Tuesday, December 15, 2015

MetaDiver 2.4 is out! Tool for #metadata and #email review #dfir #infosec

I am pleased to announce that the latest version of MetaDiver (2.4.0) has been released.

In this release there are a lot of nice new features and improvements including a single download with outlook bitness detection, hex viewer, binary strings viewer (thanks to Eric Zimmerman’s excellent bstrings) and many more. The expiration date has been removed so it will no longer expire. You will notice the jump in versions since 2.2.1, this release is a cumulative release.

Website: MetaDiver homepage

## changelog (MetaDiver changelog)

v2.4.0
-added: copy cell contents in datagrid
-added: log window browse log folder
-added: update notification in status bar
-updated: bstrings to latest that can account for strings across sector boundaries
-added: when viewing tika strings of a email from a PST tika now shows just the selected message.
-fix: check for update bugfixes
-gui fixes and changes
-various bug fixes

v2.3.0
-Review: added Hex viewer
-Review: added binary strings viewer
-Review: added column filter by group
-Review: added open file and open file location
-removed expiration from MetaDiver
-email processing: updated dll's resolve outlook 2016 mapi bugs
-bugfixes
##

Send questions or issues to metadiver@easymetadata.com

Enjoy!
David

by Dave via EasyMetaData

Thursday, November 19, 2015

#MacOS #DiskUtil not logging erase action in #ElCapitan #dfir

I have been doing testing with MacOS 10.11, El Capitan. Specifically I wanted to see if erasing a disk or disk partition using DiskUtil would leave a DiskUtil.log as it did in previous versions of MacOS. So far I have been unable to cause a DiskUtil.log to get created. I have read that DiskUtil has been rewritten as an ‘overhaul‘ in El Capitan.

Questions

Has anyone experience the same lack of logging? Has the log been moved/combined with another log? If the logging has been moved, where is it now located?

If you have answers let me know!

-Dave


by Dave via EasyMetaData

Monday, September 21, 2015

MetaDiver – latest build update. New features, new look.

Version 2.2.1 has been released.

Summary

  • Support for TikaOnDotNet a .NET implementation of the Apache Tika framework using a .NET java runtime environment.
  • Support for ElasticSearch added.
  • Save case settings.
  • A lot of user interface improvements. I hope you agree!

Go get it!
Download MetaDiver


 

MetaDiver changelog

v2.2.1
-sqlite db handling improvements
-ui improvements
-bug fixes

v2.2.0
-New look and feel on main screen.
-Case Info added and persists.
-Case Settings cleaned up.
-various bugfixes and enhancements.

v2.1.9
-Elastic Search indexing added.
-Tika support added.
-Review window: Document Strings view using Tika.
-Tika instead of Shell for file metadata for other files (files without specific parsers).
-Tika now default for open office, .url, .exe and all misc types.
-Tika is now fallback for .msg, .eml and .emlx when outlook not installed or cdo not an option.
-Tika also gets used for other graphics/media files such as .tiff, .nef, .png and .gif, .mp3, .mp4, etc...

by Dave via EasyMetaData

Tuesday, August 18, 2015

MetaDiver 2.1.6 released

MetaDiver v2.1.6 has been released. This build fixes a bug in email mappings.

Download


by Dave via EasyMetaData.com

Thursday, August 13, 2015

MetaDiver 2.1 has been released #metadata #data #dfir #infosec

I’m excited to announce that MetaDiver 2.1 has been released! This is close to a full rewrite with better scalability. The ability to review metadata in MetaDiver has been greatly improved. The back-end has been rewritten to use SQLite. Many new documents are now handled including email archives,  Windows Shortcuts including lnk and jumplists, legacy doc 97 and archives.

Changes in 2.1

-Backend rewrite to SQLite
-Email header support added: MSG, PST, EML, EMLX.
-Email extended MAPI added – some extended mapi header information being added
-Legacy office doc’s ’97 support
-Windows Shortcut parsing LNK and Jumplists enumeration
-Archive enumeration (zip, 7z, arj, rar, gzip, bzip2, iso, vhd, vhdx, vmdk, cab)
-Command line version (basic functionality)
-Improvements to error handling when file permission denied (Users like to select the entire partition, click and forget…)
-large dataset support using paging.
-openxml office mapping bug fixes
-exif: bug fixes
-exif: user comments decoding hex added
-logging rewrite
-fixes for IO handling reparse and permission denied when reading full drive.
-Review form: panel’s are now sizeable
-Review form: column width’s are remembered
-Case path added
-UI improvements
-various bug fixes


by Dave via EasyMetaData.com

Thursday, July 30, 2015

Demystify Windows 10 – Tips, Tricks & Privacy?

So Windows 10 is out and I really like it so far. I’ve taken a few notes to help you on your journey. I’ll post more as I learn more.

1. You can defer upgrades and change how updates are installed to schedule a restart.

I’ve read multiple articles with the author complaining about updates being forced… This is not entirely the case.

To change the settings look under Settings -> Update & Security -> Windows Update – > Advanced Options. (Super easy). Change the selection for “Choose how updates are installed” to “Notify to schedule restart“.

Going forward Windows will be ask to schedule the next reboot instead of it happening automatically. This sounds very similar to Windows 7 and Server 2008 behavior.

2. Privacy – You should review these settings

Review your privacy settings because the default settings can send send a lot of information!

For example, Under Feedback & diagnostics take a look at Diagnotics and usage data. By default this is set to send a Full report. You can change this to Basic or Enhanced.

3. Speech, inking, & typing – if you read the description here it might raise hairs on your neck. My computer is going to listen to me and learn my writing?

If you aren’t cool with that turn it off. Sure sounds like what they are saying is statistics about me is going to the cloud to get analyzed for my own personal happy assistant. On the other my little digital assistant will eventually know me better than myself right?

4. You can send documents to different devices under Settings -> Storage

So say your C: drive is low on space you can set video’s to that extra drive while keeping pictures on your c: drive. Pretty cool feature.

5. Make text bigger (my favorite).

Scaling is much improved. Just go to Settings -> Display and you can just move the slider to the size you want your text to be. This is great for those of us with tired eyes and bad vision.

6. Sync Settings (are you sure???)

A really convenient feature introduced in Windows 8 and still going strong in Windows 10 is sync settings under Settings -> Accounts -> Sync your settings. It will sync your preferences, Windows settings, browser preferences and passwords.

@#@!#$%, what?, I’m hesitant to replicate what I do at home on another computer. Call me paranoid, but really, I’m not paranoid…I’m just informed. If you value your privacy then keep your settings, preferences and what you do on that PC at the PC and don’t sync them. The same goes for Chrome. If you log in to your browser you activity is going with you!

7. My Computer shows Recent files

I noticed was the replacement to My Computer shows Recent files you accessed automatically. This is really helpful to a user trying to remember the last few documents the had open before gorging at lunch and accidentally closing every program they had open when they got back to their desk after lunch.

For instigators it’s even more helpful. Sure, Recent files aren’t new but these MRU’s (most recent used) will be gold mines.


by Dave via EasyMetaData.com

Tuesday, June 23, 2015

MetaDiver: What’s coming in Alpha 3

The next alpha release of MetaDiver is coming together nicely.

Lots of new features in the works. Major new features being added. I’m still coding, plus better testing on various Windows environments before I put it out there for you to break further. I plan to post open source projects relied upon to github in accordance with individual license requirements and will be acknowledged and linked from the app. Some features will eventually be migrated to a paid version once I have time to do all of that.  For now though enjoy the free candy.

New features coming with v2.0.2 Alpha 3:

  • Email support – read headers (MSG, PST, EML) – including extended mapi goodies
  • Email – export to file (MSG or EML)
  • Windows shortcut parsing LNK and Jumplists
  • Legacy office doc’s ’97-2003 support added
  • Archive file enumeration (zip, 7z, arj, rar, gzip, bzip2, iso, vhd, vhdx, vmdk, cab)
  • Column width’s are remembered using sqlite settings database
  • Review form: panel’s are now sizeable
  • Transition to SQLite backend
  • Improvements to error handling when file permission denied (Users like to select the entire partition, click and forget…)
  • OpenXml document mapping bug fixes
  • DPI scaling improvements
  • Datagrid large dataset support for reviewing large amounts of information!
  • Various bug fixes and UI improvements
  • Other stuff I have forgotten

-Dave

If you have thoughts about MetaDiver you think would add value then please let me know! You can contact me on Twitter via direct message or just comment on this post.


by Dave via EasyMetaData.com

Github: My open source projects are being added

Github account created with open source projects being added.

http://ift.tt/1JhFL9M

 


by Dave via EasyMetaData.com

Friday, June 5, 2015

MetaDiver 2.0 Alpha2 released #dfir #ediscovery

The MetaDiver 2.0 Alpha2 has been released and available for download.

http://ift.tt/1Ke2KRX

  • Resolved crash on Windows Server 2008 due to VisualBasic PowerPack not installed with .Net on servers.
  • Various minor bug fixes and UI changes.

by Dave via EasyMetaData.com

Wednesday, May 20, 2015

Improving Windows External Device Investigations [updated] slides posted from #CEICCONF #DFIR

My slides for the talk I gave at CEIC 2015 on Improving Windows External Device Investigations have been uploaded. You can download them below.

Download: Slides for Improving Windows External Device Investigations


by Dave via EasyMetaData.com

Friday, May 15, 2015

Excited to be speaking on Improving Windows External Device Investigations at #CEICCONF next week #DFIR

Excited to be speaking on Improving Windows External Device Investigations at #CEICCONF next week. It’s almost time to talk digital forensics!


by Dave via EasyMetaData.com

Wednesday, March 4, 2015

MetaDiver 2.0 alpha – available for download!

MetaDiver 2.0 alpha is now available for download!


This is the first build after a major rewrite. I think you will like what you see but be sure to provide feedback on bugs so I can squash them!


Download the build: http://ift.tt/1BFPceC


Review changelog: http://ift.tt/1Ekt0H6


I hope you enjoy the MetaDiver! If you have feedback, positive comments, requests please leave them on the MetaDiver forum. Thanks!




by Dave via EasyMetaData.com

Wednesday, February 25, 2015

Disk Access in Python with libtsk (by HECF Blog)

If you have ever been looking for a way to access your computer disk without having to deal with user permissions and constrains the operating system enforces then this is the series to read.


David Cowen is working on an excellent series called “Automating DFIR” (Digital Forensics Incident Response) on his blog “Hacking Exposed Computer Forensics Blog”. The guide takes you step by step to from installing the dependencies to writing the Python code to access partitions and forensic images using an open source library called libtsk (The Sleuth Kit library). The libtsk library is cross platform meaning you an write code to access Windows, Linux and Mac systems using a fairly intuitive and consistent syntax. You won’t have any limitations on accessing special files as well. The big drawback to using this library has been the lack of documentation. With his blog series the is trying to get the word out with some practical examples for those in the community that are not yet aware or just don’t know where to start! My hope is that better information helps to expand the user base beyond just Forensics and Incident response because it can be applied to other industries in tech.


You can get started reading Part 1 of a 40 part series at the link below:


http://ift.tt/1LgGx2Y


Enjoy!




by Dave via EasyMetaData.com