Posts

Showing posts from 2011

WhatsApp Xtract

I don’t want to bore you explaining what is WhatsApp . If you have this serious gap, you can fill it here .  Forensically speaking, WhatsApp was a very cool app until the last June. After that, someone had decided to add the extension “crypt” to such excellent source of information which was msgstore.db . This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser , you can have some troubles in extracting a single chat session with a desired contact, or in reordering the messages. My last python script wants to overcome these problems, avoiding to deal with complex SQL queries. Now, you need only to decrypt that file! Go to the repo.

Exif Summarizer

Exif metadata are wonderful. Just think about all the fields listed in the Exif standard: a great bunch of information is available for each image. When the picture was taken? And where? And what camera was used? And what were the f-stop and exposure settings? And who was the photographer? ... damn! Why the author field is always empty? Anyway...Exif metadata are definitely marvelous. The problem is that commonly, pictures and related metadata are too numerous and this prevents an efficient inspection of the files during a digital investigation. So there is a need of aggregation of the information: for the picture content the problem is hard, also using machine learning algorithms. But in the case of metadata, a smart way to show them can alone lead to evidence discovery, or at least to form a suspicion! And that is what EXIF summarizer tries to do: given a directory (the root directory is fine), it recursively scans all the folders, reads the EXIFs and composes a table wi...

Windows Security Descriptor Binary (a Perl parser)

Image
Some days ago I was messing up with RegRipper plugins , and in particular I was using the " shares.pl " plugin on one of my cases. This plugin parses the content of the registry key "SYSTEM\CurrentControlSet\Services\LanManServer" (please ignore case) and returns the values of the subkey " Shares ", which are the explicit shares (Microsoft File and Printers Sharing) created by a user. Under "Shares" there should be a subkey called " Security " and under it as many REG_BINARY values as shares (I found a case with two shares and only a security value related to one share: I did not go in deep with it, another todo added...). I gugled around but I was unable to get useful stuffs (like tools) or documentation about the nature of that binary values. What I found was a post in the great win4n6 mailing list but with few interesting points. From there I posed to myself the following question. A Windows Security Descriptor? I tried t...

First one

I must admit I had to think many seconds about "opening" a blog... In the past (oh my! almost ten years ago?!) I used Usenet, a really great distributed resource... now pugol has my email, my navigation (at least when I do not try to avoid it), my pluses and... my blog (I forgot some my translations too). All in its hands... it's something that's make me (a little) scary... Sometimes it's being said that digital information is volatile : hum, technically speaking yes, sometimes a lot. But here I'd not apply such characteristic... I had a lot of - probably - useless thoughts about my first post but I do not want to loose too much time by sharing non-techical details, not now.