Monday, May 16, 2016

MetaDiver 2.5 released!

I’m happy to announce that MetaDiver 2.5.0 is available for download. This is a big release with some fun new stuff.

In this release there are a number of important and exciting new features

You can now build your own column profiles for different document formats when reviewing meta-data. It’s a simple builder but you can build profile for any set of columns.


Also in this release I’ve introduced 3rd party controls to improve the user experience. You will notice you can ctrl-f to search for text in Tika Strings and Binary Strings! It even supports regex.


You can now filter on a cell value in the grid. This is a nice time saver I have found especially when going through email. An example is when you find a sender or subject or conversationid and then filter on it. You then have just the results for that value showing in the grid!


When selecting a column to search from the drop down it will now auto search to find your text as you type. This makes finding the column you want much faster!


You now select the Columns you want to be exported in the Export window. I know this is a long time coming.


Other stuff includes:

-fix status bar on hex and binary strings screens.
-culling columns is now optional
-fixed email mapping for message last modified time
-added check for path's longer than 255 when selecting case path
-"select all" added to grid
-misc bug fixe

There is more but I’m tired of screenshots. I hope you enjoy this release and use the product. Look forward to feedback!

You can Download MetaDiver 2.5.0.


by Dave via EasyMetaData

Monday, April 18, 2016

Turn #PowerShell into #EXE

Putting together EXE’s has become common practice to simplify script deployments and satisfy dependencies on client systems no matter what the programming language be it perl, python or.NET code. Packing dependencies for the script into native code you don’t have to worry about pesky dependencies. Now there is a tool to turn PowerShell scripts from EXE’s utilizing WinRAR’s self extracting executable capabilities.

The tool description is from TechNet:

“Here is a little tool in Powershell which allow you to create an EXE from your Powershell script.A self-extracting archive with Winrar will be created and your PS1 script or GUI will be launched automatically after running the exe file. “

The disclaimer is that it’s not actually native code. What’s happening is the tool is that it’s creating a self extracting sfx archive through WinRAR. When a user runs the exe you created, lets say “dosomething.exe”the self extracting rar extracts the powershell script and runs it. There are multiple reasons to do this, the most obvious is to simplify the process for users that will be confused when asked to run a powershell script. The other is that you can deploy other dependencies with the powershell script such as configuration files, .NET assemblies that the script may call as well as applying other settings that may be necessary for the script to do it’s job.

The tool is called “PS1 To EXE Generator” and can be found on the TechNet website from the link below.


by Dave via EasyMetaData

Friday, March 25, 2016 to find bitness

Introducing a simple console app to find the outlook bitness and version information. Works with oem and office365 installs.

You can get the source from my GitHub page at


by Dave via EasyMetaData

Saturday, March 12, 2016

Lets say someone hacked your accounts

Inevitably someone is going to have an online account hacked. Someone gets access to your email, cloud or phone using your information through various means. They could have done this because they want something or they just don’t like you, the list is long. Recently someone was in this exact situation and needed some advice. I put together some notes that I would likely follow in this situation to try to help this person out. These are just thoughts about steps I would try to resolve this situation… I make no guarantee’s that these steps will be enough!
Steps to consider (in no particular order)

-Security questions: You should make fake questions and fake answers for security challenges on for your online accounts. No one can guess something that isn’t part of your personal information.

-Should you contact the police: If you are concerned about fraud and are considering contact the police don’t expect them to solve the hacking. However, filing a police report is probably a good step for documentation if the bad guy begins identity and/or bank fraud. This way if you need to work with your bank to get money back you have the police report as documentation even though the police may not be able to do squat to stop this person. The hardest thing for people to realize is that their information is attainable online so a lot of “security questions”, your ssn and contact information are completely useless for protection against a motivated bad guy.

-iCloud/Play: Remove all of the authorized apple devices from apple account and reauthorize just the ones you need. Remember that iCloud replicates your text messages and calls across all of your authorized devices.
-If a device has been sold or stolen without being wiped then someone could be using information from that old device to get in to your account.
-If you are using iCloud to backup the phone and your account is compromised then this person may have access to your cloud backups by downloading them. So turn cloud backups off temporarily. Remember the hacked iCloud photos called “the flapping”? Photo’s weren’t the only thing stored in those celebrities iCloud accounts…
-iCloud keychains: stop replicating to the cloud temporarily. You can turn this off from your phones iCloud settings.
-Cloud backups: You should turn off iCloud backup temporarily until the intruder has been stopped from accessing the account. Turning off iCloud backups is pretty easy. On the phone just go to Settings, iCloud, scroll down to “Backup” and turn it off. If worried about losing information from the phone in the event the phones dies or is lost you can backup using the  iTunes app on your own computer. This way the backup is local.  Keep in mind that you should only do this backup on a computer you feel is not compromised.
-Use secret accounts: Consider creating a new email account that only you know about on say or and use that for logging into your apple devices for now.  You can then still setup iMessage to use your current email address but it wouldn’t be the email address that a person could get access to your cloud accounts with if they called support to social engineer access back in to your account.

-Two Factor protection:

-Enable the two factor authentication on everything that supports it so someone can’t just access your account with a password reset. They could be intercepting your text messages so temporary passwords via text messages aren’t enough. I suggest using an Authenticator app and possibly a U2F key. There are Authenticator apps for Apple, Microsoft and Google. They act like an RSA key fob that you get issued by banks and large companies and work by giving you a temporary numeric key that changes every 30 seconds.

-Two factor (Apple):

-Two factor (Google):

-Two factor (Microsoft):

-Two Factor Auth (U2F key) – An additional step is to also use a U2F key to authenticate with your password manager and even many websites like Dropbox and google allow the use of a U2F key in Google Chrome browser. Firefox is not yet supported.

-Two factor: make sure you changes his email passwords as well and sets up two factor authentication on those email accounts as described above.

-Banking: Get an RSA key fob. They are often free from your bank or broker. Also ask about other forms of two factor authentication. If they do not offer an RSA key ask what options are available. Also ask how they protect your account when someone calls them. Often the biggest security risk to your account is customer service.


-You should change the passwords for your cellular wireless carrier in case the bad guy is calling your wireless carrier to get access to your phone. Once again use fake questions and passwords and a secret pin if available. You should keep those security questions private. For now don’t keep them electronically on your devices or computers. Just keep them on piece of paper at home, not on the computer you suspect.

-Never* use your work computer or public computer to access any sensitive accounts in case it’s a coworker or hacker has gained access through your work systems. The same logic extends to public wifi. Don’t ever login to your accounts on a free wifi without a VPN to encrypt your wireless information. One VPN service is for your computer and phone, it’s around $40 a year. There are a lot of VPN service o ptions out there.

-Use a password manager.  I like Dashlane for simplicity, it costs $40 a year and works very well. this way every single website will have a separate password and you just use a master password to access your password manager. 1password is also very good and cheaper $12/year, but more complicated, it uses either iCloud or Dropbox to store the information. A free option that works very well but is not as easy to use and is not really multi-device is KeyPass password manager.

-Check the email addresses that are linked to your account. You should only have the ones you intend associated and no more. If you have addresses you don’t use or don’t recognize then remove them.

*Always have your computer up to date on security updates.

*For checking for malware on my computer i often use MalwareBytes, it is free for basic stuff.

*For virus scanning Windows Defender Offline is free and Microsoft provides a download to create a bootable thumb-drive you can use to boot into and scan for viruses and rootkits.

-Change your wifi password and router password but mostly the wifi password. if it’s an wifi device provided by your internet provider then you may have to call them. Make sure you have WPA2 enabled on your wireless router.
-If all else fails: If none of these steps have worked then someone may have a keylogger installed on his computer(s) and consider reinstalling them from scratch including the phones. that would be a phone reset. If still on XP then upgrade to windows 7 or 10, yesterday. If on Windows 7 consider upgrading to Windows 10. If on a Mac consider reinstalling after backing up important files to a hard drive/thumb-drive. If an old version of MacOS, upgrade.
Online vendor guides for hacked accounts

Look, I know this is a *lot* of information for the average person, but getting someone out of your systems can be a pain if they are motivated and know what they are doing. These are all steps I would consider in this situation and I do them regularly. A lot of this stuff may sound like overkill but it really isn’t anymore. The bad guys are really clever and the techniques are constantly evolving.

-Good luck



by Dave via EasyMetaData

Tuesday, December 15, 2015

MetaDiver 2.4 is out! Tool for #metadata and #email review #dfir #infosec

I am pleased to announce that the latest version of MetaDiver (2.4.0) has been released.

In this release there are a lot of nice new features and improvements including a single download with outlook bitness detection, hex viewer, binary strings viewer (thanks to Eric Zimmerman’s excellent bstrings) and many more. The expiration date has been removed so it will no longer expire. You will notice the jump in versions since 2.2.1, this release is a cumulative release.

Website: MetaDiver homepage

## changelog (MetaDiver changelog)

-added: copy cell contents in datagrid
-added: log window browse log folder
-added: update notification in status bar
-updated: bstrings to latest that can account for strings across sector boundaries
-added: when viewing tika strings of a email from a PST tika now shows just the selected message.
-fix: check for update bugfixes
-gui fixes and changes
-various bug fixes

-Review: added Hex viewer
-Review: added binary strings viewer
-Review: added column filter by group
-Review: added open file and open file location
-removed expiration from MetaDiver
-email processing: updated dll's resolve outlook 2016 mapi bugs

Send questions or issues to


by Dave via EasyMetaData

Thursday, November 19, 2015

#MacOS #DiskUtil not logging erase action in #ElCapitan #dfir

I have been doing testing with MacOS 10.11, El Capitan. Specifically I wanted to see if erasing a disk or disk partition using DiskUtil would leave a DiskUtil.log as it did in previous versions of MacOS. So far I have been unable to cause a DiskUtil.log to get created. I have read that DiskUtil has been rewritten as an ‘overhaul‘ in El Capitan.


Has anyone experience the same lack of logging? Has the log been moved/combined with another log? If the logging has been moved, where is it now located?

If you have answers let me know!


by Dave via EasyMetaData

Monday, September 21, 2015

MetaDiver – latest build update. New features, new look.

Version 2.2.1 has been released.


  • Support for TikaOnDotNet a .NET implementation of the Apache Tika framework using a .NET java runtime environment.
  • Support for ElasticSearch added.
  • Save case settings.
  • A lot of user interface improvements. I hope you agree!

Go get it!
Download MetaDiver


MetaDiver changelog

-sqlite db handling improvements
-ui improvements
-bug fixes

-New look and feel on main screen.
-Case Info added and persists.
-Case Settings cleaned up.
-various bugfixes and enhancements.

-Elastic Search indexing added.
-Tika support added.
-Review window: Document Strings view using Tika.
-Tika instead of Shell for file metadata for other files (files without specific parsers).
-Tika now default for open office, .url, .exe and all misc types.
-Tika is now fallback for .msg, .eml and .emlx when outlook not installed or cdo not an option.
-Tika also gets used for other graphics/media files such as .tiff, .nef, .png and .gif, .mp3, .mp4, etc...

by Dave via EasyMetaData