Archive for the ‘Forensics’ Category

MFTDump V.1.3.0 Released

MFTDump version V.1.3.0 has been released. This version contains a bug fix related to the correct column listing of dates/times. Please update to this release and discontinue using earlier versions. Special thanks to Tone Surfer for tracking down this bug and alerting me.

MD5 = 303C17A98F09775ED2A59FF2294C20BB

SHA1 = 229A85938E4227FA9B1DDADCBAB528E807B86BE9

As always, your feedback on our tools or this blog is welcome.



Image a Hard Disk Using FTK Imager (How-To)

Although it is not ideal, sometimes you need to acquire a forensic disk image from a live system. This is often the case when you cannot take the host out of service for a dead-disk acquisition. There are also times you need to rely on IT or security personnel to acquire a disk image, even though they are not trained in modern forensic practices.

To guide you through an accepted method of acquiring a disk image from a live host, I have published a detailed ‘How-To’ titled “Image a Disk Using FTK Imager.” FTK Imager is AccessData’s free imaging tool, used around the world by forensic examiners. If you follow the detailed steps in this document, you can correctly acquire a disk image that can be sent securely to a forensic examiner for analysis.
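Whichever tool acquires the image, the hashes it reports are what the examiner at the other end checks, and the same goes for a downloaded tool such as the MFTDump zip whose MD5 and SHA1 are published above. The script below is an added example for this page (not code from FTK Imager or from this blog's tools): it reads a file once, computes both digests, and compares them case-insensitively with the published values. The file name, sample content and the hypothetical `verify.py` invocation are constructed for illustration.

```python
"""Compute the MD5 and SHA1 of a large file in a single pass and compare them
with the digests the acquisition tool or download page published.
Added example for this page, not code from FTK Imager or this blog's tools."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep a multi-GB image out of RAM


def hash_file(path):
    """Return {'md5': hex, 'sha1': hex, 'size': bytes}, reading the file once."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def verify_file(path, expected_md5=None, expected_sha1=None):
    """Compare computed digests with published ones; returns (all_match, details).

    Published values are often upper-case (as at the top of this page), so the
    comparison normalises case; a digest that was not supplied is skipped."""
    actual = hash_file(path)
    details, ok = dict(actual), True
    for algo, expected in (("md5", expected_md5), ("sha1", expected_sha1)):
        if expected is None:
            continue
        match = hmac.compare_digest(actual[algo], expected.strip().lower())
        details[algo + "_match"] = match
        ok = ok and match
    return ok, details


def demo():
    """Constructed sample file with known digests, checked once correctly and once
    against a wrong MD5 to show that a single mismatch fails the verification."""
    sample = b"constructed sample image data\n" * 1000  # not a real image
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dd")
        with open(path, "wb") as fh:
            fh.write(sample)
        published_sha1 = hashlib.sha1(sample).hexdigest().upper()  # as a tool prints it
        ok, _ = verify_file(path, expected_sha1=published_sha1)
        bad_ok, bad = verify_file(path, expected_md5="0" * 32, expected_sha1=published_sha1)
    return ok, bad_ok, bad["md5_match"], bad["sha1_match"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: verify.py IMAGE [MD5] [SHA1]
        matched, info = verify_file(sys.argv[1], *sys.argv[2:4])
        print(info)
        sys.exit(0 if matched else 1)
    print(demo())
```

Run with no arguments it exercises the constructed sample; with `verify.py image.dd <MD5> <SHA1>` it exits non-zero on any mismatch, which makes it easy to chain into a transfer script so an image whose hashes do not match is never accepted for analysis.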


McAfee Command Line Scanner Project (MCLSP) V.1.2

Today I am releasing a new version (v.1.2) of the McAfee Command Line Scanner Project (MCLSP). Recently, users have been complaining that the custom A/V scan ISO exceeds 700 MB in size. This makes it impossible to use on hosts that have older CD drives. I determined the cause of the bloat was development updates to the Wine project. It seems a number of Microsoft font packages have been added. One of those font packages is more than 50 MB in size!

This new version no longer downloads required packages from the Internet. Instead, a new folder (pkg) has been added to the build system that contains all required .deb packages. Now the size of the custom ISO is only 569 MB. I also added two new build scripts that allow you to build a ‘report-only’ ISO that reports but does not clean malware off a host, or a ‘clean-files’ ISO that cleans/deletes malware found on a host.

Special thanks to Stephen Del Vecchio for reporting the big ISO problem. He also took the time to scrub the build scripts and edit the project documentation.

Hope you enjoy this new release.


NOTE: This project is not affiliated with McAfee. It respects all licenses, trademarks, copyrights, patents, and intellectual property of McAfee, Inc. of Santa Clara, CA. You are expected to do the same.

Introducing PFDump Forensic Tool

Seasoned forensic investigators know the value of Windows prefetch files. A prefetch file is created by the mechanism Windows uses to speed up the program loader. These files contain important loader information such as DLL dependencies, module sizes, file paths, last run date, run count, etc. Their value to an investigator is significant.

Unfortunately, most commercial forensic tools do not provide an easy way to examine this treasure of forensic evidence. So, like any other problem – instead of complaining about it I did something about it.

Today, I am releasing PFDump to the forensic community.

The tool has the following features:

  • Lightweight, fast, and flexible command line tool.
  • Extracts forensic metadata from a Windows prefetch file.
  • Analyzes a single prefetch file or a folder containing multiple prefetch files.
  • Analyzes prefetch files on a live system for incident responders.
  • Dumps prefetch metadata to stdout, TXT, HTML, or XML files.
  • Computes MD5 and SHA1 hashes for each prefetch file.
  • Self-contained binary – no other dependencies.
  • Runs on Windows XP, Vista, 7.
  • Documentation is included in the download zip file.

Common uses include:

  • Identifying applications run on a Windows host and when.
  • Identifying the full path to an executable run on a Windows host.
  • Identifying how many times an application has been run.
  • Searching and sorting applications by execution time.
  • Creating a timeline of applications run on a Windows host.

Download the tool and let me know how it works for you.
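To show what is actually inside a prefetch file, here is an added example that is not PFDump's own code: a small parser that pulls the executable name, prefetch hash, last run time(s), run count and loaded-module paths from a .pf file, and checks that the hash in the file's name matches the hash in its header (a mismatch means the file was renamed or copied in from another host). It covers the format versions this post targets, 17 (XP/2003) and 23 (Vista/7), and also version 26 (Windows 8), whose only layout difference is that it stores eight last-run timestamps. The sample file it builds for itself (NOTEPAD.EXE, hash 0x1A2B3C4D, the module paths) is constructed test data, not a capture from a real machine.

```python
"""Extract from a Windows prefetch (.pf) file the metadata PFDump reports: format
version, executable name, prefetch hash, last run time(s), run count and the
loaded-module paths in the filename strings section.
Added example for this page, not PFDump's own code. It handles format versions
17 (XP/2003) and 23 (Vista/7), which the post targets, and also 26 (Windows 8),
whose only layout difference is eight last-run timestamps instead of one."""
import os
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE, HEADER_LEN = b"SCCA", 84
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (offset of the last-run FILETIME(s) inside the file-information block,
#             how many FILETIMEs, offset of the run count)
LAYOUT = {17: (36, 1, 60), 23: (44, 1, 68), 26: (44, 8, 124)}
INFO_LEN = {17: 68, 23: 156, 26: 224}

def filetime_to_datetime(raw):  # 100 ns ticks since 1601-01-01 UTC; 0 = never run
    return None if raw == 0 else EPOCH + timedelta(microseconds=raw // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_prefetch(data, pf_filename=None):
    """Return the prefetch metadata as a dict; ValueError on a malformed file."""
    version, sig, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if sig != SIGNATURE:
        raise ValueError("bad signature %r (Windows 10 .pf files are MAM-compressed)" % sig)
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch format version %d" % version)
    if size != len(data):
        raise ValueError("header says %d bytes but file is %d (truncated?)" % (size, len(data)))
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    header_hash = struct.unpack_from("<I", data, 76)[0]
    info = HEADER_LEN  # file-information block follows the 84-byte header
    names_off, names_size, _vols_off, vols_n = struct.unpack_from("<IIII", data, info + 16)
    time_off, n_times, count_off = LAYOUT[version]
    raw_times = struct.unpack_from("<%dQ" % n_times, data, info + time_off)
    run_count = struct.unpack_from("<I", data, info + count_off)[0]
    if names_off + names_size > len(data):
        raise ValueError("filename strings section runs past end of file")
    blob = data[names_off:names_off + names_size].decode("utf-16-le", errors="replace")
    modules = [s for s in blob.split("\x00") if s]
    result = {
        "version": version, "exe_name": exe_name, "prefetch_hash": header_hash,
        "run_count": run_count, "volume_count": vols_n,
        "last_run_times": [filetime_to_datetime(t) for t in raw_times],
        "modules": modules,
        # the executable's own full path is one of the module strings
        "exe_paths": [m for m in modules if m.upper().endswith("\\" + exe_name.upper())],
    }
    if pf_filename:
        # On disk the file is EXENAME-XXXXXXXX.pf; a hex part that differs from the
        # header hash means the file was renamed or brought over from another host.
        stem = os.path.basename(pf_filename).rsplit(".", 1)[0]
        try:
            result["filename_hash_matches"] = int(stem.rsplit("-", 1)[-1], 16) == header_hash
        except ValueError:
            result["filename_hash_matches"] = False
    return result

def build_prefetch(version, exe_name, pf_hash, last_run, run_count, modules):
    """Construct a minimal prefetch file (test data, not a capture from a real host);
    the metrics, trace-chain and volume sections are left empty."""
    names = "".join(m + "\x00" for m in modules).encode("utf-16-le")
    names_off = HEADER_LEN + INFO_LEN[version]
    total = names_off + len(names)
    header = struct.pack("<I4sII", version, SIGNATURE, 0x11, total)
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", pf_hash, 0)
    info = bytearray(INFO_LEN[version])
    struct.pack_into("<9I", info, 0, names_off, 0, names_off, 0, names_off, len(names), total, 1, 0)
    time_off, _n, count_off = LAYOUT[version]
    struct.pack_into("<Q", info, time_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", info, count_off, run_count)
    return header + bytes(info) + names

def sample_prefetch(version=23):
    """Constructed sample: NOTEPAD.EXE run 7 times, last on 2011-03-04 12:30:15 UTC."""
    return build_prefetch(version, "NOTEPAD.EXE", 0x1A2B3C4D,
                          datetime(2011, 3, 4, 12, 30, 15, tzinfo=timezone.utc), 7,
                          ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
                           "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"])

if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]  # e.g. C:\Windows\Prefetch\*.pf on a live host, or a copied folder
    if not paths:
        print(parse_prefetch(sample_prefetch(), "NOTEPAD.EXE-1A2B3C4D.pf"))
    for path in paths:
        with open(path, "rb") as fh:
            r = parse_prefetch(fh.read(), path)
        print(path, r["exe_name"], r["run_count"], r["last_run_times"][0], r["filename_hash_matches"])
```

Two things worth noting when running this against real files: the last run time is stored as a FILETIME in UTC, so convert to local time only at reporting stage, and Windows 10 prefetch files begin with `MAM\x04` rather than `SCCA` because they are compressed, which this parser deliberately rejects rather than misreading.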


Introducing MFTDump Forensic Tool

I have been looking for a forensic tool that dumps the contents of an NTFS volume’s $MFT file for some time. Unable to find one that suits my needs, I decided to dig into the internal structures of NTFS and write one. Today, I am releasing MFTDump to the forensic community.

The tool is designed for forensic examiners and incident responders who need a quick method to extract and examine file metadata from an NTFS volume.

The tool has the following features:

  • Lightweight, fast, and flexible command line tool.
  • Extracts NTFS file metadata from an $MFT file.
  • Dumps filenames to stdout for fast searches.
  • Dumps alternate data streams to stdout.
  • Has three output report formats: short, standard, and long.
  • Zip feature reduces size of output report on disk.
  • Self-contained binary – no other dependencies.
  • Runs on Windows 2000, XP, Vista, 7, Server 2003 and 2008.
  • FAQ and Quick-Start Guide documentation.

Common uses include:

  • Searching an NTFS volume for specific file name(s).
  • Identifying alternate data streams (ADS).
  • Identifying file attributes such as deleted, hidden, system, etc.
  • Searching and sorting files based on MAC times (Modified, Accessed, and Created).
  • Creating a timeline of activity on a filesystem.

Download the tool and let me know how it works for you.
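For readers who want to see where the metadata in the list above comes from, here is an added example (not MFTDump's own code) that parses a single 1024-byte $MFT FILE record: the in-use/deleted and directory flags, the file name, the $STANDARD_INFORMATION and $FILE_NAME timestamps, the attribute flags (hidden, system, etc.) and every $DATA stream, the named ones being alternate data streams. It applies the update sequence ("fixup") array before reading anything, which is the step home-grown parsers most often skip and which silently corrupts the last two bytes of every sector if omitted, and it flags the classic timestomping sign of a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one. The record it builds for itself (record 1234, `report.docx`, a `Zone.Identifier` stream) is constructed test data, not a record from any real volume.

```python
"""Parse one NTFS $MFT FILE record the way MFTDump reports it: in-use/deleted and
directory flags, file name, $STANDARD_INFORMATION and $FILE_NAME timestamps
(created, modified, MFT changed, accessed), attribute flags and every $DATA
stream, the named ones being alternate data streams.
Added example for this page, not MFTDump's own code."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE, SECTOR, ATTR_END = 1024, 512, 0xFFFFFFFF
STD_INFO, FILE_NAME, DATA = 0x10, 0x30, 0x80
FLAG_IN_USE, FLAG_DIRECTORY, NS_DOS = 0x01, 0x02, 2  # NS_DOS: 8.3 short-name namespace

def ft(raw):  # FILETIME: 100 ns ticks since 1601-01-01 UTC, 0 = unset
    return None if raw == 0 else EPOCH + timedelta(microseconds=raw // 10)

def to_ft(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def apply_fixups(rec):
    """Put the real last two bytes of each sector back from the update sequence array."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write or corrupt record)" % i)
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(raw):
    if raw[:4] != b"FILE":
        return None  # zeroed slot or a BAAD record
    rec = apply_fixups(raw)
    seq, links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq, "links": links,
           "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
           "name": None, "si_times": None, "fn_times": None, "si_flags": 0, "streams": []}
    while off + 16 <= len(rec):  # walk the attribute list up to the 0xFFFFFFFF end marker
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 16 or off + alen > len(rec):
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        aname = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if nonres:  # content lives in clusters; only its real size is in the header
            content = None
            size = struct.unpack_from("<Q", rec, off + 0x30)[0] if alen >= 0x38 else 0
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content, size = rec[off + coff:off + coff + clen], clen
        if atype == STD_INFO and content:
            out["si_times"] = [ft(t) for t in struct.unpack_from("<4Q", content, 0)]
            out["si_flags"] = struct.unpack_from("<I", content, 32)[0]  # 0x02 hidden, 0x04 system
        elif atype == FILE_NAME and content:
            nlen, ns = struct.unpack_from("<BB", content, 64)
            if ns != NS_DOS or out["name"] is None:  # prefer the long name over the 8.3 one
                out["name"] = content[66:66 + 2 * nlen].decode("utf-16-le")
                out["fn_times"] = [ft(t) for t in struct.unpack_from("<4Q", content, 8)]
        elif atype == DATA:
            out["streams"].append({"name": aname, "size": size, "resident": not nonres, "data": content})
        off += alen
    out["ads"] = [s["name"] for s in out["streams"] if s["name"]]
    # $FILE_NAME times are set only by the kernel, so a $STANDARD_INFORMATION creation
    # time that predates the $FILE_NAME one is the classic timestomping indicator
    if out["si_times"] and out["fn_times"] and out["si_times"][0] and out["fn_times"][0]:
        out["si_before_fn"] = out["si_times"][0] < out["fn_times"][0]
    return out

def resident_attr(atype, content, name=""):
    nb = name.encode("utf-16-le")
    coff = (24 + len(nb) + 7) & ~7
    alen = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, len(name), 24, 0, 0, len(content), coff, 0, 0)
    return (hdr + nb).ljust(coff, b"\x00") + content.ljust(alen - coff, b"\x00")

def build_mft_record(number, name, si_times, fn_times, streams, in_use=True, si_flags=0x20):
    """Constructed 1024-byte FILE record with resident attributes and a real fixup
    array (test data, not from any real volume); streams = [(stream_name, bytes)]."""
    si = struct.pack("<4Q", *map(to_ft, si_times)) + struct.pack("<I", si_flags).ljust(16, b"\x00")
    fn = (struct.pack("<Q", 5 | (5 << 48)) + struct.pack("<4Q", *map(to_ft, fn_times))
          + struct.pack("<QQIIBB", 0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le"))
    attrs = resident_attr(STD_INFO, si) + resident_attr(FILE_NAME, fn)
    for sname, data in streams:
        attrs += resident_attr(DATA, data, sname)
    attrs += struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, FLAG_IN_USE if in_use else 0,
                      0x38 + len(attrs), RECORD_SIZE, 0, 3 + len(streams), 0, number)
    rec = bytearray(hdr.ljust(0x38, b"\x00") + attrs).ljust(RECORD_SIZE, b"\x00")
    usn = b"\x37\x13"  # arbitrary update sequence number
    rec[0x30:0x32] = usn
    for i in (1, 2):  # park each sector's real tail bytes in the array, write the USN in their place
        pos = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[pos:pos + 2] = rec[pos:pos + 2], usn
    return bytes(rec)

def sample_record(deleted=False):
    """Constructed sample: report.docx with a Zone.Identifier ADS, hidden flag set, and a
    $STANDARD_INFORMATION creation time earlier than $FILE_NAME's (timestomped)."""
    t = datetime(2010, 6, 1, 9, 0, 0, tzinfo=timezone.utc)
    si = [datetime(2004, 1, 1, tzinfo=timezone.utc), t, t, t]
    return build_mft_record(1234, "report.docx", si, [t] * 4,
                            [("", b"x" * 400), ("Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n")],
                            in_use=not deleted, si_flags=0x20 | 0x02)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:  # an $MFT extracted from a volume image
        while len(raw := fh.read(RECORD_SIZE)) == RECORD_SIZE:
            if (r := parse_mft_record(raw)) is not None:
                print(r["record"], "in-use" if r["in_use"] else "deleted", r["name"], r["ads"])
```

The constructed record's unnamed $DATA stream deliberately straddles the 512-byte sector boundary, so the parser only sees the stream's true content because the fixup bytes were restored; feed the same record in with one of those tail bytes altered and `apply_fixups` refuses it instead of returning silently wrong data. Deleted entries are just records without the in-use flag whose attributes are still intact, which is why a tool like MFTDump can list them alongside live files.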


Encrypt a hard disk volume using TrueCrypt (How-To)

In my forensic work, I quite often have to send/receive forensic disk images to/from clients via FedEx or UPS. Since it is never a good idea to send digital data unencrypted via a common carrier, I encrypt hard disk volumes that contain forensic images using TrueCrypt.

To introduce you to TrueCrypt and walk you through the process of encrypting a hard disk volume, I wrote up a detailed ‘How-To’ titled “Encrypt a Hard Disk Volume Using TrueCrypt.” I think you will agree, TrueCrypt is an amazing open-source project. I suggest you also consider encrypting hard disk volumes that contain your backups or any other sensitive data. (Note that TrueCrypt development ended in 2014; VeraCrypt is its maintained successor and can open TrueCrypt volumes.)


