A Little Help with Volume Shadow Copies

Wednesday, April 20, 2011 Posted by Corey Harrell 0 comments
********** 02/06/12 Update **********

I changed the script since I made this post. For more info refer to the post Ripping VSCs – Practitioner Method

**********                         **********

This post is about a batch script I wrote to help automate accessing Volume Shadow Copies (VSCs). I'm not going to discuss the forensic value of VSCs or different ways to access them since I couldn't add to what is already out there. For this type of information check out Harlan's Assessing Volume Shadow Copies post including the links he provides (one link is to Troy Larson's presentation slides), Lee Whitfield's Into the Shadows write-up, or the QCCIS whitepaper on recovering data from Volume Shadow Copies (this paper is the source of the for loops in my batch file). The information I can add is discussing a problem I was facing and how I addressed it. Recently, I've been working with VSCs on different volumes in different systems. When accessing the VSCs I found myself doing the same thing over and over again which was:

* Using the vssadmin list shadows command to list the VSCs for a specific volume. At times I'd redirect the command's output to a text file for documentation purposes.

* Changing the for loop with the mklink command to reflect the VSCs I wanted hard links created for.

* Running the for loop with the mklink command to create the hard links.

* Examining the data of interest in the VSCs.

* Changing the for loop with the rd command to reflect the hard links I wanted to delete.

* Running the for loop with the rd command to delete the hard links.

Going through the above process worked fine. However, I wanted a faster way to access the VSCs without always having to make changes to a saved command or batch file. I'd rather just run one script that allowed me to specify what action to take and what VSCs to create links for. So I read a few articles on batch files and this is the solution I came up with to meet my need. I thought a few screenshots would help show the functionality of the script before I posted the code.

Menu appears when batch file is executed

List VSCs selection shows the option to save output to a text file

List VSCs selection prompts for volume to list the VSCs for

List VSCs selection showing that the C volume doesn't have any VSCs

Create links selection prompts for the range of VSCs to create hard links for

Remove links selection prompts for the range of hard links to delete
 As the screenshots show, the batch file made things a lot easier and I no longer have to keep changing saved commands or simple batch files. Now I just run a script and specify a few parameters so I can focus on the data I'm after in the VSCs. The text below is the batch file I'm talking about. To create a batch file for yourself, copy the text into a text file and save the file with a .bat extension. It can be run from anywhere on the forensic workstation that's being used to examine the VSCs. Enjoy ...

@echo off
REM Author: Corey Harrell (Journey into IR)
REM The batch file can be executed from anywhere on a computer by double-clicking on it or calling it from the command line
REM The only change required is the name and location of the hard links being created. The script uses C:\vsc so this can be changed for your environment
REM Script starts here ...
REM The goto statement below makes the script process the menu function.
goto :menu
:menu
     REM The menu function allows you to select one of the following: list all of the VSCs for a drive, create hard links to VSCs, or remove hard links pointing to VSCs
     echo Press 1 to list the Volume Shadow Copies on a drive
     echo Press 2 to create hard links to Volume Shadow Copies on a drive
     echo Press 3 to remove hard links to Volume Shadow Copies
     echo Press 4 to exit
     set /p selection= Enter your selection:
     cls
     REM The if statements below makes the script process a specific function based on the selection made.
     if %selection% == 1 goto :listvsc
     if %selection% == 2 goto :makelink
     if %selection% == 3 goto :removelink
     REM Selection 4 is to exit the script and this will result in the goto below being called
     goto :EOF
:listvsc
     REM The listsvc function list the Volume Shadow Copies for the selected drive
     setlocal
     REM The line below lets you save a text file listing the VSCs injunction with the VSCs being displayed on the screen. This is helpful if the listing of VSCs has to be documented.
     set /p output=Do you want the output to be saved as a text file [y/n]
     cls
     echo Enter the letter of the drive to list the Volume Shadow Copies for (do not include the colon)
     set /p drive=Enter the drive letter:
     cls
     REM The if statement below will create a text file listing the VSCs if this option was slected. The output file is created in the same folder where the batch file is executed from.
      if %output%== y (vssadmin list shadows /for=%drive%: > list-vscs.txt)
     vssadmin list shadows /for=%drive%:
     echo The Volume Shadow Copies for the %drive% drive have been listed
     pause
     endlocal
     cls
     REM The goto statement below makes the script loop back to the menu
     goto :menu
:makelink
     REM makelink function creates hard links to the VSCs lists for the selected drive
     echo Configuring what Volume Shadow Copies to create hard links for
     REM The next part of the script sets the variables for the start and end parameters in the for loop.
     setlocal
     REM The vssadmin list shadows command provides the VSC numbers. The start parameter is the first VSC to create a link to while the end parameter is the last VSC to create a link to.
     set /p start=Enter the VSC number to start with:
     set /p end=Enter the VSC number to stop at:
     cls
     REM The script uses c:\vsc for the location and name of the hard links. The location (c:) and name (vsc) of the hard links can be changed to whatever you choose
     for /l %%f in (%start%,1,%end%) do mklink /j c:\vsc%%f \\?\GLOBALROOT\Device\HardDiskVolumeShadowCopy%%f\
     echo Hard links created for VSC %start% to %end%
     pause
     cls
     endlocal
     REM The goto statement below makes the script loop back to the menu
     goto :menu
:removelink
     REM removelink function removes the hard links to VSCs that were created on the computer
     echo Configuring the hard links to remove.
     REM The next part of the script sets the variables for the start and end parameters in the for loop.
     setlocal
     REM The start and stop parameters are for the numbers in the names of the hard links
     set /p start=Enter the number in the name of the hard link to start at:
     set /p end=Enter the number in the name of the hard link to stop at:
     cls
     REM The location and name of the hard links below must be changed to match what was used in the makelink function
     for /l %%f in (%start%,1,%end%) do rd c:\vsc%%f
     echo Hard links removed for link %start% to %end%
     pause
     cls
     endlocal
     REM The goto statement below makes the script loop back to the menu
     goto :menu

Introducing the Digital Forensics Search

Saturday, April 9, 2011 Posted by Corey Harrell 6 comments
Have you ever run a *insert search engine* search to locate information about an artifact only to find a listing of mostly irrelevant hits? A lot of time is wasted going through the irrelevant hits to locate the few websites with information that helps you better see how the artifacts fit into your forensic examination. Wouldn't it be better if the majority of the search hits were in the context of digital forensics or incident response, thereby making the hits more relevant to your forensic examination? Here is the formal introduction of the Digital Forensic Search engine.

The combination of the Yahoo Win4n6 group's discussion about David Kovar's post The Fragmentation of the digital forensics community, hooked-on-mnemonics blog post Malware Analysis Search, and writing my last post on searching RSS feeds inspired me to want to search for information a different way. A more effective way is to use a custom search engine that's configured to only search blogs, groups, forums, or any other sites related to digital forensics and incident response. Digital Forensic Search is a custom Google search and in a way I think it harnesses the collective knowledge and research of the people/organizations who share information back to the forensics community.

Digital Forensic Search results in more search hits which are in the realm of digital forensics and incident response. Depending on the artifact being researched, the search hits may result in information on the artifact, tools to extract data from the artifact, and how the artifact affected other practitioners' examinations. For example, perform a search for the keyword "link file" (include the quotes) in your favorite search engine. The first 10 hits in my search only included one digital forensics hit while the other hits were for information not beneficial to any type of forensic investigation. Run the same search in the Digital Forensic Search and it results in the majority of the hits being directly related to link files in the context of a digital forensic examination. Three of the hits on the first page were an article about the Evidentiary Value of Link Files on Forensic Focus, Richard Drinkwater's blog post Link Files in System Restore Points, and the article The Meaning of Link Files in Forensic Examinations on the Computer Forensics Miscellany website.

If anyone still isn't convinced in the value of a custom search then I recommend performing a couple of searches between *insert search engine* and Digital Forensic Search. A few potential topics to search on are: comdlg32, tool validation, evidence collection, timeline analysis, or volume shadow copies. The searches should show that Digital Forensic Search has more relevant hits related to digital forensic and incident response which results in it being one effective method to locate information.

This post is where I'm going to be maintaining the list of sites included in the Digital Forensic Search so any updates to the index will be reflected below. The repository tries to focus on sites containing information on digital forensics and incident response as opposed to tool specific sites. With this in mind, if you see any sites missing or URLs with too much noise (such as job postings) then post a comment or send me an email.

Digital Forensic Search can be found at the top of jIIr or directly at this link:

http://www.google.com/cse/home?cx=011905220571137173365:7eskxxzhjj8


**********Sites Last Updated on 08/19/2014**********

The following is the listing of sites indexed by the Digital Forensic:

DFIR Blogs

A Geek Raised by Wolves  http://jessekornblum.livejournal.com/
A Renaissance Security Professional  http://renaissancesecurity.blogspot.com/
An Eye on Forensics  http://eyeonforensics.blogspot.com/
Active Security  http://active-security.blogspot.com/
Andrew Hay  http://www.andrewhay.ca
All things time related http://blog.kiddaland.net/
American Destroyer http://megadeus.com/
Another Forensics Blog  http://az4n6.blogspot.com/
Anton Chuvakin  http://blogs.gartner.com/anton-chuvakin
appointments-uk  http://appointments-uk.blogspot.com/
Ball In Your Court  http://ballinyourcourt.wordpress.com/
Blog Matt Churchill  http://mattchurchill.net/blog/
Bradley Schatz on the intersection of technology and the law  http://blog.schatzforensic.com.au/
BriMor Labs  http://brimorlabs.blogspot.com
Browser Forensics  http://www.browserforensics.com/
c-APT-ure  http://c-apt-ure.blogspot.com/
cci  http://takahiroharuyama.github.io/
Cellular.Sherlock - Mobile Forensics from the front lines  http://blog.csvance.com/
Cheeky4n6Monkey - Learning About Digital Forensics  http://cheeky4n6monkey.blogspot.com/
Chip_DFIR  http://chipdfir.blogspot.co.uk/
Chris Sanders  http://chrissanders.org/
Christa Miller  http://christammiller.com/
CnW Recovery  http://cnwrecovery.blogspot.com/
Codeslack  http://codeslack.blogspot.com/
Command Line Kung Fu  http://blog.commandlinekungfu.com/
Computer Forensic Blog  http://computer.forensikblog.de/en/
Computer Forensic Graduate  http://computerforensicgraduate.wordpress.com
Computer Forensic Source  http://forensicsource.blogspot.com/
Computer Forensics and IR - What's New  http://newinforensics.blogspot.com/
Computer Forensics, Malware Analysis & Digital Investigations  http://www.forensickb.com/
Computer Forensics-E-Discovery Tips-Tricks and Information  http://cfed-ttf.blogspot.com/
ComputerForensicSource.com  http://www.computerforensicsource.com/
Consortium of Digital Forensic Specialists CDFS Blog  http://www.cdfs.org/blog/
copgeek018  http://copgeek018.wordpress.com/
Crucial Security Forensics Blog http://crucialsecurityblog.harris.com/
CSITech - Computer Forensics  http://nickfurneaux.blogspot.com/
Cyber Security Maven -- Techie  http://cybersecuritymave-techie.blogspot.com
CyberSpeak's Podcast  http://cyberspeak.libsyn.com/
Cylance Blog  http://blog.cylance.com
Dancho Danchev's Blog - Mind Streams of Information Security Knowledge  http://ddanchev.blogspot.com/
Default Deny  http://kurtaubuchon.blogspot.com/
Derek Newton « Information Security Insights http://dereknewton.com/
DF Procedures and Musings  http://dfprocedures.blogspot.com
DFF and Open Sourse Digitial Forensics blog http://www.digital-forensic.org/blog/
Digital Forensics Solutions  http://dfsforensics.blogspot.com/
Enterprise Detection & Response  http://detect-respond.blogspot.com
Every Bit Counts  http://forensicmatt.blogspot.com

Ex Forensis  http://exforensis.blogspot.com/
FireEye Malware Intelligence Lab  http://blog.fireeye.com/research/
Forensic 4cast  http://www.forensic4cast.com/
forensic . seccure . net  http://seccure.blogspot.com/
Forensic Artifacts  http://forensicartifacts.com/
Forensic Computing — Digital forensics from the view of a computer scientist  http://www.forensicblog.org/
Forensics For the Newbs  http://forensicnewbs.wordpress.com/
Forensic Incident Response  http://forensicir.blogspot.com/
Forensic interviews  http://f-interviews.com/
Forensic Methods http://forensicmethods.com/
Forensic Photoshop  http://forensicphotoshop.blogspot.com/
Forensicaliente - because digital forensics is "hot"  http://forensicaliente.blogspot.com/
Forensically sound(ing off) http://marshalla99.wordpress.com/
Forensicator Of The Dead  http://forensicotd.blogspot.com/
Forensics from London  http://forensiccontrol.blogspot.com/
Forensics from the sausage factory  http://forensicsfromthesausagefactory.blogspot.com/
ForensicZone  http://forensiczone.blogspot.com/
Fun with Lost Bits n Bytes  http://blog.roberthaist.com
G33k G1r1 goes Binary  http://g33k-g1rl.blogspot.com/
Geoff Black's Forensic Gremlins - Everything that gives you fits in Digital
Ghetto Forensics  http://www.ghettoforensics.com
Girl, Unallocated  http://girlunallocated.blogspot.com/
GPS Evidence Tracking Issues http://gpsevidence.blogspot.com/
Grand Stream Dreams  http://grandstreamdreams.blogspot.com/
Forensics and E-Discovery  http://www.geoffblack.com/
Hacking Exposed Computer Forensics blog  http://hackingexposedcomputerforensicsblog.blogspot.com/
HandlerDiaries  http://blog.handlerdiaries.com
Happy As A Monkey  http://happyasamonkey.wordpress.com/
Hexacorn Blog  http://www.hexacorn.com/blog/
HeX-OR Forensics  http://nicoleibrahim.com
HolisticInfoSec http://holisticinfosec.blogspot.com/
InfoSec Insights  http://blog.seanmason.com
integriography A Journal of Broken Locks, Ethics, and Computer Forensics  http://integriography.wordpress.com/
Internet Storm Center Diary  http://isc.sans.edu/
JonRajewski  http://www.jonrajewski.com/cyberblog/
Journey into Incident Response  http://journeyintoir.blogspot.com/
JustAskWeg  http://justaskweg.com
Lenny Zeltser on Information Security  http://blog.zeltser.com
Linux Sleuthing  http://linuxsleuthing.blogspot.com/
Lowmanio (digital forensic category)  http://www.lowmanio.co.uk/blog/categories/digital-forensics/
Macaroni Forensics  http://macaroniforensics.blogspot.com/
man allyn-blog http://allynstott.blogspot.com/
Matthieu Suiche’s blog ! - Happiness only real when shared.  http://www.msuiche.net/
Malware Analysis Blog  http://www.malanalysis.com/blog/
Mark Russinovich's Blog  http://blogs.technet.com/b/markrussinovich/
McGrew Security Blog  http://www.mcgrewsecurity.com/
Memory Forensics  http://memoryforensics.blogspot.com/
MetaDatum  http://metadatum.me
MNIN Security  http://www.malwarecookbook.com/
MNIN Security Blog  http://mnin.blogspot.com/
Mobile Device Forensics  http://mobileforensics.wordpress.com/
Mobile Forensics Inc Blogger  http://blog.mobileforensicsinc.com/
Mobile Telephone Evidence  http://trewmte.blogspot.com/
Post Humorous  http://www.posthumorous.com/
Practical Digital Forensics http://practicaldigitalforensics.blogspot.com/
Propeller Head Forensics  http://propellerheadforensics.com/
Push the Red Button  http://moyix.blogspot.com/
RAM Slack – Random Thoughts from a Computer Forensic Examiner  http://ramslack.wordpress.com/
Riij morf tnetnoc siht elots I  http://journeyintoir.blogspot.com
Ryan Stillions  http://ryanstillions.blogspot.com

SANs Penetration Testing Blog  http://pen-testing.sans.org/blog
Sketchymoose's Blog  http://sketchymoose.blogspot.com/
Security Ripcord  http://www.cutawaysecurity.com/blog/
Securosis Blog  https://securosis.com/blog
Sempersecurus http://sempersecurus.blogspot.com/
Sergio Hernando http://www.sahw.com/wp/
Scudette in Wonderland  http://scudette.blogspot.com/
Student of Security http://mikeahrendt.blogspot.com/
Sucuri Blog  http://blog.sucuri.net
System Forensics  http://www.sysforensics.org/
Seculert  http://blog.seculert.com/
Secureartisan http://secureartisan.wordpress.com/
Security Braindump  http://securitybraindump.blogspot.com/
TaoSecurity  http://taosecurity.blogspot.com/
Taksati  http://taksati.wordpress.com/
The Cave  http://cyb3rdaw6.harpermountain.net/
The Digital Standard  http://thedigitalstandard.blogspot.com/
The Digital4rensics Blog  http://www.digital4rensics.com/
The Forensics Ferret Blog http://forensicsferret.wordpress.com/
The Last Line of Defense  http://blog.tllod.com/
Trace Evidence  http://traceevidence.blogspot.com
trustedsignal -- blog  http://trustedsignal.blogspot.com/
Unchained Forensics  http://unchainedforensics.blogspot.com/
Unmask Parisites blog  http://blog.unmaskparasites.com/
ViaForensics  https://viaforensics.com/blog/
Volatility Advanced Memory Forensics  http://volatility.tumblr.com/
Windows Incident Response  http://windowsir.blogspot.com/
WriteBlocked  http://writeblocked.org/
Wyatt Roersma Blog  http://www.wyattroersma.com/
Yogesh Khatri's forensic blog  http://www.swiftforensics.com/
Zena Forensics  http://blog.digital-forensics.it/
Zscaler  http://research.zscaler.com/

DFIR Websites

Brian Carrier Digital Investigation - Forensics and Evidence Research  http://www.digital-evidence.org/
CERIAS Reports and Papers Archive  https://www.cerias.purdue.edu/apps/reports_and_papers/
Computer Crime & Intellectual Property Section US DOJ  http://www.justice.gov/criminal/cybercrime/
Computer Forensics Miscellany  http://computerforensics.parsonage.co.uk/
Craig Gall Helping Lawyers Master Technology  http://www.craigball.com/
DFRWS (Digital Forensics Research Conference)  http://www.dfrws.org/
Digital Forensics Magazine supporting the professional computer security industry  http://www.digitalforensicsmagazine.com/
Digital Forensics Solutions' Research http://www.digitalforensicssolutions.com/research.shtml
ENSIA CERT  http://www.enisa.europa.eu/act/cert/
E-Evidence Information Center - Home  http://www.e-evidence.info/
FIRST - Improving security together  http://www.first.org/
Forensic Focus  www.forensicfocus.com/
Forensic Magazine Issues  http://www.forensicmag.com/
Forensics Wiki  http://www.forensicswiki.org/
HolisticInfoSec toolsmith http://holisticinfosec.org/toolsmith
Inside the registry  http://www.insidetheregistry.com/regdatabase/
I-Sight's Investigations http://i-sight.com/investigation/
International Journal of Digital Evidence on Utica College  http://www.utica.edu/academic/institutes/ecii/ijde/
Into The Boxes  http://intotheboxes.wordpress.com/
IronGeek's InfoSec Articles http://www.irongeek.com/i.php?page=security/
Journal of Digital Forensics, Security and Law  http://www.jdfsl.org/
Lenny Zeltser  http://zeltser.com/
log2timeline  http://log2timeline.net/
mnin.org  http://www.mnin.org/
Mobile Forensics Central  http://www.mobileforensicscentral.com/
National Institute of Justice Publications  http://nij.gov/nij/pubs-sum/
National White Collar Crime Center  http://www.nw3c.org/
Network Forensics Puzzle Contest  http://forensicscontest.com/
NIST Computer Security Division Special Publications  http://csrc.nist.gov/publications/nistpubs/
Open Source Digital Forensics  http://www2.opensourceforensics.org/
SANs Computer Forensics  http://computer-forensics.sans.org/
SANS InfoSec Reading Room - Forensics  http://www.sans.org/reading_room/whitepapers/forensics/
SANS InfoSec Reading Room - Incident Handling  http://www.sans.org/reading_room/whitepapers/incident/
SANS InfoSec Reading Room - Malicious Code  http://www.sans.org/reading_room/whitepapers/malicious/
SANS InfoSec Reading Room - Steganography  http://www.sans.org/reading_room/whitepapers/stenganography/
SANs Summit Archives  http://digital-forensics.sans.org/summit-archives
Small Scale Digital Device Forensics Journal  http://www.ssddfj.org/
SWGDE  http://www.swgde.org/
The Honeynet Project Challenges  https://www.honeynet.org/challenges/
Welcome AppleExaminer  http://www.appleexaminer.com/
Williballenthin.com  http://williballenthin.com

DFIR Webpages

AuSCERT Forming an Incident Response Team  http://www.auscert.org.au/render.html?it=2252&cid=1938
Cybercrime.gov searching and seizing manual  http://www.cybercrime.gov/ssmanual/index.html
Daubert v. Merrell Dow Pharmaceuticals  http://www.law.cornell.edu/supct/html/92-102.ZS.html
Default Processes in Windows 2000  http://support.microsoft.com/kb/263201
Digital Evidence: Standards and Principles  http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm
Digitalcorpora Disk Images  http://digitalcorpora.org/corpora/disk-images/
FileSignatures Table  http://www.garykessler.net/library/file_sigs.html
Forensically interesting spots in the Windows 7, Vista and XP file system and registry (and anti-forensics)  http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
Microsoft Windows XP - Default settings for services  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx?mfr=true
QQIS Whitepapers  http://qccis.com/resources/publications/
RFC 3227 - Guidelines for Evidence Collection and Archiving  http://www.rfc-archive.org/getrfc.php?rfc=3227
SEI Handbook for Incident Response Teams  http://www.sei.cmu.edu/library/abstracts/reports/03hb002.cfm
Windows 7 Default Services and Suggested Startup Mode  http://www.windowsnetworking.com/articles_tutorials/Windows-7-Default-Services-Suggested-Startup-Mode.html

DFIR Groups

Yahoo Win4n6 Group  http://tech.groups.yahoo.com/group/win4n6/
Yahoo Linux Forensics Group  http://tech.groups.yahoo.com/group/linux_forensics/ 
The Vol-users Archives  http://lists.volatilesystems.com/pipermail/vol-users/

DFIR Tool Websites

Digital Forensics Framework Wiki  http://wiki.digital-forensic.org/
Jafat Archive of Forensic Analysis Tools  http://jafat.sourceforge.net/
Joakim Schicht  https://github.com/jschicht
Live View  http://liveview.sourceforge.net/
md5deep and hashdeep  http://md5deep.sourceforge.net/
mft2csv  http://code.google.com/p/mft2csv
MiTec  http://www.mitec.cz/
My SecTools  http://www.mysectools.com/
NirSoft  http://www.nirsoft.net/
OpenSourceForensics  http://code.google.com/p/opensourceforensics/
plaso - home of the super timeline  http://plaso.kiddaland.net
pydetective  http://code.google.com/p/pydetective/
Registry Decoder  http://code.google.com/p/registrydecoder/
Registry Decoder Live  http://code.google.com/p/regdecoderlive/
RegRipper  http://regripper.wordpress.com/
Rekall Memory Forensic Framework  http://www.rekall-forensic.com
Shadow Explorer  http://www.shadowexplorer.com/
Sleuthkit  http://www.sleuthkit.org/
TZWorks LLC  http://www.tzworks.net/
Volatility An advanced memory forensics framework  http://code.google.com/p/volatility/
Winforensicaanalysis  http://code.google.com/p/winforensicaanalysis/
Windows Forensic Environment  http://winfe.wordpress.com/
Woanware  http://www.woanware.co.uk/

DFIR Tool Webpages

Digital Detective - Free Tools  http://www.digital-detective.net/digital-forensic-software/free-tools/
Forensic Control Free Computer Forensic Tools  http://forensiccontrol.com/resources/free-software/
HB Gary Free Security Tools  http://www.hbgary.com/free-tools
Mandiant Free Software  http://www.mandiant.com/products/free_software
QCC Information Security Free Forensic Tools  http://www.qccis.com/forensic-tools
RedWolf Computer Forensics http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55
Sanderson Forensics Free Utilities  http://www.sandersonforensics.com/content.asp?page=15

How do you use your feeds?

Tuesday, April 5, 2011 Posted by Corey Harrell 0 comments
A feed reader is a valuable resource since the software manages the content from websites such as news sites, blogs, or other online publishers. A reader not only enables you to stay informed of the latest content from the sites but it also enables content to be leverage to help keep your knowledge current and to assist with research for your investigations. This post is about how I’ve been using RSS feeds to help keep my knowledge current and conduct research.

Before I discovered the value of RSS feeds I wasted a lot of time and energy on trying to stay current with the latest content from information security and digital forensics websites. Periodically I checked the sites to see if anything was new, I wasted time trying to find an article I read but couldn’t remember where, and I struggled to remember all of the articles/posts I wanted to read on new sites I came across. Needless to say this was the wrong approach so I turned to RSS feeds to help me manage this content.

Getting Started with Feeds

RSS (Rich Site Summary) is a “format for delivering regularly changing web content”. A feed reader is software that downloads feeds from various sites and stores them for a person to read and use. The first and only program I tested was FeedReader and this has become my reader of choice. The software has no fees and a range of capabilities to read, collect, and organize web content using RSS or Atom feeds. I’m not going to go into detail about FeedReader’s features or its configuration since I wanted to focus on the benefit of feeds.

Right away I knew the one feature I wanted in any reader was portability. I use numerous computers between work and home so I didn’t want to be tied to one system or have to worry about syncing content between systems. FeedReader can either be installed on a computer using the installer or the zip package can be used for the program to run from a thumb drive. I opted for the latter option and this has allowed me to have access to the web content no matter where I am. Plus an additional benefit is being able to access the content stored in the database without needing Internet access.

Adding Feeds

There are different ways to find digital forensics and incident response related websites. Most blogs have an area where the authors share links or blogs they follow. Authors’ may also include links to content on other sites in their posts/articles. Following all of these links can lead to interesting sites that can be used to create a collection of feeds. In addition to blogs and news sites, I’ve been working on adding social media sites, such as Twitter, to my feed collection. After the sites are located then the next step is to determine if a site supports RSS or Atom feeds. One quick way to determine this is to look for the icon in the web browser. The picture below shows the icon highlighted in Firefox and Internet Explorer.

Adding feeds to a reader will vary depending on the program being used. FeedReader supports adding the following types: feeds, smartfeeds, and search feeds. My current FeedReader database consists of 159 feeds, 20,031 news (downloaded web content), 141 unread news, and the database is only 76 MB. I organized the content into folders to make it easier to manage. The picture below shows FeedReader’s interface and the web content downloaded from jIIr. Unread items are highlighted in bold and the numbers to the left of the folders show the amount of unread content in that folder.

Leverage the Feeds

FeedReader automatically downloads feeds from sites and this saves me a lot of time since I no longer have to periodically check sites for new content. The reader allows me to stay informed about the latest content and helps me organize the content. This isn’t the only benefit of a reader because another benefit is the ability to search the content for research or investigations. To see how it's possible I’ll perform three different searches against my FeedReader’s database.

The first search will be on random topic and Internet Explorer 8 InPrivate browsing feature is the first thing I thought about. The feature enables users to surf the web without leaving any traces of their activity on the computer being used. To obtain information about this feature I performed a search against my feeds using the keyword inprivate. The following is the summary of three of the keyword hits:

* Derek Newton’s blog post Internet Explorer InPrivate URL Artifacts. The post discusses a few areas that could contain InPrivate URL artifacts and how those areas can be searched.

* Digital Detective’s blog post NetAnalysis v1.50 - New Release and the post advertizes that Netanalysis can recover data from InPrivate browsing.

* Computer Forensics and IR – What’s New blog post Internet Evidence Finder - new release and more and the post mentions how IEF is able to recovery IE8 URLs.

The previous search showed how to locate information on a random topic. The search located research on InPrivate browsing artifacts and three possible ways to try to recover data from InPrivate browsing. The next search will illustrate how the feeds can help in obtaining more information about an artifact found during an investigation. If the investigation involves the activity of a user account then one of the artifacts of interest could be the UserAssist key in the Ntuser.dat registry hive. A search was conducted using the keyword userassist and the following is a summary of some of the hits.

* ForensicArtifacts blog post UserAssist which is a write-up about what the key is and contains useful references about the key.

* Richard Drinkwater’s Forensics from the Sausage Factory blog post Prefetch and User Assist. This write-up was about determining how often a program was ran and one of the areas that provided this information was the UserAssist key.

* Harlan Carvey’s Windows IP blog post Accessing Volume Shadow Copies where he discusses how the registry key could be analyzed in Volume Shadow Copies.

* Chris Pogue’s Digital Standard blog post The “Not So” Perfect Keylogger. In this write-up the UserAssist key showed the initial execution of a keylogger.

* Into the Boxes Digital Forensics and Incident Response Magazine Issue 0x0. Didier Stevens wrote an article for this issue about the Windows 7 Userassist Registry key.

* Dave Hull’s post Digital Forensics: Detecting time stamp manipulation on the SANs forensics blog. This write-up was about identifying time stamp manipulation and the UserAssist key was one of the artifacts including in a timeline.

The previous search showed the potential wealth of information that could be obtained about an artifact of interest. The last search will illustrate how the feeds can help in conducting research about an item such as an email. The picture below shows an email that was in one of my throw away email accounts and this email will be used for this demonstration.

The email appears to be a notification from the United Parcel Service and the attachment is supposed to contain the tracking number and more information about a shipment. This is the type of email I would do additional research on so I can learn more about the Spamming campaign and the artifacts left on a system by opening the attachment. The first keyword I searched for was the name of the attachment which was upsnotify. This only resulted in one hit in my feeds and this was for the post Spamvertised United Parcel Service notifications serve malware on Dancho Danchev's blog - Mind Streams of Information Security Knowledge. His post was about the current spam campaign impersonating UPS for malware serving purposes. The information covered was the detection rates for the attachment contents, additional executables downloaded, and domains contacted. I wanted more information so I ran another search using the keyword United Parcel Service. The following is the summary of some of the keyword hits:

* MXLab blog post “United Parcel Service notification” from UPS contains trojan. The post discusses how MXlab started receiving a new trojan distribution campaign by email with the subject “United Parcel Service notification" and it provides some information about the email.

* MXLab blog post “United Parcel Service notification 48161” from UPS contains trojan. This write-up is about the SPAM campaign and provides details about the spoofed email address, URLs the Trojan downloads data from, payload artifacts created on the system, and processes started on system.

* Microsoft Malware Protection Center post Trojan downloader Chepvil on the UPSwing. The post discusses the email campaign and the attachment that was detected as TrojanDownloader:Win32/Chepvil.I.

* There were a couple of tweets mentioning the SPAM email as well.

The searches against my feeds provided a wealth of information. I was able to determine an email sitting in my Inbox was a part of a Spamming campaign and identified some of the potential artifacts on a system where the attachment was opened. The two other searches located information on how to recover the InPrivate browsing data and a wealth of information about the UserAssist key.

The best part about the moving to a feed reader is that I have access to the information at any time since it is stored in the RSS feed database stored on the thumb drive. Sometimes it feels like I have a portable Google in my pocket.
Labels: ,