Tuesday, October 31, 2017

FindUSBMSC updated – v20171030

I’ve updated FindUSBMSC to allow it to handle corrupted gzip files. You can find the latest version on my GitHub page at the link below.

Download

Here’s where you can get version v20171030

Change log

# v20171026 – Fixes issue with gzipped logs not being processed due to wrong variable being returned.
# v20171030 – Add code to allow gzip to ignore CRC errors in gzipped logs
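Here is an added example of the behaviour the v20171030 change is about; it is my own illustration, not code from FindUSBMSC or from Dave. The standard gzip module refuses a file whose CRC32 trailer does not match, and a carved log fragment usually has no trailer at all, so the helper below inflates the raw deflate body itself and reports the CRC result instead of aborting. The sample log lines, the helper names and the "USBMSC" substring filter are all constructed for the example and are not FindUSBMSC's actual parsing logic.

```python
import gzip
import struct
import zlib

# Constructed sample: two lines shaped like macOS system.log USBMSC entries
# (illustrative text only, not captured log data).
SAMPLE_LOG = (
    b"Oct 30 10:01:02 host kernel[0]: USBMSC Identifier (non-unique): 1234ABCD 0x781 0x5583 0x100\n"
    b"Oct 30 10:05:09 host kernel[0]: USBMSC Identifier (non-unique): 9876WXYZ 0x951 0x1666 0x110\n"
)

# gzip header flag bits from RFC 1952
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16


def _skip_gzip_header(data: bytes) -> int:
    """Return the offset at which the deflate body of a gzip member starts."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member (bad magic or compression method)")
    flags = data[3]
    pos = 10  # fixed header: id1, id2, cm, flg, mtime(4), xfl, os
    if flags & FEXTRA:
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    for flag in (FNAME, FCOMMENT):  # NUL-terminated strings, in this order
        if flags & flag:
            pos = data.index(b"\x00", pos) + 1
    if flags & FHCRC:
        pos += 2
    return pos


def read_gzip_tolerant(data: bytes) -> tuple[bytes, bool, bool]:
    """Inflate one gzip member without letting trailer problems abort the read.

    Returns (payload, crc_ok, complete). crc_ok is False when the trailer CRC32
    or ISIZE does not match the inflated bytes; complete is False when the
    deflate stream or the 8-byte trailer is missing (typical of carved files)."""
    body = data[_skip_gzip_header(data):]
    # Negative wbits = raw deflate: zlib does not look for or verify the gzip trailer.
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)
    payload = inflater.decompress(body)
    try:
        payload += inflater.flush()
    except zlib.error:
        pass  # incomplete stream: keep whatever was recovered
    trailer = inflater.unused_data
    complete = inflater.eof and len(trailer) >= 8
    crc_ok = False
    if complete:
        crc, isize = struct.unpack_from("<II", trailer, 0)
        crc_ok = crc == zlib.crc32(payload) and isize == (len(payload) & 0xFFFFFFFF)
    return payload, crc_ok, complete


def usbmsc_lines(payload: bytes) -> list[str]:
    """Pick out USBMSC lines from the recovered text (constructed filter)."""
    return [ln.decode("utf-8", "replace") for ln in payload.splitlines() if b"USBMSC" in ln]


def strict_read_fails(data: bytes) -> bool:
    """True if the standard gzip module refuses this data outright."""
    try:
        gzip.decompress(data)
        return False
    except (OSError, EOFError, zlib.error):
        return True


def make_corrupt_samples() -> dict[str, bytes]:
    """Constructed inputs: an intact archive, one with a corrupted CRC32 trailer,
    and one truncated mid-stream the way a carved fragment would be."""
    good = gzip.compress(SAMPLE_LOG)
    bad_crc = bytearray(good)
    bad_crc[-8] ^= 0xFF  # first byte of the little-endian CRC32 trailer field
    truncated = good[: len(good) - 12]  # loses the trailer plus some deflate data
    return {"good": good, "bad_crc": bytes(bad_crc), "truncated": truncated}


if __name__ == "__main__":
    for name, blob in make_corrupt_samples().items():
        payload, crc_ok, complete = read_gzip_tolerant(blob)
        print(f"{name}: strict_fails={strict_read_fails(blob)} crc_ok={crc_ok} "
              f"complete={complete} usbmsc_lines={len(usbmsc_lines(payload))}")
```

The point of reporting crc_ok and complete rather than silently swallowing the error is that a log recovered this way should be flagged in your notes: a CRC mismatch means at least one byte of the archive changed after it was written, and a truncated member means later entries may be missing.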


Enjoy!


by Dave via EasyMetaData

Tuesday, October 17, 2017

Update to FindUSBMSC.py for #macos #USBMSC parsing #dfir

FindUSBMSC is a script to parse the system logs on macOS. It looks for USBMSC storage device plug-in events and links them back to the product information. This release includes some important fixes and improvements.

# v20171016 – Logic cleanup. Improve pid and vid parsing. Added list of unique devices. Added options parser.
# v20171017 – Add option to parse any file or just system log files. Useful for carved logs.

You can download the latest v20171017 from the following locations:

http://ift.tt/2gLBnpY or

http://ift.tt/2ig9CcH


by Dave via EasyMetaData

Monday, August 28, 2017

Visual Studio registry artifacts – part 2 – MRU Items #DFIR

Welcome back to a review of Visual Studio registry artifacts. In Part 1 I discussed “Find & Replace” as well as the Visual Studio 2017 registry hive that is separate from the NTUSER.DAT (HKCU). In this post I want to briefly show you that Visual Studio keeps its own Most Recently Used item lists. Below you can see two categories: the “MRUItems” that capture activity throughout Visual Studio, and another MRU under “SourceControl\History\…\ItemMRU”.

MRUItems – Most Recent Used Items

These lists can show you a variety of MRUItems. Granted, my testing of the variety of items that are captured is limited; here are a number of items I have observed:

  • Modules such as “xamarin”
  • Access to source code repositories including hosted TFS and GIT repositories
  • NuGet repositories


Below, the “Items” list shows access to various source code repositories.


SourceControl MRUs

The source control MRUs can be found in “\Visual Studio\<VS #>\SourceControl\TeamFoundation\History\…\ItemMRU”. This MRU does basically what the name implies: it shows user access to source code repositories, specifically Team Foundation source code repositories. There are a couple of repository types, Team Foundation Server (TFS) and Git. The TFS can be a local server or a hosted account on visualstudio.com.


This information is rather specialized but it’s yet another place to look for user activity in your review of a system. I hope you find this information helpful.

 


by Dave via EasyMetaData

Wednesday, August 2, 2017

Visual Studio registry artifacts – part 1 – find & replace #dfir

When you use Visual Studio it leaves a lot behind that is valuable to an investigator; a valuable trove of information may exist. We are going to briefly review the “Find and Replace” history that gets left behind.

Find and Replace


Registry location

“…\Software\Microsoft\VisualStudio\<version #>\Find”

Below you can see my Find history.


Why is it there? When you open the “ctrl+f” find window you can see text you searched for, and it’s likely just pulling from the list of keys in the registry. Notice above that “listBoxControl1” shows up both in the registry and in the drop-down in Visual Studio 2015.


Where to find the “Find & Replace” history

I have not found any differences in the way the history is stored in 2017 vs 2015, other than that it is outside the standard user hive in Visual Studio 2017. See below: 2017 keeps its own registry hive!

Visual Studio 2015 and prior

The history for “Find & Replace” is kept in “C:\Users\<username>\NTUSER.DAT”


Visual Studio 2017

In Visual Studio 2017 Micros*ft moved the registry entries off into a separate regf (hive) called “privateregistry.bin”. I’m guessing this change is for cross platform compatibility?

The hive path in my configuration is “C:\Users\<username>\AppData\Local\Microsoft\VisualStudio\15.0_3baffadb\privateregistry.bin”


*My configuration for testing is Visual Studio 2017 on Windows 10 Pro.

Wrapping up

When reconstructing user activity it’s important to think through all the possible sources of useful information. A lot of people write code these days, and Visual Studio is a popular tool due to its great IDE and because it is free to use. The possible scenarios for why a user was using Visual Studio are numerous, from writing malicious software to source code re-use. Hopefully this helps in the quest to answer “what were they up to” next time you are looking.

*For registry analysis I recommend RegistryExplorer.

Enjoy!

Dave


by Dave via EasyMetaData

Saturday, June 24, 2017

MetaDiver 3.1.2 released

MetaDiver 3.1.2 has been released! The latest is available for download.

http://ift.tt/1BFPceC

v3.1.2 (build 1635)
-bugfix to button for mapping gps for pictures
-update settings mapping db default templates
-remove old “Type” column mapping from shortcuts
-cleanup tika logging for no metadata. Moved from error to debug log and removed error on individual null fields causing false positives.


Enjoy!

Dave


by Dave via EasyMetaData

Friday, June 16, 2017

MetaDiver 3.1.1 is released

The latest version of MetaDiver is available for download.

Download: Metadiver 3.1.1

Numerous improvements from previous release. Using the latest version is highly recommended!

Changelog

v3.1.1 (build 1623)
-bugfixes to paging in Review window
-fix to keyword search not pulling back hits in some cases
-prevent empty line in keywords on save
-performance optimizations
-resized evidence path window on process form
-bugfixes

v3.1.0 (build 1620)
-check for update ui change
-package update for Elasticsearch.Net 5.4, DocumentFormat.OpenXML, AlphaFS 2.1.3
-fix case info form fields not saving

v3.1.0 (build 1602)
-upgrade outlook redemption from 5.10.0.4312 to 5.14.0.4798
-fixes minor issues with filtering
-preview email fixed when column profile changed from summary
-fixed temp directory issue when cleaning it up.
-fix keyword search issue with switch to generics
-fix sorting of dropdown on review window
-review window – metadata fields now uses 3rd party control for better look and feel
-review window – metadata fields now show all fields every time you select a row
-updated filterlist for filtering by specific extensions on intake
-renamed about to ? and created submenus from menu bar
-added feedback option from ? menu item
-change parser mapping to x-parsed-by for openofficexml docs and email msg via redemption
-updated SQLite Core to 1.0.105.1
-bug fixes

v3.0.1 (build 1588)
-improved tika handling with task timeout
-fixed handling for tika hang/bug on rotten officexml docs
-added back the fallback to ms openxml document mapping when tika hangs on faulty officexml format
-added back the fallback to ms openxml document mapping when tika fails to parse officexml format
-memory leak fixed
-change lnk file parser info field mapping to “x-parsed-by” from “parsed”
-improved tika metadata parsing
-added new metadata field mappings
-keywords run save to caseinfo.json file
-intake path’s save to caseinfo.json file
-bugfixes



by Dave via EasyMetaData

Thursday, May 4, 2017

Upgraded hosting hardware

In the past week I moved the websites www.easymetadata.com and www.redrocktx.com from shared hosting to a VPS. I’m noticing a huge difference for $4/m more. I know I’m stubborn for not ditching the whole website thing and moving to Medium, but I’m just not that hipster. I like having a shell and control.

Anyway, hopefully you notice the improved responsiveness as well!

Enjoy


by Dave via EasyMetaData