MFTDump V.1.3.0 Released

MFTDump version V.1.3.0 has been released. This version contains a bug fix related to the correct column listing of dates/times. Please update to this release and discontinue using earlier versions. Special thanks to Tone Surfer for tracking down this bug and alerting me.

MD5 = 303C17A98F09775ED2A59FF2294C20BB

SHA1 = 229A85938E4227FA9B1DDADCBAB528E807B86BE9

As always, your feedback on our tools or this blog is welcome.



Image a Hard Disk Using FTK Imager (How-To)

Although it is not ideal, sometimes you need to acquire a forensic disk image from a live system. This is often the case when you cannot take the host out of service for a dead disk acquisition. There are also times you need to rely on IT or security personnel to acquire a disk image, despite the fact they are not trained in modern forensic practices.

To guide you through an accepted method of acquiring a disk image from a live host, I have published a detailed ‘How-To’ titled “Image a Disk Using FTK Imager.” FTK Imager is AccessData’s free imaging tool that is used around the world by forensic experts. If you follow the detailed steps in this document, you can correctly acquire a disk image that can be sent securely to a forensic examiner for analysis.


McAfee Command Line Scanner Project (MCLSP) V.1.2

Today I am releasing a new version (v.1.2) of the McAfee Command Line Scanner Project (MCLSP). Recently, users have been complaining that the custom A/V scan ISO exceeds 700 MB in size. This makes it impossible to use on hosts that have older CD drives. I determined the cause of the bloat was development updates to the Wine project. It seems a number of Microsoft font packages have been added. One of those font packages is more than 50 MB in size!

This new version no longer downloads required packages from the Internet. Instead, a new folder (pkg) has been added to the build system that contains all required .deb packages. Now the size of the custom ISO is only 569 MB. I also added two new build scripts that allow you to build a ‘report-only’ ISO that reports but does not clean malware off a host, or a ‘clean-files’ ISO that cleans/deletes malware found on a host.

Special thanks to Stephen Del Vecchio for reporting the big ISO problem. He also took the time to scrub the build scripts and edit the project documentation.

Hope you enjoy this new release.


NOTE: This project is not affiliated with McAfee. It respects all licenses, trademarks, copyrights, patents, and intellectual property of McAfee, Inc. of Santa Clara, CA. You are expected to do the same.

Introducing PFDump Forensic Tool

Seasoned forensic investigators know the value of Windows prefetch files. A prefetch file is created by a mechanism Windows uses to increase the performance of the program loader. These files contain important program loader information such as DLL dependencies, module sizes, file paths, last run date, run count, etc. The value of prefetch files to an investigator is significant.

Unfortunately, most commercial forensic tools do not provide an easy way to examine this treasure of forensic evidence. So, like any other problem – instead of complaining about it I did something about it.

Today, I am releasing PFDump to the forensic community.

The tool has the following features:

  • Lightweight, fast, and flexible command line tool.
  • Extracts forensic metadata from a Windows prefetch file.
  • Analyzes a single prefetch file or a folder containing multiple prefetch files.
  • Analyzes prefetch files on a live system for incident responders.
  • Dumps prefetch metadata to stdout, TXT, HTML, or XML files.
  • Computes MD5 and SHA1 hashes for each prefetch file.
  • Self-contained binary – no other dependencies.
  • Runs on Windows XP, Vista, 7.
  • Documentation is included in the download zip file.

Common uses include:

  • Identifying applications run on a Windows host and when.
  • Identifying the full path to an executable run on a Windows host.
  • Identifying how many times an application has been run.
  • Searching and sorting application execution time.
  • Creating a timeline of applications run on a Windows host.

Download the tool and let me know how it works for you.
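As an added illustration of what a tool like PFDump reads from a prefetch file (this is example code written for this page, not PFDump's source), the following Python parses the uncompressed XP/Vista/7 layout: it checks the SCCA signature and declared size, then pulls the executable name, prefetch hash, last-run time, run count and the list of loaded files. The field offsets follow the public prefetch format documentation; the sample file, its paths, hash and counts are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)            # FILETIME epoch
# (last-run FILETIME offset, run-count offset) for the uncompressed layouts PFDump targets:
# version 17 = XP/2003, version 23 = Vista/7, per the public prefetch format documentation.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}

def filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)         # 100 ns ticks since 1601

def parse_prefetch(data):
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not an uncompressed prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    size = struct.unpack_from("<I", data, 0x0C)[0]
    if size != len(data):
        raise ValueError("header says %d bytes, file has %d (truncated?)" % (size, len(data)))
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]                # hash used in the .pf name
    # File-information block starts at 0x54; filename-strings offset/size sit at +16/+20.
    str_off, str_size = struct.unpack_from("<II", data, 0x54 + 16)
    if str_off + str_size > len(data):
        raise ValueError("filename strings block lies outside the file")
    loaded = [n for n in data[str_off:str_off + str_size].decode("utf-16-le").split("\x00") if n]
    run_off, cnt_off = LAYOUT[version]
    return {"version": version, "exe": exe, "hash": "%08X" % pf_hash,
            "last_run": filetime(struct.unpack_from("<Q", data, run_off)[0]),
            "run_count": struct.unpack_from("<I", data, cnt_off)[0],
            "loaded_files": loaded}

def build_sample_v23():
    # Constructed minimal Vista/7 (version 23) prefetch file; paths, hash and counts are made up.
    names = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CALC.EXE"]
    strings = "".join(n + "\x00" for n in names).encode("utf-16-le")
    info = bytearray(156)                                   # version-23 file-information block
    struct.pack_into("<II", info, 16, 0x54 + len(info), len(strings))
    ticks = int((datetime(2011, 1, 1, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    struct.pack_into("<Q", info, 44, ticks)                 # last run time
    struct.pack_into("<I", info, 68, 7)                     # run count
    hdr = bytearray(0x54)
    struct.pack_into("<I4s", hdr, 0, 23, b"SCCA")
    struct.pack_into("<I", hdr, 0x0C, 0x54 + len(info) + len(strings))
    hdr[0x10:0x4C] = "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0x3E0F9C4D)
    return bytes(hdr + info + strings)
```

Windows 8 and later write a different layout (and Windows 10 compresses the file), so the parser deliberately rejects any version it does not know rather than reading fields at the wrong offsets.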


Introducing MFTDump Forensic Tool

I have been looking for a forensic tool that dumps the contents of an NTFS volume’s $MFT file for some time. Unable to find one that suits my needs, I decided to dig into the internal structures of NTFS and write one. Today, I am releasing MFTDump to the forensic community.

The tool is designed for forensic examiners and incident responders who need a quick method to extract and examine file metadata from an NTFS volume.

The tool has the following features:

  • Lightweight, fast, and flexible command line tool.
  • Extracts NTFS file metadata from an $MFT file.
  • Dumps filenames to stdout for fast searches.
  • Dumps alternate data streams to stdout.
  • Has three output report formats: short, standard, and long.
  • Zip feature reduces size of output report on disk.
  • Self-contained binary – no other dependencies.
  • Runs on Windows 2000, XP, Vista, 7, Server 2003 and 2008.
  • FAQ and Quick-Start Guide documentation.

Common uses include:

  • Searching an NTFS volume for specific file name(s).
  • Identifying alternate data streams (ADS).
  • Identifying file attributes such as deleted, hidden, system, etc.
  • Searching and sorting files based on MAC times (Modified, Accessed, and Created).
  • Creating a timeline of activity on a filesystem.

Download the tool and let me know how it works for you.
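To show what “identifying alternate data streams” means at the $MFT level, here is an added Python example (written for this page, not MFTDump’s code) that parses one 1024-byte FILE record: it undoes the update-sequence fixups, walks the attribute list and reports every $DATA stream, where a named $DATA is an ADS. The record it parses is constructed inline; the header and attribute layout follow the public NTFS documentation and are assumed correct for a standard 1024-byte record.

```python
import struct

def unfix(raw):
    # Undo update-sequence fixups: on disk the last 2 bytes of every 512-byte sector hold
    # the update sequence number (USN); the real bytes are saved in the USA in the header.
    rec, (usa, cnt) = bytearray(raw), struct.unpack_from("<HH", raw, 4)
    for i in range(1, cnt):
        if rec[i * 512 - 2:i * 512] != rec[usa:usa + 2]:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % (i - 1))
        rec[i * 512 - 2:i * 512] = rec[usa + 2 * i:usa + 2 * i + 2]
    return bytes(rec)

def data_streams(raw):
    # Walk the attribute list of one FILE record. Every $DATA attribute (type 0x80) is a
    # stream; a $DATA with a non-empty name is an alternate data stream (ADS).
    if raw[:4] != b"FILE":
        raise ValueError("bad FILE record signature")
    rec = unfix(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)     # first attribute offset, flags
    streams = []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18 or off + alen > len(rec):
            break                                          # end marker or malformed entry
        if atype == 0x80:
            nlen, noff = struct.unpack_from("<BH", rec, off + 9)
            streams.append(rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le"))
        off += alen
    return {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "streams": streams}

def res_attr(atype, name, body):
    # Constructed resident attribute: 24-byte header, UTF-16LE name, 8-byte-aligned body.
    boff = (0x18 + len(name) + 7) & ~7
    total = (boff + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name) // 2, 0x18, 0, 0, len(body), boff, 0, 0)
    return (hdr + name).ljust(boff, b"\0") + body.ljust(total - boff, b"\0")

def build_sample_record():
    # Constructed 1024-byte in-use record: a 600-byte unnamed $DATA (straddles the first sector end, so the fixup matters) plus a Zone.Identifier ADS.
    attrs = (res_attr(0x80, b"", b"A" * 600)
             + res_attr(0x80, "Zone.Identifier".encode("utf-16-le"), b"[ZoneTransfer]\r\nZoneId=3\r\n")
             + b"\xff" * 4)                               # end-of-attributes marker
    rec = bytearray(1024)
    rec[:4], rec[0x38:0x38 + len(attrs)] = b"FILE", attrs
    struct.pack_into("<HHQHHHH", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1)  # USA@0x30 x3, attrs@0x38, in use
    rec[0x30:0x32] = b"\x01\x00"                          # USN
    for i in (1, 2):   # apply fixups: save each sector's real last 2 bytes, overwrite with the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x01\x00"
    return bytes(rec)
```

Skipping the fixup step is a common parser bug: without it, two bytes in every sector still hold the USN, which silently corrupts any attribute body that crosses a sector boundary.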


Encrypt a hard disk volume using TrueCrypt (How-To)

In my forensic work, I quite often have to send/receive forensic disk images to/from clients via FedEx or UPS. Since it is never a good idea to send digital data unencrypted via a common carrier, I encrypt hard disk volumes that contain forensic images using TrueCrypt.

To introduce you to TrueCrypt and walk you through the process of encrypting a hard disk volume, I wrote up a detailed ‘How-To’ titled “Encrypt a Hard Disk Volume Using TrueCrypt.” I think you will agree, TrueCrypt is an amazing open-source project. I suggest you also consider encrypting hard disk volumes that contain your backups or any other sensitive data.


Introducing the McAfee Command Line Scanner Project

After many weeks of research and experimentation, I am releasing the McAfee Command Line Scanner Project (MCLSP) as my first free tool. This project contains everything you need to build a custom live Ubuntu Linux distribution (distro) that runs the McAfee Windows A/V Command Line Scanner. For many years I used the BartPE tools to build bootable Windows CDs/DVDs to perform McAfee A/V scans. I got tired of BSODs caused by missing or incorrect drivers. So – I built a better malware fighting tool based on Linux.

As an emergency incident responder, I quite often encounter malware that is so pervasive there is no efficient way to eradicate it with the host Windows OS running. Scanning in Safe Mode usually doesn’t work in these situations either. With the MCLSP you can create a live Ubuntu ISO that will boot a Windows host into Linux and automatically scan all FAT/NTFS volumes for malware. Windows is nowhere to be found.

I have written extensive documentation for Linux pros and newbies alike. You can download the tool and the docs on the Free Tools page.

Remember – the correct way to remediate a compromised computer is to re-image. When that is not feasible – consider a thorough A/V scan using this tool. Please let me know how the tool works for you and what improvements you would like to see.

How ironic is it that you need Linux to correctly remediate a compromised Windows box?

NOTE: This project is not affiliated with McAfee. It respects all licenses, trademarks, copyrights, patents, and intellectual property of McAfee, Inc. of Santa Clara, CA. You are expected to do the same.

Install Ubuntu Linux on external USB hard drive (How-To)

If you are a beginning or intermediate Linux enthusiast, this ‘How-To’ provides an in-depth, step-by-step guide on how to install Ubuntu Linux 10.04 (Lucid Lynx) on an external USB hard drive. You can purchase one of these drives for less than $50 US. Having a full and bootable Ubuntu distro on one of these drives provides greater flexibility than installing it on a dedicated workstation.

I am a huge fan of Ubuntu Linux. Ever since the release 06.06 (‘Dapper Drake’) on August 10, 2006, Ubuntu has been my distro of choice. I always carry a bootable USB stick containing the latest distro loaded with tools. It is really incredible how handy this is in my day-to-day IR and forensic work. I am also a big fan of those small portable external USB drives sold by Western Digital, Seagate, Toshiba, etc.

It is quite easy to install Ubuntu Linux on an external USB drive. I have about half a dozen of these drives with Ubuntu installed – dedicated to specific purposes. One of these drives is used as my development and test environment for my soon-to-be-released (and free) McAfee Command Line Scanner Project (MCLSP). I will have more to say about this in future posts; suffice it to say this project provides a bootable version of Ubuntu Linux that runs the ‘McAfee Windows Command Line Scanner’ on Linux! This is one very cool tool.

Download the ‘How-To’ and give Ubuntu Linux a test drive. One word of caution for those of you who are wondering if the install instructions will work on a USB thumb drive. The answer is yes, it will work. I suggest, however, that you don’t do it. I have tested it and discovered that running a full-blown version of Ubuntu from a thumb drive is agonizingly slow. Remember, ‘installing’ a Linux distro on a thumb drive is different than creating a ‘ramdisk’ version. I will have more to say about this later.


Secure and un-clutter your life (How-To)

If you are like me, you have little tolerance for unsolicited telemarketing calls and junk mail credit card and insurance solicitations. Another concern we share as security professionals is identity theft. About a year ago, I did a lot of research into these topics and developed a systematic approach to end the intrusive calls, remove 95% of the junk mail in my residential mailbox, and lock down my credit.

I wrote a ‘How-To’ to walk you through the simple steps of taking back ownership of your phones, mailbox and credit. The document is posted on the ‘How-To’ page. These simple steps really work. The only calls I get are from organizations that Congress (foolishly) exempted from the ‘Do-Not-Call’ laws, such as political campaigns and non-profits. I get zero credit card and insurance solicitations. I also have security freezes on my credit with all three bureaus, making it nearly impossible for anyone to obtain an extension of credit in my name without my knowing about it.

Download this ‘How-To’ and send it to your friends and relatives.


My little corner of the Internet

I am a digital security consultant currently working for Foundstone, a division of McAfee. Long on my ‘To-Do’ list is an entry to create a blog. On the last day of 2010 – I can check this item as complete. I now have a blog.

The focus of my blog is emergency incident response (IR) and digital forensics. This is my world. What I love to do. In fact, I spend most of my life on the road helping organizations deal with emergency security incidents.

Here I will post items of interest I learn along the way. I also have a passion for creating useful (and free) IR and forensic tools. I will post these also as I complete the proper documentation.

I am committed to fighting Internet evil, even if it has to be done one computer at a time.

Tonight I will raise my champagne glass and honor all you ‘White Hats’ who fight the good fight and never give up.