Posts

Showing posts with the label python

teleparser

Sometimes you need something open ... This post briefly introduces the teleparser script, whose goal is to parse the Telegram cache4.db. Honestly speaking, I would have done something else, but the coding (better, decoding) job was born with a real case a few months ago. Suppose you have a truly important cache4.db, a file containing every non-deleted and synced chat of the suspect, together with his encrypted p2p chats. Suppose that all the major well-known commercial solutions are unable to properly parse that database: or, if able, they provide slightly different results. Again, the db content represents crucial evidence. On which tools' outputs, if any, would you rely to report evidence? That's a classical example where the digital investigator must be able to explain every single bit there (theoretically, he should always be). Point is, the cache4.db is not just a simple SQLite database, but a SQLite database containing a lot of binaries ...

Windows ReVaulting

Windows Vaults and Credentials allow the user to store sensitive information such as user names and passwords, which can later be used to log on to web sites, services and computers. In this post it will be shown how such data is protected and how you can decrypt it offline. This post is a very late debriefing of the talk I gave at SANS DFIR Summit Prague 2015 and it's the first of two posts. You can download the slides from SANS Summit Archives or from SlideShare. Introduction: I've never used the Vault/Credential facility on purpose, even if the system used it without my knowledge: it's worthwhile to know that Windows autonomously uses it almost every day. In any case, we can find sensitive information there, and this is the reason I started this research, so as to have a few more strings to my ODI (Offensive Digital Investigations) bow. Windows provides two utilities to manage such credentials, the graphical Credential Mana...

WhatsApp Forensics

Those who follow this blog may have noticed, a few months ago, a post that introduced WhatsApp Xtract: this script was able to display in an HTML document all the WhatsApp messages extracted from an iPhone. And those who follow the xda developers forum may have recently noticed a thread on it. This last month, thanks to Martina Weidner (aka ztedd), who has decided to take control of its development, we have obtained valuable results. Intro: WhatsApp is a widespread instant messaging application for smartphones, available for iOS, Android, BlackBerry, Symbian and Windows Phone. The chance to replace the traditional SMS service, avoiding its cost, has allowed this application to gain popularity very quickly. The automatic synchronization of the app with the phone address book, the unlimited message length and the possibility to share a wide range of multimedia attachments have persuaded many people... and who cares if it has suffered from some security issues!...

WhatsApp Xtract

I don’t want to bore you explaining what WhatsApp is. If you have this serious gap, you can fill it here. Forensically speaking, WhatsApp was a very cool app until last June. After that, someone decided to add the extension “crypt” to that excellent source of information, msgstore.db. This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser, you can have some trouble extracting a single chat session with a desired contact, or reordering the messages. My latest python script aims to overcome these problems without dealing with complex SQL queries. Now, you only need to decrypt that file! Go to the repo.

Exif Summarizer

Exif metadata are wonderful. Just think about all the fields listed in the Exif standard: a great bunch of information is available for each image. When was the picture taken? And where? And what camera was used? And what were the f-stop and exposure settings? And who was the photographer? ... damn! Why is the author field always empty? Anyway... Exif metadata are definitely marvelous. The problem is that, commonly, pictures and related metadata are too numerous, and this prevents an efficient inspection of the files during a digital investigation. So there is a need to aggregate the information: for the picture content the problem is hard, even using machine learning algorithms. But in the case of metadata, a smart way to show them can alone lead to evidence discovery, or at least form a suspicion! And that is what EXIF summarizer tries to do: given a directory (the root directory is fine), it recursively scans all the folders, reads the EXIFs and composes a table wi...