Friday, December 30, 2016

Added source for a simple console app to dump metadata and content using #TIKA from .NET.

I decided I needed to put out a simple command line program for dumping metadata. It’s been sitting on my todo list for too long. I’ve been using Tika for a long time now and it’s amazing how many file formats it supports, and the list keeps growing with every new release. This is bare bones compared to MetaDiver and is strictly Tika based.

TIKA supported formats: http://ift.tt/2imwF1I

There are so many supported formats I can’t list them all.

I know we already have a lot of programs out there for parsing metadata from files, but most are commercial. Phil Harvey’s ExifTool is a free program that does an amazing job at metadata, but you should always have another option. More importantly, each tool has limits on the formats it handles. Tika supports consuming ExifTool output as of 1.9 to supplement its metadata when using the Java version! Pretty amazing.

I decided to keep it simple with the 1.0 release. You’ll get the key/value pairs from the file metadata, and you can also dump the text from the file to the console.

Sample output:

T:\MD_DumpCLI>MD_DumpCLI.exe -f "T:\Test_data\exif\IMG_0581.JPG"
Author:  David Dym
License: Apache 2.0
 http://ift.tt/1r8ST99

Filename: N:\Test_data\exif\IMG_0581.JPG

Aperture Value: f/2.8
Brightness Value: 5067/1265
Color Space: sRGB
Component 1: Y component: Quantization table 0, Sampling factors 2 horiz/2 vert
Component 2: Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert
Component 3: Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert
Components Configuration: YCbCr
Compression: JPEG (old-style)
Compression Type: Baseline
Content-Type: image/jpeg
Creation-Date: 2011-10-23T13:55:09

.... (cutoff the other 200+ fields)

Github Page: http://ift.tt/2imFVTo

Enjoy!

Dave


by Dave via EasyMetaData

Tuesday, July 26, 2016

Extract document #metadata – #Tika and #exiftool

Intro

Metadata is critical to any investigation. So much knowledge can be gleaned from reviewing the metadata of pictures and documents that it has become a big topic in the news; look at the DNC hack last month. But for those of us in digital forensics and information security, metadata has always been critical to our investigations.

If metadata is a new/confusing term for you then go read about it: http://ift.tt/12SKG6a

Some investigators trust the information from the commercial tools they paid licenses for without validating the results with a secondary tool or reading the release notes for caveats. Always read the release notes! It’s best practice to test your tools to ensure you are not only getting accurate results but also as many results as possible.

Scenario

I have been reminded once again that commercial tools can miss document metadata. Sometimes it’s because you are running an old version, other times because you did not select the proper check box when processing, and other times the tool just does not support the document format. Some obscure document types have spotty support even in the most popular commercial software.

In this case the software uses file extensions to determine file type on a standard pass; unless you ran an extra processing option to have it use the magic header/document signature to determine document type, the forensic tool would not parse the metadata completely.

In this case a colleague was reviewing an Office .xlsx document that showed only ‘content created’ and ‘source modified’ as the document properties. This looked fishy to me, so I suggested that more data could be present and that the file be inspected manually: in this case, renaming the .xlsx to .zip (an .xlsx is a ZIP container) and unzipping it to read the .xml files directly.

Sure enough, multiple fields including ‘author’, ‘last modified by’ and more were present! In this instance the file properties under Windows only showed ‘content created’ and ‘date last saved’. The same exercise could have been conducted using Tika or ExifTool. So, if I hadn’t suggested digging deeper, the metadata might have been missed…
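Here is the same manual exercise as a script, added as an example (this is not the blog’s code and not part of MetaDiver). It identifies the container by its magic bytes rather than the extension, then reads docProps/core.xml and docProps/app.xml straight out of the ZIP, which is where ‘author’, ‘last modified by’, ‘created’ and ‘modified’ live. The sample .xlsx is constructed inline and only carries the property parts (Excel itself would want worksheets too); the names and dates in it are made up.

```python
"""Pull document properties out of an OOXML package (.xlsx/.docx/.pptx)
without Office, Tika or ExifTool. Standard library only. Added example,
not the blog's own code."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


def container_type(data: bytes) -> str:
    """Classify by signature, not by file name (the trap the post describes)."""
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"   # OOXML is a ZIP package
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole2"  # legacy binary .xls/.doc/.ppt
    if data[:2] == b"\x1f\x8b":
        return "gzip"  # what a renamed .xlsx is NOT
    return "unknown"


def _parse_w3cdtf(text: str) -> datetime:
    """OOXML dates are W3CDTF; Office writes them in UTC with a trailing Z.
    Windows Explorer shows these converted to local time."""
    if text.endswith("Z"):
        return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(text)  # offset form, e.g. 2016-07-01T10:02:09-04:00


def ooxml_properties(data: bytes) -> dict:
    """Flatten docProps/core.xml and docProps/app.xml into {name: value}."""
    if container_type(data) != "zip":
        raise ValueError("not a ZIP package, so not OOXML")
    props = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        present = set(z.namelist())
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in present:
                continue  # some generators omit app.xml entirely
            for el in ET.fromstring(z.read(part)):
                name = el.tag.split("}", 1)[-1]   # drop the {namespace} prefix
                value = (el.text or "").strip()
                if not value:
                    continue                      # skip containers such as HeadingPairs
                if el.get("{%s}type" % XSI_NS) == "dcterms:W3CDTF":
                    value = _parse_w3cdtf(value)
                props[name] = value
    return props


def build_sample_xlsx() -> bytes:
    """Constructed test input: only the property parts of an .xlsx."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" xmlns:xsi="%s">'
        "<dc:creator>Alice Example</dc:creator>"
        "<cp:lastModifiedBy>Bob Example</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2016-07-01T14:02:09Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-07-12T09:30:00Z</dcterms:modified>'
        "<cp:revision>7</cp:revision>"
        "</cp:coreProperties>" % (CORE_NS, DC_NS, DCTERMS_NS, XSI_NS)
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Excel</Application>'
        "<Company>Example Corp</Company><TotalTime>0</TotalTime>"
        "<HeadingPairs></HeadingPairs></Properties>" % APP_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    print("container:", container_type(sample))
    for k, v in sorted(ooxml_properties(sample).items()):
        print("%s: %s" % (k, v))
```

Running it prints the container type and every property with a value; note that ‘created’ and ‘modified’ come back as timezone-aware UTC datetimes, which is what the Z in the XML means, while Explorer will have shown them in local time.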

Metadata tools

Below I’ll list some tools I recommend for validating metadata results from documents and images. I’m also showing a way to run Apache Tika, which reads metadata from files, under Windows without having to install Java. The reason this is fun is that Tika reads a TON of file formats but is written in Java, and I don’t like to install Java unless required; this lets you use it on any machine running .NET.

Free tools that get comprehensive metadata are:

Sorry for the shameless plug of my own metadata extraction tool, ‘MetaDiver’, which uses Tika heavily for metadata extraction.

Tika in Windows

You can run the latest Tika on Windows to inspect files individually.

To use Tika on Windows you will need to do a few things.

  • Download the Tika jar file here.
  • Download iKVM here.

From a command prompt in the IKVM directory, run “ikvm.exe -jar tika.jar” (using the name of the tika-app jar you downloaded). It’s that simple.

[Screenshots: start_tika_with_ikvm; tika_gui_with_ikvm; tika_file_metadata_with_ikvm]
ExifTool

To use exiftool just download exiftool and run it from a command prompt.

[Screenshot: exiftool1]

ExifTool with Tika

According to the Tika documentation you can wrap Tika around ExifTool to extract even more information. Tika already supports an insane number of document formats.

http://ift.tt/2auHpYp

I haven’t tested this configuration.

Wrap-Up

ExifTool and Tika are both free, well maintained, cross platform and regularly updated with the latest changes to document formats. Running the latest version matters because file structures change as software changes, and testing the latest version is really important when it comes to metadata to ensure you can read everything from the file you are inspecting!

Beware of how the different tools handle dates: time zones, UTC vs. local time and daylight saving time. A timestamp printed without a zone is not a point in time until you decide what zone it was recorded in.
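To make that caveat concrete, here is an added example (not from the post) that parses the same camera timestamp in the two styles the tools print it (Tika’s ISO 8601 form and ExifTool’s colon-separated EXIF form), and shows what it becomes under different zone assumptions. The timestamp strings and the offsets are constructed for the example; the “-04:00” vs. “-05:00” pair is the classic DST mistake for a photo taken on the US east coast in October.

```python
"""Normalise tool timestamps to UTC without pretending to know a zone the data
never had. Added example, not the blog's own code; standard library only."""
from datetime import datetime, timedelta, timezone

# Constructed strings: the same EXIF DateTimeOriginal as Tika and ExifTool
# print it by default. Neither carries a zone; EXIF 2.31 cameras may record
# one in OffsetTimeOriginal, older photos have no zone anywhere in the file.
TIKA_STYLE = "2011-10-23T13:55:09"
EXIFTOOL_STYLE = "2011:10:23 13:55:09"
ISO_UTC_STYLE = "2011-10-23T13:55:09Z"   # shape of an OOXML dcterms:created

_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",   # ISO 8601 with zone (Z or +HH:MM)
    "%Y:%m:%d %H:%M:%S%z",   # EXIF-style date with an appended offset
    "%Y-%m-%dT%H:%M:%S",     # naive ISO (Tika default)
    "%Y:%m:%d %H:%M:%S",     # naive EXIF (ExifTool default)
)


def parse_tool_timestamp(text: str) -> datetime:
    """Return an aware datetime only if the zone was in the data, else naive."""
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % text)


def exif_offset_minutes(offset: str) -> int:
    """Parse an EXIF OffsetTime* value such as '+02:00' or '-04:00'."""
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = offset.lstrip("+-").split(":")
    return sign * (int(hours) * 60 + int(minutes))


def to_utc(ts: datetime, assumed_offset_minutes: int = 0) -> datetime:
    """Pin a timestamp to UTC. A naive value gets the *assumed* offset, which
    must come from the case (camera OffsetTimeOriginal, where the photo was
    taken, DST on that date); an aware value keeps the offset it carried."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone(timedelta(minutes=assumed_offset_minutes)))
    return ts.astimezone(timezone.utc)


if __name__ == "__main__":
    naive = parse_tool_timestamp(TIKA_STYLE)
    assert naive == parse_tool_timestamp(EXIFTOOL_STYLE)  # same value, two spellings
    for label, off in (("EDT, DST in effect", "-04:00"), ("EST, DST forgotten", "-05:00")):
        print("%-20s %s" % (label, to_utc(naive, exif_offset_minutes(off)).isoformat()))
    print("%-20s %s" % ("zone in the data", to_utc(parse_tool_timestamp(ISO_UTC_STYLE)).isoformat()))
```

The two naive strings parse to the same value, so Tika and ExifTool agree; the disagreement only appears when each reviewer silently picks a different zone, which is why the assumed offset is an explicit argument here and not a default.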

I hope you find this post informative and actionable.

Enjoy!


by Dave via EasyMetaData

Wednesday, June 29, 2016

New Forensic Image viewer under dev #dfir #infosec

There is a new forensic viewer in town called “Pancake Viewer”. It’s being developed by our good friend Forensicmatt, known for the Triforce journal parser.

Pancake Viewer is there to review forensic artifacts interactively in a simple interface, for free. It’s familiar and based fully on open source libraries. If you’re curious about the backend, it’s powered by Python, libtsk and dfvfs, and the GUI uses wxPython.

What makes it different, you ask? The ability to explore the image and the volume shadow copies! Because it’s open source (LGPL) and Python, you can make changes to meet your needs as long as you share your changes.

Currently it’s an alpha project but moving quickly towards a working release.

Take a look: http://ift.tt/29cX5SL

Enjoy!

Dave


by Dave via EasyMetaData

Monday, May 16, 2016

MetaDiver 2.5 released!

I’m happy to announce that MetaDiver 2.5.0 is available for download. This is a big release with some fun new stuff.

In this release there are a number of important and exciting new features

You can now build your own column profiles for different document formats when reviewing metadata. It’s a simple builder, but you can build a profile for any set of columns.

[Screenshot: ColumnProfileBuilder1]

Also in this release I’ve introduced 3rd party controls to improve the user experience. You will notice you can Ctrl-F to search for text in Tika Strings and Binary Strings! It even supports regex.

[Screenshot: Stringsctrlf1]

You can now filter on a cell value in the grid. This is a nice time saver, especially when going through email: for example, when you find a sender, subject or conversation ID and filter on it, you then have just the results for that value showing in the grid!

[Screenshot: FilterOnField1]

When selecting a column to search from the drop down, it will now auto-search to find your text as you type. This makes finding the column you want much faster!

[Screenshot: ColumnAutoComplete1]

You now select the columns you want exported in the Export window. I know this is a long time coming.

[Screenshot: ExportProfile1]

Other stuff includes:

-fixed status bar on hex and binary strings screens
-culling columns is now optional
-fixed email mapping for message last modified time
-added check for paths longer than 255 characters when selecting the case path
-"select all" added to grid
-misc bug fixes

There is more but I’m tired of screenshots. I hope you enjoy this release and use the product. Look forward to feedback!

You can Download MetaDiver 2.5.0.

Enjoy!


by Dave via EasyMetaData

Monday, April 18, 2016

Turn #PowerShell into #EXE

Putting together EXEs has become common practice to simplify script deployments and satisfy dependencies on client systems no matter what the programming language, be it Perl, Python or .NET code. By packing the script’s dependencies into a single executable you don’t have to worry about pesky dependencies. Now there is a tool to turn PowerShell scripts into EXEs utilizing WinRAR’s self-extracting executable capabilities.

The tool description is from TechNet:

“Here is a little tool in PowerShell which allows you to create an EXE from your PowerShell script. A self-extracting archive with WinRAR will be created and your PS1 script or GUI will be launched automatically after running the exe file.”

The disclaimer is that it’s not actually native code. What is happening is that the tool creates a self-extracting (SFX) archive through WinRAR. When a user runs the EXE you created, let’s say “dosomething.exe”, the self-extracting RAR extracts the PowerShell script and runs it. There are multiple reasons to do this; the most obvious is to simplify the process for users who would be confused when asked to run a PowerShell script. The other is that you can deploy other dependencies with the PowerShell script, such as configuration files and .NET assemblies that the script may call, as well as applying other settings that may be necessary for the script to do its job. Keep in mind that this does not hide or protect the script: the EXE is still a RAR archive that WinRAR (or anyone) can open to read the .ps1 inside.

The tool is called “PS1 To EXE Generator” and can be found on the TechNet website from the link below.

http://ift.tt/26aD2Z5

Enjoy!


by Dave via EasyMetaData

Friday, March 25, 2016

Detectoutlook.net to find bitness

Introducing a simple console app to find the Outlook bitness and version information. Works with OEM and Office 365 installs.

You can get the source from my GitHub page at http://ift.tt/1LNrhRB

Enjoy!


by Dave via EasyMetaData

Saturday, March 12, 2016

Lets say someone hacked your accounts

Inevitably someone is going to have an online account hacked. Someone gets access to your email, cloud or phone using your information through various means. They could have done this because they want something, or they just don’t like you; the list is long. Recently someone was in this exact situation and needed some advice. I put together some notes that I would likely follow in this situation to try to help this person out. These are just thoughts about steps I would try to resolve this situation… I make no guarantees that these steps will be enough!
Steps to consider (in no particular order)

-Security questions: Make up fake questions and fake answers for the security challenges on your online accounts. No one can guess something that isn’t part of your personal information.

-Should you contact the police: If you are concerned about fraud and are considering contacting the police, don’t expect them to solve the hacking. However, filing a police report is probably a good step for documentation if the bad guy begins identity and/or bank fraud. This way, if you need to work with your bank to get money back, you have the police report as documentation, even though the police may not be able to do much to stop this person. The hardest thing for people to realize is that their information is attainable online, so a lot of “security questions”, your SSN and contact information are completely useless as protection against a motivated bad guy.

-iCloud/Play: Remove all of the authorized Apple devices from your Apple account and reauthorize just the ones you need. Remember that iCloud replicates your text messages and calls across all of your authorized devices.
-If a device has been sold or stolen without being wiped, then someone could be using information from that old device to get into your account.
-If you are using iCloud to back up the phone and your account is compromised, then this person may have access to your cloud backups by downloading them, so turn cloud backups off temporarily. Remember the hacked iCloud photos incident called “The Fappening”? Photos weren’t the only thing stored in those celebrities’ iCloud accounts…
*http://ift.tt/1DIXcsy
-iCloud Keychain: stop replicating to the cloud temporarily. You can turn this off from your phone’s iCloud settings.
-Cloud backups: You should turn off iCloud backup temporarily until the intruder has been stopped from accessing the account. Turning off iCloud backups is pretty easy. On the phone just go to Settings, iCloud, scroll down to “Backup” and turn it off. If you are worried about losing information from the phone in the event the phone dies or is lost, you can back up using the iTunes app on your own computer; this way the backup is local. Keep in mind that you should only do this backup on a computer you are confident is not compromised.
*http://ift.tt/1XlEwcw
*http://ift.tt/1CL0dbk
-Use secret accounts: Consider creating a new email account that only you know about, on say outlook.com or yahoo.com, and use that for logging into your Apple devices for now. You can still set up iMessage to use your current email address, but it wouldn’t be the address a person could use to get access to your cloud accounts if they called support to social engineer their way back in.

-Two Factor protection:

-Enable two factor authentication on everything that supports it so someone can’t access your account with just a password reset. They could be intercepting your text messages, so temporary passwords via text message aren’t enough. I suggest using an authenticator app and possibly a U2F key. There are authenticator apps for Apple, Microsoft and Google. They act like the RSA key fobs issued by banks and large companies and work by giving you a temporary numeric code that changes every 30 seconds.
*http://ift.tt/1TCIuOD
*http://ift.tt/13Jo2As

-Two factor (Apple): http://ift.tt/1TCIuOD

-Two factor (Google): http://ift.tt/1gggTer

-Two factor (Microsoft): http://ift.tt/12i63oc

-Two factor auth (U2F key): An additional step is to also use a U2F key to authenticate with your password manager; many websites like Dropbox and Google also allow a U2F key in the Google Chrome browser. Firefox is not yet supported.

-Two factor: make sure you change your email passwords as well and set up two factor authentication on those email accounts as described above.

-Banking: Get an RSA key fob. They are often free from your bank or broker. Also ask about other forms of two factor authentication; if they do not offer an RSA key, ask what options are available. Also ask how they protect your account when someone calls them. Often the biggest security risk to your account is customer service.

Passwords:

-Change the password for your cellular wireless carrier account in case the bad guy is calling your carrier to get access to your phone. Once again use fake questions and answers and a secret PIN if available. Keep those security questions private. For now don’t keep them electronically on your devices or computers; just keep them on a piece of paper at home, not on the computer you suspect.

-Never* use your work computer or a public computer to access sensitive accounts, in case a coworker or a hacker has gained access through your work systems. The same logic extends to public Wi-Fi: don’t ever log in to your accounts on free Wi-Fi without a VPN to encrypt your wireless traffic. One VPN service is privateinternetaccess.com, for your computer and phone; it’s around $40 a year. There are a lot of VPN service options out there.

-Use a password manager. I like Dashlane for simplicity; it costs $40 a year and works very well. This way every single website has a separate password and you just use a master password to access your password manager. 1Password is also very good and cheaper at $12/year, but more complicated; it uses either iCloud or Dropbox to store the information. A free option that works very well but is not as easy to use and is not really multi-device is the KeePass password manager.

-Check the email addresses that are linked to your account. You should only have the ones you intend associated and no more. If you have addresses you don’t use or don’t recognize then remove them.

*Always have your computer up to date on security updates.

*For checking for malware on my computer I often use Malwarebytes; it is free for basic stuff.

*For virus scanning, Windows Defender Offline is free, and Microsoft provides a download to create a bootable thumb drive you can boot into and scan for viruses and rootkits.

-Change your Wi-Fi password and router password, but mostly the Wi-Fi password. If it’s a Wi-Fi device provided by your internet provider, you may have to call them. Make sure you have WPA2 enabled on your wireless router.
-If all else fails: If none of these steps have worked, then someone may have a keylogger installed on your computer(s); consider reinstalling them from scratch, including the phones (a phone reset). If still on XP, upgrade to Windows 7 or 10, yesterday. If on Windows 7, consider upgrading to Windows 10. If on a Mac, consider reinstalling after backing up important files to a hard drive/thumb drive. If on an old version of macOS, upgrade.
Online vendor guides for hacked accounts

Look, I know this is a *lot* of information for the average person, but getting someone out of your systems can be a pain if they are motivated and know what they are doing. These are all steps I would consider in this situation, and I do them regularly. A lot of this stuff may sound like overkill, but it really isn’t anymore. The bad guys are really clever and the techniques are constantly evolving.

-Good luck


DISCLAIMER
MY THOUGHTS ARE MY OWN AND NOT THAT OF MY EMPLOYER. THERE IS NO GUARANTEE THAT THE STATEMENTS ABOVE WILL WORK. I PROVIDE NO EXPRESS OR IMPLIED WARRANTY.


by Dave via EasyMetaData