas
No hay comentarios:
Publicar un comentario