Wednesday, November 13, 2013

LNK file and conditions in EnCase v7

Windows LNK files are a very useful source of forensic data, but it is not easy to get them analyzed and ordered by their attributes. Traditionally we look for volume serial numbers to correlate evidence. So how can we do that in EnCase v7? Here is an example based on the Forensic II training evidence files, which I often use in Forensic II training sessions to extend the idea of conditions and filters. I often find that people are not thinking in terms of conditions when they use EnCase.


The picture shows the link file „Final Cawin Weapons Purchase Order 2-7-2011.ppdf.LNK“ with its attribute bar expanded to the „Link Data“ folder. EnCase automatically populates two columns, “Name” and “Value”, with the attribute pairs parsed out of the file content. Since this view is available under the attribute tab, we can create a condition based on these values and find which link files have the same set of attributes, for example those pointing to a file system with the same serial number. Basically we have to ask two things: attribute name is „Serial Number“ and attribute value is „6A97-109C“. This should return a list of LNK files that point to the same file system. For that we can create a new condition, but there is a catch: since attributes are not listed among the table view column names but only in the view pane, we have to go through the filters in conditions to get a new function that addresses the attribute name.


This is the result of our action: in the filters for AttributeValueRoot we created a new filter, ValueFS.


If we edit the ValueFS filter we see it has exactly the same logic as we noted before: (Attribute name is „Serial Number“) and (Attribute value is „6A97-109C“). These values are easily copied from EnCase, but I suggest saving the attribute view into a txt file and copying them from there.


Here is this filter applied in the condition wizard. As always, filters are called through an „equal to“ construct to catch the entries on which the filter returns a hit.
This condition works like any other condition, called from the condition tab. It is a good idea to give the results a meaningful name like „Volume Serial XX“ so it is easy to follow what it is.


If you keep your conditions for future use, it is a good idea to check the „ask for value“ and „value required“ buttons, so you will be able to reuse them for different combinations of attributes and values.

Here we actually insert both values, the attribute name and its value, into the condition box.
The results are, as expected, a list of LNK files that point to the file system with the same serial number.


This method can be applied to other objects that have attributes. In the EnCase manual and on the excellent Lance Mueller site you can learn a lot more about conditions, filters and EnScript programming: http://www.forensickb.com/
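To show what the ValueFS filter is actually matching on, here is an added Python example (my own code, not part of the original post and not EnCase or EnScript code). It parses the LinkInfo/VolumeID structure of an LNK file, renders the DriveSerialNumber in the same XXXX-XXXX form EnCase shows under „Link Data“, and then applies the same two-part test as the filter: attribute name equals „Serial Number“ and the value is in the list of wanted values. The LNK samples are constructed inline with a small builder so the script runs offline; the first file name is the one from the post, the other two names, the volume labels and the paths are invented for the example.

```python
import struct

# LNK layout follows the MS-SHLLINK format: 76-byte ShellLinkHeader, optional
# LinkTargetIDList, then LinkInfo which carries the VolumeID (drive serial number).
LINK_FLAG_HAS_ID_LIST = 0x1      # HasLinkTargetIDList
LINK_FLAG_HAS_LINK_INFO = 0x2    # HasLinkInfo
LINK_INFO_VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1


def _cstring(data: bytes, offset: int) -> str:
    """Read a NUL-terminated ANSI string starting at offset."""
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("ascii", errors="replace")


def parse_lnk_link_data(data: bytes) -> dict:
    """Return the LinkInfo fields that EnCase lists under 'Link Data'.
    Returns {} when the link carries no local volume (e.g. a pure network link)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    offset = 76
    if link_flags & LINK_FLAG_HAS_ID_LIST:
        # IDListSize (2 bytes) precedes the IDList; skip both.
        id_list_size = struct.unpack_from("<H", data, offset)[0]
        offset += 2 + id_list_size
    if not link_flags & LINK_FLAG_HAS_LINK_INFO:
        return {}
    link_info = offset
    (_size, _hdr_size, info_flags, volume_id_off,
     local_base_path_off) = struct.unpack_from("<IIIII", data, link_info)
    if not info_flags & LINK_INFO_VOLUME_ID_AND_LOCAL_BASE_PATH:
        return {}
    vol = link_info + volume_id_off
    _vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
    return {
        # EnCase renders DriveSerialNumber as XXXX-XXXX, the form used in the post.
        "Serial Number": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "Drive Type": drive_type,
        "Volume Label": _cstring(data, vol + label_off),   # ANSI label assumed
        "Local Base Path": _cstring(data, link_info + local_base_path_off),
    }


def find_by_attribute(lnks: dict, name: str, values: list) -> list:
    """Same logic as the ValueFS filter: attribute Name equals `name`
    and attribute Value is one of `values`. Returns matching file names."""
    hits = []
    for filename, data in lnks.items():
        attrs = parse_lnk_link_data(data)
        if name in attrs and attrs[name] in values:
            hits.append(filename)
    return sorted(hits)


# ---- Constructed sample evidence (not the training evidence files) ----

def build_lnk(serial: int, label: str, local_path: str, with_id_list: bool = False) -> bytes:
    """Assemble a minimal, spec-shaped LNK: header + optional IDList + LinkInfo/VolumeID."""
    flags = LINK_FLAG_HAS_LINK_INFO | (LINK_FLAG_HAS_ID_LIST if with_id_list else 0)
    header = struct.pack("<I", 0x4C)
    header += bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    header += struct.pack("<II", flags, 0x20)                      # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                         # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)         # FileSize .. Reserved3
    id_list = b""
    if with_id_list:
        items = b"\x04\x00\xaa\xbb" + b"\x00\x00"                   # one 4-byte ItemID + TerminalID
        id_list = struct.pack("<H", len(items)) + items
    label_b = label.encode("ascii") + b"\x00"
    path_b = local_path.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), 3, serial, 16) + label_b  # DRIVE_FIXED
    vol_off = 28                       # VolumeID directly after the 28-byte LinkInfo header
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(path_b)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28,
                            LINK_INFO_VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, path_off, 0, suffix_off)
    return header + id_list + link_info + volume_id + path_b + b"\x00"


SAMPLE_LNKS = {
    "Final Cawin Weapons Purchase Order 2-7-2011.ppdf.LNK":
        build_lnk(0x6A97109C, "DATA", r"E:\Docs\Final Cawin Weapons Purchase Order 2-7-2011.ppdf",
                  with_id_list=True),
    "Budget 2011.xlsx.LNK": build_lnk(0x6A97109C, "DATA", r"E:\Docs\Budget 2011.xlsx"),
    "Setup.exe.LNK": build_lnk(0x1234ABCD, "OS", r"C:\Temp\Setup.exe"),
}

if __name__ == "__main__":
    for filename, data in SAMPLE_LNKS.items():
        print(filename, parse_lnk_link_data(data))
    print(find_by_attribute(SAMPLE_LNKS, "Serial Number", ["6A97-109C"]))
```

The `values` list plays the role of the „Value matches“ array in the filter dialog, so the same call can be reused for several serial numbers at once, which is the point of checking „ask for value“ when the condition is saved.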

Here is the condition source code:
class MainClass {
  class ValueFSClass {
    typedef String[] Array1;
    // Dialog shown when the condition asks for its values ("ask for value" / "value required")
    class FilterDialogClass: DialogClass {
      ArrayEditClass  Variable1;
      StringEditClass Variable2;
      FilterDialogClass(DialogClass parent, ValueFSClass v):
        DialogClass(parent, "Edit Conditions"),
        Variable1(this, "Value matches", START, NEXT, 200, 102, 0, v.Variable1, REQUIRED),
        Variable2(this, "Name equal to", START, NEXT, 200, DEFAULT, 0, v.Variable2, 512, REQUIRED)
      {
      }
    }
    Array1     Variable1;   // attribute values to match, here the volume serial number
    String     Variable2;   // attribute name to match
    ValueFSClass():
      Variable1{"6A97-109C"},
      Variable2 = "Serial Number"
    {
      FilterDialogClass dialog(null, this);
      if (dialog.Execute() != SystemClass::OK)
        SystemClass::Exit();
    }
    // The filter logic: (attribute name is Variable2) and (attribute value is in Variable1)
    bool Main(AttributeValueClass e) {
      return Variable1.Find(e.Value()) >= 0 && e.Name().Compare(Variable2) == 0;
    }
  }
  ValueFSClass ValueFSData;
  // Walks every attribute under the AttributeValueRoot; a single hit is enough
  bool ValueFS(AttributeValueClass root) {
    forall (AttributeValueClass e in root)
      if (ValueFSData.Main(e))
        return true;
    return false;
  }
  MainClass():
