Monday, 21 October 2013

Windows Prefetch (.PF) files

Thanks to the Wayback Machine (web.archive.org), I have been able to retrieve my old posts about Prefetch files from 42 LLC. You can find the original (slightly edited) post here now. It contains format information and the prefetch hash algorithm.

Windows 8 Prefetch files

Of late there has been some discussion about Windows 8 prefetch files on forensicfocus.com and some mailing lists. Everybody seems to know about the change from recording a single Last Executed Time to the last 8 executed times, but there is some confusion about the hashing algorithm. So I've revisited this artifact and here is what I found (for Windows 8).

Windows 8 still uses the same prefetch hash calculation algorithm. A few offsets have changed, but the structure of the .pf file is still the same. The only change seems to be the addition of 7 new timestamps, because the prefetch file now stores the timestamps of the last 8 times the application was executed. My old EnScript code has been updated to reflect this. Download here.

There is some extra data in the volume information block that still remains a mystery. Refer to the old post for the volume information block structure.

The new windows 8 prefetch file structure is as follows:
0x00 = 1A 00 00 00
0x04 = SCCA
0x08 = 11 00 00 00 
0x0C = 4 byte size of pf file itself
0x10 = 60 bytes of filename
0x4C = 4 bytes hash (same as in filename)
0x50-0x57 = unknown
0x58 = Number of Filepaths referenced
0x5C-0x63 = unknown
0x64 = Offset to Block containing Filepaths (DWORD)
0x68 = Length of Block containing Filepaths (DWORD)
0x6C = Offset to Volume Information Blocks (DWORD)
0x70 = Number of Volume Information Blocks present (DWORD)
0x74 = Size of all volume info blocks (DWORD)
0x78 = unknown
0x7C = unknown
0x80 = Program Last Execution Time (1) (FILETIME)
0x88 = Program Last Execution Time (2) (FILETIME)
0x90 = Program Last Execution Time (3) (FILETIME)
0x98 = Program Last Execution Time (4) (FILETIME)
0xA0 = Program Last Execution Time (5) (FILETIME)
0xA8 = Program Last Execution Time (6) (FILETIME)
0xB0 = Program Last Execution Time (7) (FILETIME)
0xB8 = Program Last Execution Time (8) (FILETIME)
0xC0-0xCF = unknown
0xD0 = Number of Executions (DWORD)
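As an added example (not from the original post or the EnScript it links to), here is a small Python parser for the Windows 8 header layout listed above. The sample header bytes are constructed, and treating an all-zero FILETIME slot as an unused execution-time entry is my assumption, not something the post states.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field layout of the Windows 8 prefetch header exactly as listed above;
# "x" pads cover the offsets the post marks as unknown (0x50, 0x5C, 0x78, 0xC0).
PF_HEADER_FMT = "<I4sII60sI8xI8xIIIII8x8Q16xI"   # 0xD4 bytes in total
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC. A zero value is taken here
    (assumption, not stated in the post) to mean an unused execution-time slot."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_win8_prefetch_header(data):
    """Return the header fields of a Windows 8 (version 0x1A) .pf file as a dict."""
    if len(data) < struct.calcsize(PF_HEADER_FMT):
        raise ValueError("data too short for a Windows 8 prefetch header")
    fields = struct.unpack_from(PF_HEADER_FMT, data)
    version, sig, _, file_size, name_raw, pf_hash, n_files = fields[:7]
    fp_off, fp_len, vol_off, n_vol, vol_size = fields[7:12]
    times, run_count = fields[12:20], fields[20]
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version != 0x1A:
        raise ValueError(f"version 0x{version:02X} is not the Windows 8 layout")
    # Filename is UTF-16LE, NUL-terminated, inside a fixed 60-byte field.
    executable = name_raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "executable": executable,
        "hash": f"{pf_hash:08X}",          # same value as the suffix in the .pf filename
        "file_size": file_size,
        "filepath_count": n_files,
        "filepaths_block": (fp_off, fp_len),
        "volume_info": (vol_off, n_vol, vol_size),
        "last_run_times": [filetime_to_datetime(t) for t in times],
        "run_count": run_count,
    }


def build_sample_header():
    """Constructed sample (not a real capture): NOTEPAD.EXE run 3 times, 1 h apart."""
    ts = 130267872000000000          # FILETIME for 2013-10-21 00:00:00 UTC
    times = [ts, ts - 36_000_000_000, ts - 72_000_000_000] + [0] * 5
    name = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\0")
    return struct.pack(PF_HEADER_FMT, 0x1A, b"SCCA", 0x11, 0xD4, name, 0xDEADBEEF,
                       40, 0x130, 0x800, 0x930, 1, 0x200, *times, 3)
```

Feed `parse_win8_prefetch_header` the first 0xD4 bytes of a real .pf file; the hash placeholder and offsets in `build_sample_header` are made up for the demonstration.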

Thursday, 3 October 2013

Mounting Encase Images the easy way in Ubuntu13

This post continues from the earlier one (mounting DD images in Ubuntu13 with one click). Now we want to do the same for E01 images. We will use the mount_ewf Python script from the libewf project to accomplish this. Follow the instructions given below:

1. Download and install libewf from Ubuntu Software Center.
2. Download mount_ewf-20090113.py from here.
Rename to mount_ewf.py and copy it to /usr/bin folder. Set 755 permissions on it so it can be read and executed by all users.

This python script requires a mount point location (folder) to be specified. For every image we want to mount, we will need to create a new mount point and then feed it to this script. We will create temporary mount points under /tmp. Each mount point will be named ewf_NAME.

To make this mount on one click and mimic the default image mount function, 3 things need to be done:
1. Create a mount point.
2. Run mount_ewf.py script to mount the image.
3. Mounted image folder should pop up in Files Explorer.

To automate this to one click, launch 'Nautilus-Actions Configuration Tool' and create a new item. Let's call it 'Mount E01 to DD'. In the 'Command' tab fill in the following details:

Path: /bin/sh
Parameters: -c "mkdir /tmp/ewf_%b";gksudo "mount_ewf.py -o allow_other %f /tmp/ewf_%b";nautilus /tmp/ewf_%b
Working directory: %d

(note: there are no line breaks in parameters, it is all in one line) Don't change anything in the parameters, especially the quotes. I've settled on this command line after many iterations of failed attempts. This one takes care of all spaces in file names (and file paths) and should be fine for everyone.

In the 'Basenames' tab, create 2 filters for filename as '*.E01' and '*.e01' so that the menu item only shows up for files with an E01 extension.

One more setting is required to make this work. In the 'Execution' tab, select 'Display Output' under Execution mode. This won't work otherwise.



That's about it. You should now see a menu like the one shown below when you right-click on an E01 file. Choose 'Mount E01 to DD' to mount it to a virtual DD image. The folder should pop up when the operation completes. Now right-click on the DD image file and select 'Mount DD image' to mount the partitions.


Now for the unmount command. I've created a simple generic 'Unmount all' command that unmounts all E01 files that were previously mounted (using our one-click solution). Since we do not maintain any record or database of mounted files, we simply rely on file names to identify mounted folders under /tmp.

In 'Nautilus-Actions Configuration Tool' create a new item called 'Unmount ALL E01s'. Under 'Action' tab, check the 'Display item in location context menu' checkbox. This enables the option to show up even when there is no file selected and you right-click. In the 'Command' tab, fill in the following details:

Path: gksudo
Parameters: umount /tmp/ewf_*; rmdir /tmp/ewf_*
Working directory: %d

In the 'Execution' tab, select 'Display Output' under Execution mode.

That's it! Do remember to unmount your virtual DD images in File Explorer before trying to unmount the E01.

Here is a video showing the entire concept implemented on my machine.