ForensicDev

Parse iPhone sms.db data file

2009-11-15T14:10:00.004-07:00

A fellow examiner at the Lakewood PD had to examine an iPhone and was researching the sms.db format. Under normal circumstances, the sms.db is a SQLite database, however, and for currently unknown reasons, when loading the sms.db database file into SQLite, it only provided the most recent SMS record. We were quick to load the database file into a HEX editor and identified that additional SMS records were in fact still present within the file. This discovery led to my involvement in writing an EnScript to parse the SMS record section within the sms.db database file.

The EnScript can be downloaded here: CellPhoneMessages

EnScript :: Long File Path export

2009-09-22T17:42:00.000-06:00

Hello everyone --

I thought I share a little EnScript I wrote which deals with long file path export issues. The script I wrote basically does the following:

This EnScript plug-in is used to identify and export entries which would exceed the path depths limitations of 245 characters during a normal export. The script will loop through entries that are blue-checked and exports entries which exceed the above limit based on the FullPath column and the specified export path.

The script will export entries that exceed the 245 character limit. Once exported it will also "uncheck" them. This should leave you with items you can safely export using the native EnCase Copy Folder... function.

The script will create a subdirectory called "pathdepth" inside the user specified export folder and export data using the Logical Size of an entry. In addition a log file is created which contains the reference to the original entry details.

Since the script generates a flat export, it renames the files with a prefix to guarantee uniqueness. This prefix is actually the MFT record number on NTFS volumes (File Identifier).

Please report any bugs or suggestions to: forensicdev (at) gmail (dot) com

NOTE: No guarantee is made that this EnScript is error free. Please use at your own risk and validate your findings.

ver 1.0.31 : 22 September 2009
+ (fixed) total byte size of selected files keeps increasing if going back and forth with new destination path
+ (fixed) split file type extension into own column in export log
+ (fixed) exclude case name in path upon export
+ (fixed) remove CaseName from path calculations
+ (fixed) add original file name to export log
+ (fixed) uniform export format: with MFT FileIdentifier available (file.ext_id.ext), without MFT FileIdentifier availabe (file.ext_hash.ext)

The EnScript can be downloaded here: Long File Path EnScript (updated v1.0.31 - 09/22/09)

ver 1.0.9 : 10 October 2008
+ added MD5 hash value to the exported file name if no MFT file identifier is available.
File Identifier is only available if the MFT is within the evidence file. In case of a LEF
that doesn’t have the MFT, it shows a zero.
+ added check if entry is folder. Folders are not considered for export.

The EnScript can be downloaded here: Long File Path EnScript (updated v1.0.9 - 10/01/08)

This script was written and tested in EnCase v6.11.2. Please keep in mind that his is the first (beta) version.

NOTE: No guarantee is made that this EnScript is error free. Please use at your own risk and validate your findings.

What EnScript / Windows app would help you during investigations?

2008-12-07T00:01:00.006-07:00

Not that I am looking for more work, yet I am always looking for a challenge to develop something which helps you during investigation or makes processes more repeatable and less user error prone. So I am wondering what possibly would make your life easier during an investigation? What type of EnScript for task automation or data analysis would be of use to you; or what application outside of EnCase would be of value and help make you more efficient in your job? Sorry, still working on finding the "Easy" button myself to find all relevant evidence in a case. =)

Seriously though; what task during an investigation do you find tedious and think could be automated or perhaps aided within Encase via an EnScript; or what type of standalone application would be helpful to you and currently doesn't seem to exist?

Thought, ideas and comments are welcome.

Test Results for Digital Data Acquisition Tool :: Tableau Forensic Duplicator TD1 (part 1)

2008-10-10T17:24:00.029-06:00

Disclaimer: This is an independent review and its purpose is to share knowledge of things noticed and tracked when using the device. The integrity of the acquisitions made during this review were validated through MD5 hash values using EnCase (v6.11.2) and FTK Imager Lite (v2.5.4). Sorry, yet you are still responsible for your own testing and validation.

With two brand new Tableau Forensic Duplicators (TD1) on my desk, I thought I share my testing results. First I would like to point out some of the key features I immediately noticed.

Compact design
A large and clearly readable LCD display
Easy to navigate menu items
Ability to enter the investigator's name which will show up in the log files created during acquisitions
Internal clock (date & time)
SATA interface for source and destination
IDE interface for source and destination

This round of testing focuses on the disk-to-disk and disk-to-file duplication feature. The Tableau Forensic Duplicator can be configured via its menu to default straight into disk-to-disk or disk-to-file acquisition mode. Ultimately turning the unit into a single button acquisition device, which makes training someone who only acquires drives very straight forward. What I really like about the TD1 is the fact that it has IDE and SATA interfaces for both the source and destination hard drives. It is possible to connect drives in any combination.

Disk-To-Disk Acquisition

The fastest acquisition method seems to be the disk-to-disk mode. Using this mode, I was able to image a 40.0 GB Western Digital IDE drive in 18 minutes. The image was done from IDE to IDE (see disk information at end of review) with MD5 and SHA1 calculation enabled. The LCD menu provides all necessary information during the imaging process. You see the percentage of completed transfers, MB/s rate, total size imaged. Upon completion the TD1 shows the information an examiner would expect: method of image, date, start time of acquisition, examiner name, source drive information, destination drive information, error counts, MD5 and SHA1 values.

The log information created in this mode only exists within the device itself and is somewhat limited compared to the log file created when using the disk-to-file mode. One shortcoming of this mode is that log information available via the LCD doesn't show the end time stamp of the acquisition. I yet have to test if it is possible to download the log via the USB or 1394 interface to see if more information is actually captured than displayed on the LCD screen.

Disk-To-File Acquisition

The TD1 allows splitting the raw image files into 4 GB, 2 GB, 1 GB and 700 MB chunks. At this point the Tableau does not allow the creation of one single raw image. I was told that it might be available in future firmware upgrades. The TD1 allows spanning the image files onto different destination drives should the currently connected drive fill up.

I saw the following performance when imaging a 40.0 GB IDE drive onto a 160.0 GB IDE drive (see disk information at end of review). The images were accumulative onto the 160.0 GB drive to fill it up and test the spanning feature. Both MD5 and SHA1 was calculated.

4 GB chunks
11 chunks created
28 minutes

2 GB chunks
21 chunks created
29 minutes

1 GB chunks
41 chunks created
32 minutes

700 MB chunks
58 chunks created
37 minutes

As desired all hash values matched up and no errors were recorded.

Summary
Thus far, I like the Tableau Forensic Duplicator (TD1). The unit appears to be very solid and as expected performs well. There are still more tests to do from a duplication standpoint. Plus, other features like disk wipe, blank test, error handling are still on my to-do list. The TD1 is reasonably priced (~$1,200) and should be considered as a contender if you are looking for a new disk acquisition tool.

Device Tested

Tableau Forensic Duplicator
Model TD1
Firmware: 1.10 (September 19, 2008 / 16:44:44)

Source Drive

Model: WDC WD400BB-23DEA0 (40.0 GB)
Firmware Revision: 05.03E05
HPA in use: No
DCO in use: No
ATA Security in use: No
Cable/Interface type: IDE
ATA PIO mode: PIO 4
ATA DMA mode: UDMA 5

Destination Drive

Model: WDC WD1600AAJB-00PVA0 (160.0 GB)
Firmware Revision: 00.07H00
HPA in use: No
DCO in use: No
ATA Security in use: No
Cable/Interface type: IDE
ATA PIO mode: PIO 4
ATA DMA mode: UDMA 5

Be aware when adding raw DD images to EnCase

2008-10-07T17:06:00.012-06:00

I just received the new Tableau Forensic Duplicator (TD1) to put it through its paces. So the first test was a to image a 40GB drive. I did so by using the 2GB DD image file options. The imaging with the unit went as expected.

When adding the DD images to EnCase I ran into a little snag however. Wrote a song about it, wanna hear it? Here it goes...

Started EnCase, created case, opened the "Add Raw Image" dialog.

Then went ahead and opened the dialog to add the "Component Files".

Selected "Image.001" + SHIFT + selected "Image.021".

Clicked "Open" in the dialog box, and clicked "OK" to add the raw image.

The result: Nothing, nada, nichts; well if you call Unused Disk Area nothing.

So I tried again. This time by only selecting the first of the raw DD images. No luck either. This time I got at least an error message.

I began to question the Tableau's DD format. So I fired up FTK Imager and tried loading the image, which worked without any problem.

Not wanting to give up I reached out to EnCase support and it turns out there is a simple, yet very important way to add raw image files.

I did everything right up until selecting the actual raw image files.

The critical thing to remember is the ORDER in which the raw image files appear in the "Component Files" window when adding raw image files. So in my case above, notice that on #1 position it shows "image.021". Not good.

The trick is to actually select the raw DD image files in reverse order such as:

Select "Image.021" + SHIFT + select "Image.001".

If you select files any other way, you can drag and drop the various component files within the "Add Raw Image" window if needed.

Hope this helps others.