Digital Forensic Data Recovery & Analysis

Understanding Microsoft Internet Explorer Cache

June 16th, 2010 Posted in Forensic Examinations, NetAnalysis, Web Browser Forensics
Jun, 16 2010
No Comments »
The Internet Explorer disk cache is a storage folder for temporary Internet files that are written to the hard disk when a user views page from the Internet.

Internet Explorer uses a persistent cache and therefore has to download all of the content of a page (such as graphics, sound files or video) before it can be rendered and displayed to the user.

Even when the cache is set to zero percent, Internet Explorer requires a persistent cache for the current session.  The persistent cache requires 4 MB or 1 percent of the logical drive size, whichever is greater.

 
 
Disk Cache Storage Location

The disk cache location varies across operating systems and can usually be found in the following default locations:

 
Digital Detective NetAnalysis Cache Location Windows 98
 
Figure 1
 
Digital Detective NetAnalysis Cache Location Windows 2K and XP
 
Figure 2
 
Digital Detective NetAnalysis Cache Location Windows Vista and 7
 
Figure 3
 
To identify the correct location of the cache for each user, the registry hive for the particular user must be examined.  You cannot rely upon the live cache folder being in the default location.  Figure 4 shows the registry key containing the cache folder location.  Users have been known to move their cache location in an attempt to hide browsing activity.
 
 
Digital Detective NetAnalysis Cache Examination Shell Folder Location
 
Figure 4
 
 
The “User Shell Folders” subkey stores the paths to Windows Explorer folders for each user of the computer.  The entries in this subkey can appear in both the “Shell Folders” subkey and the “User Shell Folders” and in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.  The entries that appear in user “User Shell Folders” take precedence over those in “Shell Folders”. The entries that appear in HKEY_CURRENT_USER take precedence over those in HKEY_LOCAL_MACHINE.

Temporary Internet Files Folder Structure

Within the Temporary Internet Files folder, you will find a Content.IE5 folder.  This folder is the main disk cache for Internet Explorer.  Outlook Express also writes data to this location as is explained later in this article.

Inside the Content.IE5 folder, you will find a minimum of 4 cache folders.  The file names for these cache folders comprise of 8 random characters.  When further cache space is required, Internet Explorer will add additional folders in multiples of 4.  Figure 5 shows the layout of a typical Internet Explorer disk cache. 

 
 
Digital Detective Windows Forensic Analysis Microsoft Internet Explorer Cache Folders
 
Figure 5
 
 
Content.IE5 INDEX.DAT File

The cache INDEX.DAT file is a database of cache entries.  It holds information relating to individual cached items so that the browser can check whether the resource needs to be updated (eTag) and information relating to the location of the cached item.  It also stores the HTTP (Hypertext Transfer Protocol) response header for the resource.

At the start of the INDEX.DAT file, you will find a zero based array holding the names of the cache folders.  Each individual URL record contains an index value which refers to a specific folder in the array.  This allows Internet Explorer to correctly identify the location of a cached item.  This can be seen in Figure 6 below.

 
 
Digital Detective NetAnalysis INDEX.DAT Forensic Analysis
 
Figure 6
 
 
Cache File Naming Convention

As files are saved to the cache, Internet Explorer uses a specific naming convention as shown in Figure 7.  The only exception to this rule is when data is written to this location by Outlook Express.

 
 
Digital Detective Forensic Analysis of Internet Explorer Cache Naming Convention
 
Figure 7
 
 
As pages and resources are cached, they can easily end up in different folders.  Internet Explorer attempts to keep the volume of data and number of cached items across each cache folder as level as possible.�

As Internet Explorer writes files to the cache folders, it checks to see if a file with the same name already exists.  This is frequently the case when web developers do not use imaginative or descriptive names for their files.  If the file already exists within the folder, Internet Explorer will increment the counter.  If no file exists, the counter portion of the file name is set to 1.�

Files with the same naming structure within a cache folder do not necessarily belong to the same web site.  Also, multiple visits to the same web site can easily result in files with similar naming conventions being spread across all the cache folders.  Cached resources can also become orphaned when the INDEX.DAT entry is not written to disk (such as when Internet Explorer crashes before the entries are written).  Figure 8 shows a typical cache folder.  There are two files within this folder which would have had the original name “images.jpg”.  Internet Explorer has renamed them “images[1].jpg” and “images[2].jpg”.

 
 
Digital Detective Internet Explorer Forensic Cache Analysis Folder Structure
 
Figure 8
 
 
Outlook Express Email Client

Microsoft Outlook Express also uses the Content.IE5 folder as a temporary cache.  When a user selects an email message within the client, Outlook Express reads the data from the corresponding DBX file and caches the components of the email so that it can be rendered on screen for the user as an email message.�

The structure of the DBX files is such that the email message is broken down into blocks and has to be rebuilt before it can be rendered.  If the message contains any attachments, they are stored in Base64 format and stored within the file.  The attachments also have to be extracted, decoded and cached prior to rendering on screen.

As the message is rebuilt, Outlook Express saves the different elements of the message to the disk cache as a temporary file.  The naming convention is different to Internet Explorer.  In the past, some forensic examiners have not been aware of this and have incorrectly attributed data in the cache to a visit to a web page when it in fact was there as the result of viewing an email message.�

The file structure is shown in Figure 9.  The asterisk values represent hexadecimal digits.  Figure 9 also contains some example file names.

 
 
Digital Detective Forensic Analysis of Internet Explorer Cache Outlook Express Temporary File Naming Convention
 
Figure 9
 
 
Useful Links
, , , , , , ,
Read More

Microsoft Internet Explorer Daily/Weekly INDEX.DAT Files

June 15th, 2010 Posted in Forensic Examinations, NetAnalysis, Web Browser Forensics
Jun, 15 2010
No Comments »

Microsoft Internet Explorer maintains a number of INDEX.DAT files to record visits to web sites as well as to maintain cache and cookie data.  In this article, we will look at the Daily and Weekly files. 

Daily INDEX.DAT Entries

The Daily INDEX.DAT file maintains a Daily record of visited pages.  This INDEX.DAT file has an unusual HOST record entry which helps the investigator analyse the pattern of visits to a particular web site. 

The HOST record entry is used by Internet Explorer to display the hierarchical history structure when showing the user which web sites have been visited.  Each record contains a number of timestamps with the important data being stored in a FILETIME structure.  This timestamp structure contains a 64-bit value representing the number of 100-nanosecond intervals since 1st January 1601 (UTC).  The Digital Detective DCode utility can be used to convert these and other timestamp formats.

On the first daily visit to a particular web site, Internet Explorer creates a HOST entry in the INDEX.DAT record.  In effect, this entry represents the first visit to a particular HOST on specific day.  With further visits to the same web site, the HOST entry remains unchanged.  Examining the entries for the Daily INDEX.DAT will show when a web site was first and last visited during the period.  Figure 1 below shows an example of this when using the HOST filter view in NetAnalysis to look for visits to the Digital Detective web site.

NetAnalysis_Daily_Index.dat_Entries

Figure 1

Daily INDEX.DAT Timestamps

The Last Visited timestamp information is stored as two 64-bit FILETIMES located at offset 0×08 and 0×10 (Decimal 8,16).  They are stored as UTC and Local time values.  As there is no requirement to alter these timestamps, they are presented in an unaltered state in NetAnalysis as the “Last Visited [UTC]” and “Last Visited [Local]” columns.  Figure 2 and 3 summarise these timestamp values.

Digital_Detective_NetAnalysis_Daily_Timestamp_1

Figure 2

Digital_Detective_NetAnalysis_Daily_Timestamp_2

Figure 3

Establishing the Time Zone ActiveBias

As the URL records contain UTC and Local timestamps, it is possible to establish the Time Zone ActiveBias by establishing the time difference between both timestamps.  We discussed in a previous article on manually establish the system Time Zone settings.  The calculated ActiveBias information is represented in NetAnalysis by the ActiveBias column as shown in Figure 4.

Digital_Detective_NetAnalysis_ActiveBias_Column

Figure 4

NetAnalysis further uses this information to confirm the selected Time Zone is correct.  If the Time Zone ActiveBias is in conflict with the Time Zone setting in NetAnalysis, the resulting timestamps may not be represented accurately.  The calculated ActiveBias is logged to the Audit Log as shown in Figure 5. 

Digital_Detective_NetAnalysis_Audit_Log

Figure 5

If NetAnalysis detects that the Time Zone settings for the current forensic investigation are not correct, a warning dialogue will be shown immediately after the data has been imported.  Figure 4 shows the warning dialogue.

Digital_Detective_NetAnalysis_Time_Zone_Warning

Figure 4

Examination of the ActiveBias column will show which entries are in conflict with the Time Zone Settings.

Weekly INDEX.DAT Entries

At the commencement of a new browsing week, the content from the Daily INDEX.DAT files is archived into a single Weekly INDEX.DAT file.  The actual timestamp information within the binary file changes for this file type when compared to the other files.

When the Weekly INDEX.DAT file is generated, the file created timestamp is saved at offset 0×10 of every URL record.  This is different to the other INDEX.DAT records as this location usually represents the Last Visited UTC Timestamp.  Many applications (including some software which claim to be for forensic purposes) get this wrong and misrepresent this timestamp as the “Last Visited Date”. 

This timestamp is in FILETIME format and is saved as a UTC value.  This timestamp is presented within NetAnalysis in the “Date Index Created [UTC]” column.

The last visited timestamp is saved at offset 0×08 within the record as a LOCAL timestamp.  This is unusual, as FILETIME timestamps are normally saved as UTC values and the other INDEX.DAT files all contain a Last Visited timestamp with a UTC value.  With this timestamp, NetAnalysis takes the unaltered LOCAL time and saves it to the “Last Visited [Local]” column.  Unfortunately, the Last Visited UTC FILETIME value which was present in the Daily INDEX.DAT is not saved within the record and therefore has to be converted from a Local timestamp.

To calculate the UTC timestamp for the “Last Visited [UTC]” column, NetAnalysis takes the LOCAL timestamp at record offset 0×08 and converts it to UTC.  This conversion is calculated using the Time Zone value set in NetAnalysis prior to importing any data.  In doing so, dynamic daylight settings are also taken into account (as well as any year on year differences).

If a Weekly record is imported with the “No Time Zone Date/Time Adjustment” setting activated, NetAnalysis will show the LOCAL Last Visited timestamp but will not attempt to calculate the UTC timestamp.  In this case, the “Last Visited [UTC]” column will remain empty.  The “Last Visited [Local]” timestamp for Weekly entries is not changed or affected by NetAnalysis Time Zone settings.  It is left in an unaltered state.

Weekly INDEX.DAT Timestamps

The timestamp representation in NetAnalysis is shown in Figure 5 and 6 below.

Digital_Detective_NetAnalysis_Weekly_Timestamp_1

Figure 5

Digital_Detective_NetAnalysis_Weekly_Timestamp_2

Figure 6

Useful Links

, , , ,
Read More

How to Bookmark Records with NetAnalysis

June 12th, 2010 Posted in Forensic Examinations, NetAnalysis
Jun, 12 2010
No Comments »

Once you have loaded your browser history and cache data into NetAnalysis, you will begin the reviewing process looking for items of evidence which either support or undermine your current investigation.  During your review, you will identify URL records of interest which you may wish to produce in an evidential form. 

This article looks at the bookmarking process and explains how to print a summary report.  To demonstrate this, we shall use an example investigation involving the purchase of illegal firearms over the Internet.

Bookmarking

The first method we will look at is bookmarking.  NetAnalysis has a facility to allow individual records to be bookmarked.  Bookmarking allows the forensic investigator to add a text description to a specific record which can be later printed in a report. 

In this first example, we will look at the Google searches conducted by our suspect.  To filter the searches, press F8 to open the filter form and enter “Google” as a filter keyword.  Figure 1 shows the resulting search.

NetAnalysis_Search_Result

Figure 1

We can see that the first record returned contains a Google search for the phrase “sig sauer auto”.  As this URL shows our suspect searching for firearms, we will bookmark this search.  There are three possible ways to bookmark a search:

• Press the “enter” or “return” key
• Select “Add / Edit Bookmark” from the Bookmark menu; or
• Right click on the record and select “Add / Edit Bookmark”

This will then open the bookmarking window which can be seen in Figure 2.  As you can see, the form is split into two text areas.  The top text box contains a decoded version of the URL record.  The examiner will see a representation of the URL record with any encoded characters removed.  Any Name|Value pair data is also split to make the record easier to understand.

NetAnalysis_Bookmark_URL_Record

Figure 2

The text box in the lower half of the form is where you can add the bookmark information for this record (as shown in Figure 3).

NetAnalysis_Bookmark_URL_Text

Figure 3

Click OK to save this bookmark.  Now that this record has a bookmark entry associated with it, the bookmark icon will appear at the start of the URL record, as shown in Figure 4.

NetAnalysis_Bookmark_Icon

Figure 4

Advanced Evidence Report

The Advanced Evidence Report is a summary report which will show the current filtered list.  To filter only records containing bookmarks, select CTRL + F9 or select “Filter Records with Bookmarks” from the Filter menu. 

The report can be run by selecting Reports >> Advanced Evidence Report >> Preview Report or pressing CTRL + R.  The report will provide a summary of the important fields within the record and show the bookmark text (as highlighted in Figure 5).

NetAnalysis_Advanced_Report

Figure 5

References

 

,
Read More

Manual Identification of Suspect Computer Time Zone

June 4th, 2010 Posted in Forensic Data Recovery, Windows Analysis
Jun, 04 2010
No Comments »

In a digital forensic examination, establishing which Time Zone the system had been set to should one of the first examination tasks.  If this information is not established at an early stage and taken into account, the validity of Date/Time evidence may be brought into question.  Not only is this true for the examination of Browser History and related artefacts, it is also important when examining file system metadata.

I also believe this is something every examiner should be able to do manually, as opposed to relying on point and click or script forensics.  Whilst point and click certainly has a place and software tools can greatly increase the efficiency of the examination process, digital forensic practitioners need to possess the skills and ability to verify the results. 

Some Date/Time values stored in binary files are affected by the Time Zone setting of the original suspect computer and many digital forensic applications can alter the representation of these dates by the Time Zone setting of the forensic workstation. 

This becomes particularly complicated when the suspect computer was set to an incorrect Time Zone and the computer clock was set to correspond to the Local Time Zone.  Many of the Date/Time stamps store the data as UTC values.  In such circumstances, the Operating System (or application) has to convert the value from Local time to UTC.

Case Example

This was demonstrated in a case I was asked to review a number of years ago.  A computer had been seized as part of an investigation into abusive images of children.  The police had examined the computer correctly and the individual involved had been charged with offences under the Protection of Children Act 1978. 

A defence expert examined the forensic image from the computer had declared in his report that the police had tampered with the evidence and alleged that they were responsible for the illegal material as the Date/Time stamps show the material was created on the disk some four hours after it had been seized by police.

My initial examination revealed that the defence expert had not established the Time Zone settings for the system nor had he taken them into account during his examination and subsequent report.  If he had, he would have seen that the system was incorrectly set to Pacific Time and not GMT.  As far as the Operating System was concerned, the system was in Pacific Time and added 8 hours to the Local times to convert them to UTC.  This resulted in the Date/Time stamps being 8 hours in advance of the correct time.

When the defence expert stated the computer had illegal material written to the disk after the system was seized, it was in fact that this had happened some 4 hours prior to the warrant being executed at the home of the suspect.

Establishing the Current Time Zone

To establish the Time Zone setting for a Microsoft Windows system, the forensic examiner can examine the SYSTEM registry hive.  To do this, you need to establish which ControlSet was active when the computer was seized.

Time_Zone_Registry_Key

Figure 1

There you will find 4 keys detailing the Current, Default, Failed and LastKnownGood control sets.  The current control set in the screen below is set to 3.  You can also see the there are three ControlSets numbered 001 to 003.

Registry_Current_Control_Set

Figure 2

Now that this current control set has been identified, we can navigate to that location in the registry and calculate the different values as stored.  In this case, the Time Zone settings are stored here:

ControlSet003

Figure 3

The Time Zone Information for this Control Set is shown in Figure 4.

TimeZoneInformation_Registry

Figure 4

The keys are explained below.  Please note that the bias settings are stored in minutes as a signed integer.  The bias is the difference, in minutes, between UTC and local time.  All translations between UTC and local time are based on the following formula:

TimeZone_Formula

Figure 5

ActiveTimeBias

This value is the current time difference from UTC in minutes, regardless of whether daylight saving is in effect or not.  It is this value that helps establish the current Time Zone settings.  Using the formula above, take this value and add it to local time to get the UTC value.
 

Bias

This value is the normal Time difference from UTC in minutes.  This value is the number of minutes that would need to be added to a local time to return it to a UTC value.  This value will identify the Master Time Zone (Standard Time).
 

StandardBias

This value is added to the value of the Bias member to form the bias used during standard time.  In most time zones the value of this member is zero.
 

DaylightBias

This value specifies a bias value to be used during local time translations that occur during daylight time.  This value is added to the value of the Bias member to form the bias used during daylight time.  In most time zones the value of this member is –60.
 

DaylightName

The Operating System uses this name during daylight saving months to display the current time Zone setting.
 

DaylightStart

Binary data in SYSTEMTIME structure used to identify the date/time that Daylight Saving will commence in this time zone.
 

StandardName

The Operating System uses this name during daylight saving months to display the current time zone setting.
 

StandardStart

Binary data in SYSTEMTIME format used to identify the date/time that Standard Time will commence in this time zone.
 

DisableAutoDaylightTimeSet

This will only be visible if the setting to automatically adjust clock for daylight saving has been switched OFF.

Calculating Signed Integer Bias Values

Within digital systems, all data, whether they be numbers or characters are represented by strings of binary digits.  A problem arises when you want to store negative numbers.

Over the years, hardware designers have developed three different schemes for representing negative numbers: sign and magnitude, ones complement, and twos complement.  The most common method for storing negative numbers is twos complement.  With this method, the Most Significant Bit (MSB) is used to store the sign.

If the MSB is set, then this represents a NEGATIVE number.  This method affords natural arithmetic with no special rules.  To represent a negative number in twos complement notation the process is simple:

• Decide upon the number of bits (n)
• Find the binary representation of the +ve value in n-bits
• Flip all the bits (change 1 to 0 and vice versa)
• Add 1

Figure 5 below shows the binary representation of the positive number 5.

Positive_Binary_Number

Figure 5

To represent this as a negative number (using 8 bits) then the procedure above is followed.  Flip the bits as shown above and add one as shown in Figure 6.

Negative_Binary_Number

Figure 6

This method makes it extremely easy to add positive and negative numbers together.  For example:

Binary_Addition

Figure 7

It also makes it extremely easy to convert between positive and negative numbers:

Converting_Binary_Numbers

Figure 8

ActiveTimeBias

If we look once again at the ActiveTimeBias in Figure 9, you will see a signed hexadecimal value.  This can be calculated using twos complement.

Singed_Value

Figure 9

This value is stored in hexadecimal as a 32 bit value, so to work out the value it will need to be converted to binary.  Ignore the fact that on this occasion, the registry editor is showing the decimal value (4294967236) next to it; this is purely because the registry editor does not realise the value has been stored as a signed integer.

The twos complement calculation is as follows:

Singed_Integer

Convert this to binary:

Calc2

The MSB is set so we know that the above value will be negative.  The next stage is to flip all the bits.  This involves changing 1 to 0 and vice versa.  This can be achieved quickly using the logical NOT function on a scientific calculator.  You must ensure that it is set to deal with the correct number of bits.

Calc3

Add 1 bit to the value above

Calc4

And then convert that value back to decimal, remembering that we are dealing with a negative number:

Calc5

TimeZone_Note

Daylight Saving / Standard Time Start Dates

Looking at Figure 10 below, you can see two keys entitled DaylightStart and StandardStart.  They hold encoded data showing the exact commencement date/time of Daylight Saving and Standard Time.   To establish when daylight saving starts and ends, both keys will need to be decoded.

Registry_DaylightStart

Figure 10

SYSTEMTIME Structure

This data is stored in a common structure called SYTEMTIME. This structure specifies a date and time, using individual members for the month, day, year, weekday, hour, minute, second, and millisecond.

SYSTEMTIME_STRUCTURE

Figure 11

The data in DalylightStart is as follows:

Daylight_Start

Figure 12

Bytes 0 & 1 (0×0000 ) refer to the year from a 1900 time base.  This is only required if the change is year specific and will normally be zero.

Bytes 2 & 3 (0×0003 ) refer to the month, in this case March.

Bytes 4 & 5 (0×0005) refer to the week (starts at 1 and 5 means last).  In this case the last week.

Bytes 6 & 7 (0×0001) refer to the Hour.  In this case it is 0100 Hours.

Bytes 8 & 9 (0×0000) refer to the Minutes.  In this case it is Zero minutes.

Bytes 10 & 11 (0×0000) refer to the Seconds; in this case it is Zero seconds.

Bytes 12 & 13 (0×0000) refer to the Milliseconds, in this case it is Zero milliseconds.

Bytes 14 & 15 (0×0000) refer to the actual Day of the Week (Sunday = 0).  In this case it is Sunday

For our example in Figure 12, Daylight Saving Time (DST) will start on Sunday of the Last Week in March at 0100 Hours.  If we had decoded StandardStart, we would see that DST would end on Sunday of the last week of October at 0200 hours.

Links and References

, , ,
Read More

Understanding and Creating Blade Data Recovery Profiles

June 3rd, 2010 Posted in Blade, Forensic Data Recovery
Jun, 03 2010
No Comments »

To recover data with Blade, you can either use the built-in recovery profiles stored in the global profiles database or create your own bespoke recovery profile.  You do not have to possess programming knowledge to do this as with other tools.  Blade was designed so that complicated data recovery profiles could be designed quickly for effective data recovery.

 

Blade has access to two separate recovery profile databases.  The global database cannot be altered by the user and contains profiles created and distributed as part of the software.  From time to time, we will update and add to these profiles as a result of research and development.  It also allows us to create additional validation routines for specific profiles in the database. 

  

For example, the JPEG image recovery profile in the global database invokes a comprehensive validation routine to assist with accurate recovery.

 

The personal recovery profile database can hold profiles created by the user, recovery profiles copied from the global database and imported recovery profiles from colleagues and other practitioners.

 

 

Elements of a Recovery Profile

 

As you can see from the screen below, there are a number of elements which make up a recovery profile.  Blade has the ability to use more than just header/footer recovery and employs a powerful regular expression engine.

 

 

Blade_Personal_Profile_Database

  

Figure 1

 

 

Wikipedia defines them as: “Regular expressions, also referred to as REGEX or REGEXP, provide a concise and flexible means for matching strings of text, such as particular characters, words, or patterns of characters.”

 

Regular expressions allow you to create powerful recovery profiles which are capable of looking for patterns rather than specific bytes.  Some of the patterns can be extremely complicated.  Blade comes with its own Regular Expression testing utility so that signatures can be tested prior to use.

 

 

Creating a New Recovery Profile

 

With the personal recovery profile database open, click on the Add New button located on the main toolbar.  This will create a new empty profile.  We will go through each section individually so we can explain each field and create an example profile to recover Bitmap images.

 

The first pane contains the summary information for this profile.  It also contains information to allow this profile to store version information for profile version management.

 

 

Blade_Forensic_Data_Recovery_Profile

  

Figure 2

  

  

The first field is the description field.  This is the string data which will be displayed in the list of recovery profiles.  This string should be unique.  If you do happen to accidently enter a description which has already been entered, Blade will append a counter to the end of the description to ensure it remains unique.  In this field, enter the text “Example Bitmap”.

 

The File Extension field holds the extension used by Blade when it writes out any identified data.  In this field enter the text “BMP”.  There is no need to enter the dot character.

 

The category field is used to group similar types of recovery profiles.  Blade automatically generates a number of common file types and also allows you to create your own group names.  In this field, select “Graphic File Types”.

 

The author field contains a string which identifies the original author.  When you add a new profile, this field automatically defaults to the name of the licensed user or agency which is stored in the USB licence dongle.  This field can be altered at this point if you wish.

 

The date field is read only and will be automatically updated to reflect the last modified date/time for this recovery profile.  The date is in ISO format.

 

The version stamp is also automatically generated.  The version numbering format is:

 

  MajorVersion.MinorVersion.BuildNumber

 

The build number is generated automatically and is read only.  The numbers represent the year in 2 digit format and the day of the year.  In the case above, the build number refers to the 154th day of 2010.  When the profile is modified, this build number will be automatically updated. 

 

The Minor Build number will also increase by one on subsequent modifications, although the Major/Minor numbers can be modified by the author at any time.

 

Version numbers are logged in the recovery audit log (along with a breakdown of the profile) so that specific recovery versions can be recreated at any time.  In the case above, the recovery profile version is v1.0.10154. 

 

 

File Header Section

 

This section stores the information which can usually be found at the start of a file.

 

 

Blade_File_Header

  

Figure 3

 

 

The signature field holds the string regular expression which identifies that pattern of bytes at the start of a file (or segment of data).  This is sometimes referred to as the “file signature” or “magic number”.  For our Bitmap image, enter the following text:

 

  BM….\x00\x00\x00\x00….\x28

 

Bitmaps have a file signature containing two upper case characters “BM”.  The next four bytes hold a UInt32 which relates to a file length marker.  This becomes important later as we create this profile.  The dot character in the case relates to any possible value.  This is why regular expressions are particularly powerful.  For further information on creating regular expressions, see the external links at the end of this article.

 

The sector boundaries only check box allows you to select whether to ignore data which is not aligned to a sector boundary.  This will depend entirely upon which type of data you are trying to recovery.  As we wish to recover all possible Bitmap images, we are going to leave this option un-ticked.  By selecting this option, we may not recover images embedded within other file types.

 

The ignore case option will change the way the regular expression engine interprets our signature.  In our Bitmap example, selecting this option will force the engine to look for data which starts with any combination of the upper and lower case characters “BM”.  For example, it would identify “Bm”, “bM”, “BM” and “bm”.  Leaving it un-ticked means the engine will only identify the upper case characters “BM” at the start of the signature.

 

 

File Landmark Section

 

The file landmark section allows you to improve the recovery capability even further.  If you think of the file header and footers as bookends, the file landmark section refers to any data which can be found within the two boundaries.  The landmark can be found at a specific offset, or at any position within the file.  The landmark also uses regular expression patterns, and you can also select Unicode data. 

 

By ticking the Use File Landmark option, you will unlock the fields in this section.  The location drop down box allows you to select whether the landmark is floating or at a specific byte offset.  If it is at a specific byte offset, this field accepts an integer value which is relative to the file header.  For example, if you were aware of 2 static bytes (FF 0A) contained within your file at decimal offset 90, you would create the landmark as follows:

 

Blade_Example_Landmark

  

Figure 4

 

As another example, you may find the following Unicode string contained within a Microsoft Word document:

 

 

Word_Document_Unicode_Data

 

Figure 5

 

To create a landmark for this data, you would create a landmark as follows:

 

 

Blade_Example_Landmark_2

  

Figure 6

 

In our Bitmap example, we will leave this section blank disabled.

 

 

File Footer Section

 

The file footer section contains information to allow the end of the file to be found.  Not all file types contain footer data.  For example, JPEG images contain 2 bytes to represent the footer FF D9.

 

 

Blade_File_Footer

  

Figure 7

 

By selecting the Use File Footer check box, the file footer fields will be activated.  As with the other signature sections, you have the ability to use a regular expression pattern for this field.

 

The Bytes to EOF field contains a signed integer value which relates to the location of end of the file in relation to the start of the footer.  In our JPEG example above, as the footer contains two bytes FF D9, the Bytes to EOF file would be set to 2.  This indicates that the location of the start of this footer is 2 bytes prior to the end of the file. 

 

The following footer example is for HTML data and contains a regular expression designed to stop if it encounters binary (non-textual) data or the normal end of an HTML document.  This allows more accurate HTML recovery and can be used when attempting to recover text based files.

 

 

Blade_Example_Footer

  

Figure 8

  

 

For our Bitmap example, leave the footer section un-ticked as there is no recognisable footer with this file format.

 

 

Data Length and Boundary Sections

 

This section controls the length and boundary of our recovered data.  In our Bitmap example, we identified that at decimal offset 2 there was a UInt32 value which related to the length of the original file.  If we select Use Length Marker, Blade will read a length marker at the offset provided.

 

 

Blade_Data_Length_Boundary_Section

  

Figure 9

  

 

If the length marker had been of a different type, this can be selected in the Length Marker Size drop down box.  You also have the option to select little or big endian values.  For an explanation of little and big endian values, please see the link at the bottom of this article.

 

The Length Marker Relative Offset field indicates the relative location from the start of the file to the field containing the length marker. 

 

If the data is corrupt and/or the length marker contains an unreasonable value, Blade will not recover data beyond the maximum length value set in the Data Boundary pane.  In this case, the recovery log will indicate that data has been truncated and will only be recovered up to the maximum length value.  If the data length marker is smaller than the Minimum Length value, Blade will log the fact that the data is shorter than the set value and the data will not be recovered.

 

If there is no Data Length marker, Blade will recover data based on the Data Boundary settings.  The Minimum Length value prevents data which is smaller than this value from being recovered.

 

With the Maximum Length, Blade will recover data up to this value.  If Use Next File Signature as EOF is selected, it will check where the next file is located on the disk (or image) and use this as the end of the file.  In our Bitmap case, we have selected this value and set the maximum length to 25 MB.

 

When Use Next File Signature as EOF (End of File) is selected, Blade will only look for the EOF marker in the data from the start of the file to the start of the next file.

 

 

Helpful Links

  

Original Digital Detective Knowledge Base Article

Blade Forensic Data Recovery Web Site

Understanding Regular Expressions

Understanding Endiannes

Read More

Exporting and Importing Blade Recovery Profiles

June 3rd, 2010 Posted in Blade, Forensic Data Recovery
Jun, 03 2010
No Comments »

One of the nice features of Blade is the ability to exchange Recovery Profiles with colleagues and other digital forensic practitioners.  The processing of Exporting and Importing profiles is relatively simple.

 

 

Global Recovery Profile Database

 

Blade has access to two separate recovery profile databases.  The global database cannot be altered by the user and contains profiles created and distributed as part of the software.  From time to time, we will update and add to these profiles as a result of research and development.  It also allows us to create additional validation routines for specific profiles in the database. 

 

For example, the JPEG image recovery profile in the global database invokes a comprehensive validation routine to assist with accurate recovery.

 

It is also possible to copy recovery profiles from the global database to your personal database so that it can be modified or exported.  To copy a global recovery profile, right click on the profile of interest in the list pane on the left hand side of the global profile database window, or click the Copy Profile button on the main toolbar (as shown below).

 

Blade Copy Profile To Personal Database

 

 

Exporting a Recovery Profile

 

To export a personal recovery profile, first open the personal recovery profile database.  This can be done by selecting the keyboard shortcut CTRL + S, or selecting Personal Profile Database from the Tools menu.

 

Select the recovery profile from the left hand list pane and right click.  Selecting Export Profile to File will prompt you for a file name and export location.  The will create a Blade Recovery Profile File (BRPX) which can then be shared and imported into another copy of Blade.

 

Blade Export Personal Recovery Profile

 

 

Importing a Recovery Profile

 

Once you have obtained a new Recovery Profile, the import process is conducted from within the personal profile database.  Simply select Import Profile from the main toolbar.  This will prompt you to select the Blade Recovery Profile File (BRPX).

 

Once the profile has been imported, you can close the personal profile database screen, and access the new profile from the main profile list.

 

 

Links

 

Original Blade Knowledge Base Article

Blade Forensic Data Recovery

Blade Professional recovery Modules

Read More
Google Analytics integration offered by Wordpress Google Analytics Plugin