Friday, December 30, 2011

EnScript Resources

Every once in a while I get a query about EnScript programming, specifically if there are any books or online material available for it. So I have listed out a few good links to sites that have tutorials for EnScript that should get you started. Additionally keep watching this space and I will keep posting material (samples, tutorials) here too.

Resource 1: Lance Mueller’s now closed site (it’s still online but no more updates/comments will be posted)

Resource 2: My good friend Jon Stewart’s blog

Interestingly Lance is not a programmer and Jon on the other hand is a hardcore programmer. And I have had the pleasure of working with both these fine gentlemen for a number of years and they’ve done some excellent work with scripts.

A few other people have also posted EnScripts or EnPacks for free; these sites do not have tutorials, though.

42 LLC's blog
Geoff Black's Forensic Gremlins
Takahiro Haruyama's blog - Most of the site is in Japanese but easy to follow
ForensicZone
Paul Bobby's blog

In addition, the Guidance portal also has some publicly submitted scripts, but it is not an open forum.

If you are wondering what the heck EnScript is, it is a programming language with an API into EnCase's functionality; EnCase is the most widely used commercial forensic tool, and EnScript cannot be compiled or run without EnCase.


Saturday, December 3, 2011

Hex Decoder Enscript

A simple hex decoder in an EnScript GUI. It is nothing new, as there are many such hex-to-ASCII decoders available on the internet, but it serves as an example of a simple EnScript with a GUI that does something useful. I use it to deobfuscate and decode SQL injection strings and URLs.

Download here

Screenshot of Hex Decoder Enscript

Thursday, December 1, 2011

Travelog Parser Script

The IE Travelog parser enscript is now available for download here!

I have parsed out all the information within the <GUID>.DAT files, and it is displayed in the GUI when the script is run. Not everything can be exported to a flat list, because the data is really a tree structure nested within another tree structure, and much of the information it contains is duplicated (redundant). The complete output goes to the console, where you also get the data from the RecoveryStore.DAT files.


Screenshot of Script output
Update: 1 Jan 2012 - Small bug fix, version now shown in script as 0.7 Beta.

Thursday, September 29, 2011

Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity

This artifact has attracted my attention of late, as I have seen some very useful information in it in a few recent cases. Here you find not only browsed URLs but also webpage details such as the title (sometimes the content) and timestamps. Even data from encrypted (https) pages, which by default IE does not save in the internet cache, is stored here in plaintext. I have even seen email and Facebook passwords here on occasion!

What is RecoveryStore and why is it present?

IE 8 and 9 have a tab recovery feature by virtue of which you can restore all your tabbed browsing sessions if IE crashes, or when you close IE and choose to save the tabs on exit (so that they are reopened automatically the next time IE is started).

With IE8, Microsoft also introduced the concept of a 'Travelog' or 'Travel Log'. This is a mechanism to track the URLs (and associated parameters) that are fetched from a page when AJAX is used. AJAX is a technology that enables dynamic refreshes of small portions of a page without reloading the whole page. It was popularized by Gmail, and most webpages use it today. With AJAX, the main page URL does not change, but the page contents do change as you click around in the page (fetching data from other URLs). This creates a problem: you cannot use the browser back button to go back one click. To solve this problem with the back and forward buttons, the travelog is used to track the AJAX URLs. Read more about it on MSDN here.

So where is this cached information?

The RecoveryStore can be found under <profile>/Application Data on an XP machine and under <profile>/AppData/Local on a Vista or Windows 7 machine, in the subfolder Microsoft/Internet Explorer/Recovery.


Location of RecoveryStore files on a Windows 7 Machine

Two folders are present by default, Active and LastActive. Sometimes a couple of other folders are seen, High and Low. All folders contain similar data: a few files named <GUID>.dat and a single RecoveryStore.<GUID>.dat file per folder. GUIDs are in the standard format {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.

Analysis of RecoveryStore files Part I

All files are in the Microsoft OLE structured storage (compound file) format. When opened with a suitable viewer (many freeware viewers are available for this; if you use EnCase, use 'View File Structure' to mount the file), you find many streams (files) within it.

There is a single RecoveryStore.<GUID>.dat file which represents the recovery store preserving tab order and some other information. It references the other <GUID>.dat files.

RecoveryStore.<GUID>.dat

This file contains 3 or more streams. If more than one session (instance of IE) is running, more streams will be present.

Stream Name                   Description
|KjjaqfajN2c0uzgv1l4qy5nfWe   Contains some GUIDs
FrameList                     List of DWORDs, function unknown
TSxx                          Contains the GUIDs of the tabs in session x (i.e. TS1 lists the tabs in session 1)

RecoveryStore.<GUID>.dat file viewed in an OLE object viewer
The FrameList stream is shown above

<GUID> in the filename
The GUID is actually a version 1 UUID, which is composed of a FILETIME-like timestamp and the machine's MAC address. The details of this scheme are in RFC 4122 (http://www.ietf.org/rfc/rfc4122.txt).

The timestamp is the first 60 bits of the UUID, and it represents the number of 100-nanosecond intervals since 15 October 1582. The only major difference from the Microsoft FILETIME values used everywhere else in Windows is the starting date, which is 01 January 1601 for FILETIME.

This time is the tab/RecoveryStore creation time and can be cross-checked against the file's timestamps on disk for forensic validation. These UUIDs are also found in the '|KjjaqfajN2c0uzgv1l4qy5nfWe' stream of RecoveryStore.<GUID>.dat.

Example: {FD1F46CF-E6AB-11E0-9FAC-001CC0CD46AA}.dat
From this UUID, we can extract the timestamp as 01E0E6ABFD1F46CF, which decodes to 09/24/2011 12:51:58 UTC.
The last 6 bytes are a MAC address of the machine (00 1C C0 CD 46 AA); it can be that of any of the network interfaces on the machine.

Timestamp Easy Conversion Process 
(http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf)

An easy way of converting the timestamp without getting into the math behind it is to subtract the time period between 15 October 1582 and 1 January 1601 and then use a FILETIME decoder program (like DCODE) to do the rest. For the above example, we subtract 146BF33E42C000 (the excess time period) from the original value to get 1CC7AB8BEDC86CF, which decodes as 09/24/2011 12:51:58 UTC.
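The decoding walked through above (timestamp, FILETIME conversion and MAC extraction from the sample {FD1F46CF-...}.dat name) as an added Python example; this is not code from the blog or its EnScript, and the tolerance helper for the on-disk cross-check is my own addition.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample: the file name quoted in the post.
SAMPLE_NAME = "{FD1F46CF-E6AB-11E0-9FAC-001CC0CD46AA}.dat"

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)     # RFC 4122 epoch
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME epoch
# 100 ns intervals between the two epochs (6653 days); equals 0x146BF33E42C000.
UUID_TO_FILETIME = int((FILETIME_EPOCH - UUID_EPOCH).total_seconds()) * 10_000_000


def parse_recovery_name(name):
    """Decode a <GUID>.dat file name into (timestamp60, filetime, datetime, mac).

    Raises ValueError if the GUID is not a version 1 UUID, because only
    version 1 carries a timestamp and a node (MAC) field.
    """
    u = uuid.UUID(name.strip().split(".")[0].strip("{}"))
    if u.version != 1:
        raise ValueError("not a version 1 UUID: %s" % u)
    ts = u.time                          # 60-bit count of 100 ns intervals since 1582-10-15
    filetime = ts - UUID_TO_FILETIME     # same instant expressed as a Windows FILETIME
    when = UUID_EPOCH + timedelta(microseconds=ts // 10)
    mac = ":".join("%02X" % b for b in u.node.to_bytes(6, "big"))
    return ts, filetime, when, mac


def within_tolerance(filetime_a, filetime_b, seconds=2):
    """True if two FILETIME values lie within `seconds` of each other.

    Hypothetical helper for cross-checking the UUID time against the
    file's created time on disk.
    """
    return abs(filetime_a - filetime_b) <= seconds * 10_000_000


if __name__ == "__main__":
    ts, ft, when, mac = parse_recovery_name(SAMPLE_NAME)
    print("UUID timestamp : %016X" % ts)
    print("FILETIME       : %016X" % ft)
    print("Decoded (UTC)  : %s" % when.strftime("%m/%d/%Y %H:%M:%S"))
    print("MAC address    : %s" % mac)
```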

<GUID>.dat files

Each file represents a tab in the browser. Inside each file are 3 or more streams.

Stream Name                   Description
|KjjaqfajN2c0uzgv1l4qy5nfWe   Contains some GUIDs and the last URL of the tab
TravelLog                     List of DWORDs, one per TravelLog entry
TLxx                          Travelog stream (TL0, TL1, ...)

'|KjjaqfajN2c0uzgv1l4qy5nfWe' stream inside a <GUID>.dat file shown above

TravelLog Stream

This stream has a complex binary format that stores many items. The base URL, referrer URL and page title are always present. Page content, some timestamps and AJAX parameters are optionally present.

I have been studying the format of the TravelLog and will shortly publish it as Part II of this blog entry.


Update: An EnCase script is now available for download here to parse out the TravelLog info.