
Tuesday, August 6, 2013

Daily Blog #43: Sunday Funday Winner 8/5/13

Hello Reader,
      Another Sunday Funday is behind us and some more great answers were given; thanks to everyone who submitted on Google+ and anonymously! I've learned from this week's challenge that I need to be a bit more specific to help elicit more focused answers; I'll make sure to do that for next week's challenge. This week Eric Zimmerman turned in a great answer, sharing the win with Jake Williams.

Here was the challenge:
The Challenge:     Since we are giving away a copy of Triage, let's have a question related to manually triaging a system.
For a Windows XP system:
You have arrived onsite at a third-party company that is producing a product for your company. It is believed that one of the employees of the company has exfiltrated the database of your customers' information that you provided for mailing and processing sometime in the last 30 days. While the third-party company is cooperating with the investigation, they will not allow you to image every system and take the images back to your lab. However, they will allow you to extract forensic artifacts to determine if there is evidence of exfiltration present, and will then allow a forensic image to be created and taken offsite.
With only forensic artifacts available and a 32 GB thumb drive, what artifacts would you target to gather the information you would need to prove exfiltration?

Here is Eric Zimmerman's winning answer:
Since this is a triage question, the goals are to get as much info in as short a time frame as possible. The idea is to cast as wide a net into a computer's data as possible and intelligently look at that data for indicators of badness.
I am not going to include every key, subkey, querying last write times/values and how to decode things from the registry, or otherwise mundane details. These steps should be automated as much as possible for consistency and efficiency anyway.
The first thing I would do is interview management at the company to find out what kind of usage policies they have: are employees allowed to install whatever software they want? Any access controls? Who has rights to where? What kind of database were my customers stored in? Who has rights to that database? And so on.
I would also ask management who their competitors are and then locate their web sites, domain names, etc.
Once I had the basic info I would assemble a list of relevant keywords (competitor names, relevant file extensions, etc). I would also look specifically for tools that can be used to connect to the database server and interact with it. This of course changes depending on which database it is (MySQL: I may look for PuTTY or other terminal programs; Oracle = the Oracle client; SQL Server = that client, LINQPad, etc.).
With that basic info in hand I would triage each computer as follows:
1. Collect basic system information such as when Windows was installed, last booted, etc.
2. Check running processes for things like cloud storage (Dropbox, SkyDrive, TeamViewer, other remote access tools).
3. Look for any out-of-the-ordinary file shares on the computer that can be used to access the computer from elsewhere on the network.
4. Check MRU keys for network shares, both mapped and accessed via command line.
5. Dump the DNS cache and compare against keyword lists.
6. Dump open ports and compare against a list of processes of interest.
Are any remote access tools running? File sharing?
7. Look to see what data, if any, is present on the clipboard. Are there any suspicious email addresses or the text of an email or other document? What about a file or a list of files?
8. Unpack all prefetch files and see what applications have been executed recently (certainly within the last 30 days, but expand as necessary). Again we key in on processes of interest, etc.
9. Look at all the installed applications on a computer and specifically those installed within the last 30 days.
10. Dump a list of every USB device ever connected to the machine including make, model and serial #. Also reference, when available, the last inserted date of the device. Cross reference this list with any issued thumb drives the company provided, from interviews. Make a note of any drive letters devices were last mounted to. Also process and cross reference setupapi.log for devices connected within the last 30 days.
11. Dump web browser history for IE, Firefox, Chrome, and Safari and look for keywords, competitor URLs, etc. Hone in on the last 30 days, but look for keywords through the entire history in case things were initiated previous to the data being exfil'ed. Look for hits against cloud storage, VNC, and similar.
12. Dump web browser search history including Google, Yahoo, YouTube, Twitter, social networks, etc. and again filter by the last 30 days with keyword hits across all date ranges. Also look for references to file activity such as file:///D:/somePath, etc.
13. Dump passwords for browsers (all of them), mail clients, remote access tools, network passwords (RDP, etc). Are any webmail addresses saved by the browsers?
14. Dump keys from the registry including CIDSizeMRU, FirstFolder, LastVisitedMIDMRU, LastVisitedMIDMRULegacy, MUICache, OpenSavePidlMRU, RDP sessions, RecentDocs, TypedPaths, TypedURLs, UserAssist, AppCompatCache and of course ShellBags. All of these keys should be checked for keyword hits as before. Specifically, look for any USB
15. Look for instant messaging programs and chat history for Skype, to include who they are talking to, if any files were transferred, and so on.
16. Look for any P2P programs that could have been used to exfil data.
17. Search the file systems for such things as archives, shortcut files (LNK), evidence-eliminator-type programs, drive and file wiping programs, etc. Cross reference any LNK files with paths used by USB devices and ShellBags to get an idea of what kinds of files were kept on any externally connected devices. Look inside any archives found (zip, rar, tar, 7zip, etc) for any keywords of interest (like a text file containing my customers). Filter based on MAC dates for files and of course look for keyword hits.
18. Look at event logs for relevant entries (what is relevant would be determined by how the computers are configured, what kind of auditing is enabled by the network admins, etc). Things like remote access and logins, program execution, etc. would be key here.
19. Time permitting, and based upon the results from above, use a specialized tool to unpack restore points and look for files as outlined above (LNK files, programs installed, etc).
20. Look in the Recycle Bin for files (hey, I've worked plenty of cases where the incriminating evidence was in there!).
21. Dump RAM and run a quick "strings" against the binary, then look for keywords. Going crazy with Volatility is beyond triage, so this will suffice.
Depending on where the database lives I would triage that system in the same way (if Windows based), but if it's MySQL on Linux or something I would review bash history files, sign-ins, FTP logs, etc. for signs of data being exfiled. I would look at the database log files for logins and, if available, SQL statements executed, errors, etc. from the last 30 days.
Finally I would ask about and review any web proxy logs or other logging systems the company has to look for suspicious activity.
All of this data would be automatically added to a timeline that could then be used to further narrow in on interesting periods of activity on each system.
With all the data collected I would want to start looking for default export names or extensions, keyword hits, and whatnot. The machines that have more indicators would go up on my list of machines to want to image. Machines with little to no indicators would be removed from consideration.
ShellBags are going to be a key artifact in this case because they contain sooo much good data on Win XP. What other files were on any external devices connected to the systems? Do I see the presence of "hacking" tools, FTP clients, PuTTY, etc? Are there folders or files indicative of my data or any of my competitors?
32GB is more than enough space to triage all the computers found at the business as there isn't a ton of need to copy files off the computer.
Now all those steps are a heck of a lot to do manually (and several of them would be near impossible to do by hand), so in my case I would just run osTriage on each computer and it would pull all that info (and more) in a few seconds. Add a bit of time to review the results and I would know which machines I wanted to image for a more thorough review.
With that info in hand I would most likely already know who exfiled the data, but I would still request an image be made of each machine where suspicious activity was found.
(All of those steps could be further unpacked, but since this is a triage-based Funday question my response is kept in true triage style: fast and just enough of a deep dive to hone in on computers of interest.)
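As an added example (this is not part of Eric's answer and not osTriage code), here is the setupapi.log cross-reference from item 10 above, in Python. Windows XP appends one [date time pid.seq Driver Install] section the first time a device's driver is installed; the #-019 hardware ID line and the USBSTOR\DISK&VEN_...&PROD_...&REV_...\<instance id> string in the #I124 line identify a USB mass-storage device. The log lines below are constructed to match that layout, the onsite date of 2013-08-06 (the day of this post) is an assumption, and the log only records the first time each device was connected, not later insertions; those live in the registry.

```python
import re
from datetime import datetime, timedelta

# XP setupapi.log layout assumed here: one "[... Driver Install]" header per
# first-time device install, followed by #-019 / #I124 lines.
HEADER = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]')
HWID = re.compile(r'^#-019 Searching for hardware ID\(s\): (.+)$')
INSTANCE = re.compile(
    r'USBSTOR\\DISK&VEN_([^&"]*)&PROD_([^&"]*)&REV_([^\\"]*)\\([^"\\]+)', re.IGNORECASE)

# Assumed onsite date for the 30-day window.
ONSITE = datetime(2013, 8, 6)

# Constructed sample log: three USB mass-storage installs and one unrelated PCI install.
SAMPLE_LOG = r'''[2013/06/02 08:15:41 1096.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskgeneric_flash_disk______8.07,usbstor\gendisk,gendisk
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\AA04012700013494&0".
[2013/07/10 11:02:00 1096.4 Driver Install]
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24d2&subsys_12345678&rev_02
#I124 Doing copy-only install of "PCI\VEN_8086&DEV_24D2&SUBSYS_12345678&REV_02\3&13C0B0C5&0&E8".
[2013/07/12 09:30:22 1096.5 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer_blade____1.26,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#I022 Found "USBSTOR\Disk" in C:\WINDOWS\inf\usbstor.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.26\4C530001230612108545&0".
[2013/07/29 17:02:10 1096.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskkingstondatatraveler_2.0pmap,usbstor\gendisk,gendisk
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\5&2B3C4D5E&0&1".
'''


def parse_setupapi(text):
    """Return one record per USB mass-storage device first seen in the log."""
    devices, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            # New install section; the timestamp is the system's local time.
            current = {"first_install": datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S"),
                       "hwid": None, "vendor": None, "product": None, "rev": None,
                       "serial": None, "windows_generated_id": False}
            continue
        if current is None:
            continue
        hw = HWID.match(line)
        if hw and current["hwid"] is None:
            current["hwid"] = hw.group(1).split(",")[0]
        inst = INSTANCE.search(line)
        if inst:
            vendor, product, rev, instance_id = inst.groups()
            # A '&' as the second character of the instance ID means the device
            # reported no serial number and Windows generated the ID itself.
            generated = instance_id[1:2] == "&"
            current.update(vendor=vendor, product=product, rev=rev,
                           serial=None if generated else instance_id.split("&")[0],
                           windows_generated_id=generated)
            devices.append(current)
            current = None  # one record per install section
    return devices


def within_window(devices, onsite, days=30):
    """Devices first connected in the `days` before the onsite date."""
    start = onsite - timedelta(days=days)
    return [d for d in devices if start <= d["first_install"] <= onsite]


if __name__ == "__main__":
    for d in within_window(parse_setupapi(SAMPLE_LOG), ONSITE):
        print(d["first_install"], d["vendor"], d["product"], d["serial"] or "(no serial)")
```

Devices outside the window are still worth keeping: a drive first seen months ago and mounted again last week shows up only in the registry's USBSTOR and MountedDevices keys, which is why the answer above pairs setupapi.log with the USB device list and drive letters.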

However, Special Agent Zimmerman cannot accept the prize. So Jake Williams's hard work in his winning answer, seen below, wins the prize of a one-year license of AccessData Triage:
 
What artifacts would you look for across multiple Windows XP machines with only a 32GB USB drive to hold them all?
So we think that an evil user exfiltrated a database we provided to the business partner.  Because of the verbiage, we’re working under the assumption here that they were provided with an actual database file (.mdb).
Great. That probably wasn’t bright. In the future, we should NOT provide the business partner the database file and rather provide secure and AUDITABLE access to the data.  This seems like a good idea. There are other issues here, such as revocation of access and even keeping the current data picture (including opt outs for example) that further reinforce why this is better than a file. So we should definitely provide auditable access to the DB in the future, not a database file.
For this writeup, I’ll focus on evidence of execution, evidence of access, and then touch on potential evidence of exfiltration.  Here’s why: under the best of circumstances, we can have a hard time finding evidence of exfiltration. But these aren’t the best of circumstances. 
1. We have no information about how the partner may have exfiltrated the data.  
2. We have limited space in which to collect our data for further probable cause.
We’re really looking for suspicious activity on the machines that will open the door to full images for a complete investigation.  For that reason, we have to keep the scope small and limit it to that which will cover the most ground.
Evidence of execution:
So the first thing I want is access to prefetch files on all the machines.  This is my first stop.  If the user exfiltrated the database AND we have a DLP solution in place, they may need to encrypt the file first. I’d want to look for rar.exe, winzip.exe, or 7z.exe to look for evidence of execution of those utilities. Also, we’re looking for evidence of execution of any anti-forensics tools (commonly used when users are doing illegal stuff).  As a side note here, I’ve performed forensic investigations where I’ve found stuff like wce.exe or other “hacking tools” in prefetch.  In at least one particular case, this discovery was not part of the investigation specifically.  However, the fact that we highlighted it bought us a lot of good will with the client (since this was an indicator of a compromise or an AUP violation).
We’d want to know if the users used any cloud services that aren’t explicitly allowed by policy.  For example, Dropbox, SkyDrive, GoogleDrive, etc. would be interesting finds.  While use of these services doesn’t necessarily imply evil, they can be used to exfil files.  Evidence of execution for any of these services would provide probable cause to get the logs from the devices.  For those who don’t know, this is a real passion of mine.  I did a talk at the SANS DFIR Summit looking at detecting data exfiltration in cloud file sharing services and the bottom line is that it isn’t easy. Because of the complexity, I expect criminals to use it more.  Those logs can contain a lot of information, but grabbing all logs in all possible user application directories might be too broad (especially given the 32GB USB drive limitation).  We’ll just start small with Prefetch. 
I’d also want to get uninstall registry keys (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall). My thoughts here are that 32GB is so little data for an enterprise that I’d be looking for evidence of programs installed that may have been used to read the data from the database or exfiltrate the data.  Again, this is so little data that we can store it easily.
UserAssist registry keys from all users would also be on my shopping list.  If the company uses a domain (and honestly what business doesn’t) this will be easier if roaming profiles are enabled.  We want to pull from these two keys for windows XP:
▪ HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\
▪ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\
Where GUIDs are usually {75048700-EF1F-11D0-9888-006097DEACF9} or {5E6AB780-7743-11CF-A12B-00AA004AE837}
 Again, I’m focusing on evidence of execution because space is tight. These entries won’t cover everything that was executed, generally it only includes items opened via Explorer.exe (double click).  Also, the entries are ROT13 encoded, but that’s easily overcome. Because it is possible that users deleted data, we might also want to grab UserAssist from NTUSER.DAT files in restore points.  This might be pushing the limit of my storage depending on how many machines our target has to triage (and how many Restore Points they each have).
Evidence of Access:
In this category, I’d be looking at MRU keys for Access.  Now these change with the version of MS Office, but a good starting point is to look in these subkeys in the user’s profile (where X.X is the version):
• Software\Microsoft\Office\X.X\Common\Open Find\Microsoft Access\Settings\Open\File Name MRU
• Software\Microsoft\Office\X.X\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU
• Software\Microsoft\Office\X.X\Access\Settings
Locating our filename doesn’t prove anything, presumably we gave it to them to open, but it gives us a start.
If we know that the file was placed on a network share with auditing enabled, we want to identify who had access to that share using the records in the Security event log.  If auditing wasn’t enabled, we may still be able to find evidence of failed logon attempts to the share in the event logs on the file server.  Successful connections to the share may be found in the MountPoints2 (Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2) key, so we want to grab that from users’ profiles.  Of course, it goes without saying that just because someone mapped a share doesn’t mean they even read our file (let alone exfiltrated it).
Event logs:
Depending on the event logs available, we may be able to tell if a user has accessed the database via an ODBC connector.  Usually users just open an Access file, but they could add it as an ODBC data source.  I don’t have my systems available here at DEFCON to do testing, but if the file was added as an ODBC source, there should be some remnants left over to locate.  But often these will show up in event logs. We want to check event logs for our database file name.
Possible Evidence of Exfiltration:
Firewall logs are another item I’d collect.  Yes, I know some people will laugh at me here, but we are looking for data exfiltration and that may have happened over the network.  If we have some idea of where the data was exfiltrated to, firewall logs, if enabled, are a useful source of information.  Fortunately for our case with only a 32GB USB drive for the whole network, the logs are capped at 4MB by default.  This allows us to collect a lot of them without taking up lots of space.  We could get logs from 100 machines and only consume 4GB of our space.
Setupapi.log is another file I’d like to collect.  This log shows first insertion time for USB devices (a common exfiltration point).  While this log can’t tell us if a file was copied to a USB, analyzing setupapi.log files over an enterprise can show patterns of USB use (or misuse).  Correlating that information with their security policy may yield some suspicious behavior that may be probable cause for further forensic images.
If there are other logs (from an endpoint protection suite) that log connections, I’d want to see if I could pull those as well.  While we’re at it, we’d want to filter event logs (particularly application event logs) for detection notices from the AV software.  What we are looking for here is to determine if any of the machines in scope have had infections since we turned over our database file.  We can filter by the log provider and we probably want to eliminate startup, shutdown, and update messages for the AV software.
If I had more space, I’d grab index.dat files from profile directories.  Depending on the number of systems and profiles, we’d probably run out of space pretty quickly though.  What we’re looking for here are applications that may use WinInet APIs and inadvertently cache information in index.dat files.  This happens sometimes in malware and certainly data exfiltration applications might also fit the bill.  However, my spidey-sense tells me that these index.dat files alone from many profiles/machines could exhaust my 32GB of space.
Parting thoughts:
Forensics where we rely on minimal information is a pain.  You have to adapt your techniques and triage large numbers of machines while collecting minimal data (32GB in this case).  I’d like to do more disk forensics and build timelines. I might even use the NTFS Triforce tool.  If this were a single machine we were performing triage on, then my answer would certainly involve pulling the $UsnJrnl, $LogFile, and $MFT files to start building timelines. The SYSTEM, SOFTWARE, and NTUSER.DAT hives on the machine would also be on my short shopping list.  However, over the multiple machines I believe the scenario covers, this just isn’t feasible in the space we’ve been given.
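Both answers lean on UserAssist (item 14 in Eric's list, and Jake's "Evidence of execution" section). As an added example that is not from either answer, here is the decoding step in Python for the Windows XP format: value names under UserAssist\{GUID}\Count are ROT13-encoded, and each value's data is 16 bytes, a session id (uint32), a run counter (uint32) and a last-run FILETIME (uint64); the XP counter starts at 5, so runs = count - 5. The three registry values below are constructed for illustration (the cmd.exe and E:\7z.exe entries are hypothetical), and the final helper picks out programs run from a drive letter other than the system drive, which is what you would cross-reference with the drive letters USB devices were last mounted to.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of XP UserAssist\{GUID}\Count values (name -> raw data).
SAMPLE_VALUES = {
    # UEME_CTLSESSION: session bookkeeping, not a run record (8 bytes on XP).
    "HRZR_PGYFRFFVBA": bytes(8),
    # UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe; count 12 -> 7 runs; last 2013-07-20 14:00 UTC.
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pzq.rkr": struct.pack("<IIQ", 3, 12, 130188024000000000),
    # UEME_RUNPATH:E:\7z.exe; count 6 -> 1 run; last 2013-07-20 15:00 UTC.
    "HRZR_EHACNGU:R:\\7m.rkr": struct.pack("<IIQ", 3, 6, 130188060000000000),
}


def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist_xp(values):
    """Decode XP-format UserAssist Count values into readable run records."""
    entries = []
    for rot_name, data in values.items():
        name = codecs.decode(rot_name, "rot_13")
        if len(data) != 16:
            continue  # not a 16-byte run record (e.g. UEME_CTLSESSION)
        session, count, ft = struct.unpack("<IIQ", data)
        entries.append({
            "name": name,
            "session": session,
            "runs": count - 5 if count >= 5 else count,  # XP counter starts at 5
            "last_run_utc": filetime_to_utc(ft).isoformat() if ft else None,
        })
    return entries


def runs_from_other_drives(entries, system_drive="C:"):
    """UEME_RUNPATH entries whose path sits on a drive other than the system drive:
    candidates to cross-reference with the drive letters USB devices were mounted to."""
    prefix = "UEME_RUNPATH:"
    hits = []
    for e in entries:
        if not e["name"].startswith(prefix):
            continue
        path = e["name"][len(prefix):]
        if len(path) >= 2 and path[1] == ":" and not path.upper().startswith(system_drive.upper()):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in decode_userassist_xp(SAMPLE_VALUES):
        print(e["last_run_utc"], e["runs"], e["name"])
```

UserAssist records only launches that went through Explorer, as Jake notes, so a program started from a command prompt will be missing here and has to come from Prefetch instead.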

I'll follow up this contest with how I approached this case in real life in a later blog post. I will say that in my case the first thing I did was triage which systems showed access to the database itself to create a pool of possible exfiltrators. Then I went back and started pulling the data discussed in our two winning answers! From there I was able to discover enough suspicious activity and patterns of access to the underlying data through the UserAssist, ShellBags and LNK files to get approval to create a forensic image.

Tomorrow we continue the web 2.0 forensics series as I look to see when I should stop and move on and then come back to it later with other services besides Gmail.

Daily Blog #42: Sunday Funday 8/4/13

Hello Reader,
           It's that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have quite the prize from our friends at AccessData. 

The Prize: a one-year license of AccessData Triage.
The Rules:
  1. You must post your answer before Midnight PDT (GMT -7)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
     Since we are giving away a copy of Triage, let's have a question related to manually triaging a system.

For a Windows XP system:

You have arrived onsite at a third-party company that is producing a product for your company. It is believed that one of the employees of the company has exfiltrated the database of your customers' information that you provided for mailing and processing sometime in the last 30 days. While the third-party company is cooperating with the investigation, they will not allow you to image every system and take the images back to your lab. However, they will allow you to extract forensic artifacts to determine if there is evidence of exfiltration present, and will then allow a forensic image to be created and taken offsite. 

With only forensic artifacts available and a 32 GB thumb drive, what artifacts would you target to gather the information you would need to prove exfiltration?

Good luck! I look forward to your answers. 

Saturday, August 3, 2013


Daily Blog #41: Saturday Reading 8/3/13

Hello Reader,
           It's Saturday and after a long week of working (heck, you might be in the office working right now), it's time to let the disks image, the indexes run and the hashes hash while you sip some coffee and do some forensic reading.

1. If you haven't watched/listened to it already, we had a pretty great Forensic Lunch yesterday; you can watch it here: http://www.youtube.com/watch?v=UG8ZZM7S5nk. This week we talked about HTML5 offline caching in Gmail with Blazer Catzen, the life of an internal corporate forensics person with Brandon Foley, Shadow Kit with David Dym and updates to some OSX forensics and the Triforce. Give it a watch, and next week you can watch us live and participate here: Google+ Event.

2. Speaking of Blazer Catzen, he had a great presentation at Techno Forensics on file system tunneling. He said we could upload and share the slides from his presentation, and you can download them here: click here for the zip of the presentation and reference spreadsheets

3. In the Forensic Lunch I talked about an article from a couple years ago describing the offline gmail storage we were talking about and the risks to the user, you can read it here http://geeknizer.com/pros-cons-of-html-5-local-database-storage-and-future-of-web-apps/

4. I'm a big fan of WinFE, and over on the WinFE blog they had a good write-up on getting WinFE to build with Autopsy 3. If you are looking for a free and open source portable toolkit that's still Windows based, read about how to get it all together: http://winfe.wordpress.com/2013/07/15/more-on-winfe-and-autopsy/.

5. We talked about Shadow Kit this week, so here's a link to read more about it and grab a copy: http://redrocktx.blogspot.com/p/shadowkit.html. You should then read this post, http://redrocktx.blogspot.com/2012/04/shadowkit-working-with-disk-images.html, which is a great write-up on how to get your forensic image into a VHD format so Windows will treat it as a physical local device rather than as a network attached device, as it does with FTK Imager and other mounting techniques.

6. If you are working with Windows 8 or Windows Server 2012 then you'll be happy to read the latest SANS blog entry by Chad Tilbury pointing out which tools now support their memory structures, you can read it here: http://computer-forensics.sans.org/blog/2013/07/30/windows-8-server-2012-memory-forensics.

7. A new blog I found, which was just updated this week, is from French expert Zythom. He has a humorous yet factual write-up of a case he worked on and his process and approach: http://zythom-en.blogspot.com/2013/07/filling-up-on-pr0n.html.

That's what I have for you this week. Have an article or blog that you think I'm missing? Leave a comment and leave a link; I'm always trying to learn more and find more researchers who are sharing their data. 

Daily Blog #40: Web 2.0 Forensic Part 5

Hello Reader,
                    In the previous posts in this series we've focused on what you can recover from web 2.0 sites, how data sits on the disk and how data is transmitted across the network. In this post we talk about what these message fields mean and how to build a quick carver for them. Tomorrow is Saturday Reading and I will be including a link to today's Forensic Lunch cast, which I think was the best so far!

Mail folder summary view versus Mail folder full view:
What I noticed in viewing the data as it went across the network is that there are two distinct types of data streams being sent, at least to Chrome. The first is the page of the mailbox you requested, which contains the message summaries as well as the message contents themselves. The second is additional pages of the mail folder being viewed, where only the message summaries are sent and cached for faster loading for the user.

The full view is the first page sent and contains data in two sections. The first is the message summary; for example, here is a message summary for my daily win4n6 mailing list digest:

,["cs","140395ee6229f7d4","140395ee6229f7d4",1,,,1375366638336000,"140395ee6229f7d4",["140395ee6229f7d4"]
,[]
,[]
,[["140395ee6229f7d4",["^all","^i","^smartlabel_group","^unsub"]
]
]
,,,[]
,[["","win4n6@yahoogroups.com"]
,["No Reply","notify-dg-win4n6@yahoogroups.com"]
]
,,,[]
,[]
,,,"Digest Number 1388","[win4n6] Digest Number 1388"]
,

Each section of the inbox view with full messages starts with ["cs" (which I'm guessing means 'content start') and ends with ,["ce"] as shown below. 
]
,0]
,["ce"]
So we can recover full messages with a regex as simple as 
(\["cs",.+\["ce"\]) 

However, this is a greedy expression: the .+ will run from the first ["cs" to the last ,["ce"] in the data, so a single match may capture multiple messages. Making the quantifier lazy, (\["cs",.+?\["ce"\]), and running it with the dot-matches-newline option set (the fragments span many lines) stops each match at the first ,["ce"] that follows its ["cs".

Other fields of interest in the header include the message number internally assigned by Gmail, seen here as "140395ee6229f7d4", the message sender "win4n6@yahoogroups.com" and the subject "[win4n6] Digest Number 1388". 

When the content of the message begins you will see ["ms", which again I can only assume is short for 'message start', as seen below:

["ms","140395ee6229f7d4","",4,"win4n6@yahoogroups.com","","win4n6@yahoogroups.com",1375352053000,"There are 5 messages in this issue. Topics in this digest: 1a. Re: TightVNC F...",["^all","^i","^smartlabel_group","^unsub"]
,0,1,"[win4n6] Digest Number 1388",["140395ee6229f7d4",["win4n6@yahoogroups.com"]
,[]
,[]
If this is a mail folder summary view (which I've seen for pages preloaded after the first), this would be the end of the content cached and retrievable. If this is the first page of the mail folder, it will be followed by the text of the message itself:

,["No Reply \u003cnotify-dg-win4n6@yahoogroups.com\u003e"]
,"[win4n6] Digest Number 1388","There are 5 messages in this issue.\... Huge message digest here removed for readability\n",[[]
,[0]
,"",[]
]
,0,[[]
,[["win4n6","win4n6@yahoogroups.com"]
]
,[]
,[]
,[]
,[]
]
,"Thu, Aug 1, 2013 at 5:14 AM",[]
,1,0,0,0,1,"returns.groups.yahoo.com","yahoogroups.com","","\u003c1375352053.298.19336.m7@yahoogroups.com\u003e","[win4n6] Digest Number 1388","\u003cwin4n6.yahoogroups.com\u003e",,[0]
,,[]
,,0,[0]
,-1,,,[]
,[]
,0,0,1,0,0,,,[]
,,5314,-1]
,,0,"5:14 AM","5:14 am",0,,,"",["en"]
,0,"Thu, Aug 1, 2013 at 5:14 AM",[]
,,,,0,,"win4n6.yahoogroups.com",,0,1,"","win4n6@yahoogroups.com",[[]
,[["win4n6","win4n6@yahoogroups.com"]
]
,[]
,[]
,[]
,[]
]
,-1,,,,"yahoogroups.com",,[]
,[[[2013,7,31,5,37,,0,0]
,,"Wed Jul 31, 2013 5:37 am",0,0,0,0]
,[[2013,7,31,10,6,,0,0]
,,"Wed Jul 31, 2013 10:06 am",0,0,0,1]
,[[2013,7,31,8,28,,0,0]
,,"Wed Jul 31, 2013 8:28 am",0,0,0,3]
,[[2013,7,31,8,42,,0,0]
,,"Wed Jul 31, 2013 8:42 am",0,0,0,4]
,[[2013,7,31,8,50,,0,0]
,,"Wed Jul 31, 2013 8:50 am",0,0,0,6]
]
,0]
,["ce"]
You'll notice there is no matching message end ("me") for the message start ("ms") as there was in the cs/ce pairing earlier. Instead the message ends with some index data about the other messages in the thread, so Gmail can display them easily, and finishes with ,["ce"] again.
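As an added example (not the post's own code), here is a small Python carver built on the cs/ce and ms structure described above: it shows why the greedy pattern collapses a whole fragment into one match, splits on a lazy version instead, and pulls the Gmail message id, sender, subject and snippet out of each ["ms" record. The sample fragment is constructed from the digest quoted in the post plus a second invented message, and the code assumes the numeric field after the repeated sender address is Unix time in milliseconds (consistent with the displayed 5:14 AM for a UTC-5 time zone).

```python
import re
from datetime import datetime, timezone

# Constructed sample: two cached messages modelled on the fragments quoted in
# the post (bodies dropped; the second id, address and subject are invented).
SAMPLE = (
    ',["cs","140395ee6229f7d4","140395ee6229f7d4",1,,,1375366638336000,"140395ee6229f7d4"]\n'
    ',[["","win4n6@yahoogroups.com"]\n,["No Reply","notify-dg-win4n6@yahoogroups.com"]\n]\n'
    ',,,"Digest Number 1388","[win4n6] Digest Number 1388"]\n'
    '["ms","140395ee6229f7d4","",4,"win4n6@yahoogroups.com","","win4n6@yahoogroups.com",'
    '1375352053000,"There are 5 messages in this issue.",["^all","^i"]\n'
    ',0,1,"[win4n6] Digest Number 1388",["140395ee6229f7d4",["win4n6@yahoogroups.com"]\n,0]\n,["ce"]\n'
    ',["cs","1403a1b2c3d4e5f6","1403a1b2c3d4e5f6",1,,,1375366638336000,"1403a1b2c3d4e5f6"]\n'
    '["ms","1403a1b2c3d4e5f6","",4,"alice@example.com","","alice@example.com",'
    '1375400000000,"Q3 numbers attached",["^all","^i"]\n'
    ',0,1,"Q3 numbers",["1403a1b2c3d4e5f6",["alice@example.com"]\n,0]\n,["ce"]\n'
)

# The post's pattern with DOTALL: greedy ".+" runs on to the LAST ["ce"], so the
# whole fragment is one match (without DOTALL "." never crosses the newlines).
GREEDY = re.compile(r'\["cs",.+\["ce"\]', re.DOTALL)
# Lazy ".*?" stops at the first ["ce"] after each ["cs": one match per message.
LAZY = re.compile(r'\["cs",.*?\["ce"\]', re.DOTALL)
# ["ms" record: id, "", kind, sender, "", sender again, timestamp, snippet, ...
MS_HEADER = re.compile(
    r'\["ms","(?P<id>[0-9a-f]+)","[^"]*",\d+,"(?P<sender>[^"]*)","[^"]*","[^"]*",'
    r'(?P<ts>\d+),"(?P<snippet>(?:[^"\\]|\\.)*)"')
# The subject is the string after the ",0,1," that follows the label list.
SUBJECT = re.compile(r'^,0,1,"(?P<subject>(?:[^"\\]|\\.)*)"', re.MULTILINE)

def split_messages(blob, pattern=LAZY):
    """Return each ["cs" ... ["ce"] block of a cache fragment as a string."""
    return [m.group(0) for m in pattern.finditer(blob)]

def parse_block(block):
    """Extract the triage-relevant fields; None for a summary-only block."""
    hdr = MS_HEADER.search(block)
    if hdr is None:
        return None
    subj = SUBJECT.search(block)
    # Assumption: the numeric field is Unix time in milliseconds.
    when = datetime.fromtimestamp(int(hdr["ts"]) / 1000, tz=timezone.utc)
    return {"id": hdr["id"], "sender": hdr["sender"],
            "subject": subj["subject"] if subj else None,
            "snippet": hdr["snippet"],
            "date_utc": when.strftime("%Y-%m-%d %H:%M:%S")}

def carve(blob):
    """Carve every message record out of a fragment, one dict per message."""
    return [r for r in map(parse_block, split_messages(blob)) if r]
```

Running carve() over a real carved fragment gives one dict per cached message; a block without an ["ms" record (a preloaded summary page) is skipped rather than mis-parsed.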

For each message retrieved from Gmail you'll find these pairings. On Tuesday I'll dig into the JavaScript that interprets this data to see if we can find more data points for analysis. Until then, happy hunting for Gmail fragments, and I hope you stick around for tomorrow's Saturday reading and Sunday Funday!

Friday, August 2, 2013

Forensic Lunch 8/2/13

Hi there Reader,
           Just a reminder that in an hour we will be doing a Forensic Lunch broadcast.

To watch live and ask questions go here:
http://ow.ly/nzLd4

I'll update the event with a link to the broadcast.

If you can't make it, don't worry! I'll have a recording up after the event ends on our YouTube channel here:
http://www.youtube.com/user/LearnForensics

Hope to see you there!

Download AVG Free Edition 2013.0.3392 Final, Latest Update August 2013

AVG Antivirus logo
Here is the latest antivirus software: Download AVG Free Edition 2013.0.3392 32-bit/64-bit. Download the new AVG update, latest 2013 version, free offline installer. AVG AntiVirus Free Edition is an antivirus that provides protection against virus and spyware attacks for the Windows operating system.

AVG has released the latest update of AVG Antivirus Free Edition, namely AVG Free Edition 2013.0.3392, available for free download. In addition, a new feature has been added, LinkScanner® Active Surf-Shield, which checks whether a web page is safe or not when you click a link.

The speed with which AVG Antivirus detects dangerous virus threats running on your computer makes AVG one of the antivirus products we can rely on for our computer security. Its very user-friendly interface makes this antivirus easy to operate, as proven by its more than 80 million users.

Screenshot:
AVG Free Edition 2013.0.2890 (32-bit) - Latest AVG 2013

AVG Anti-Virus Free has the following features:
  • Award-winning antivirus and antispyware
  • Real-time safe internet surfing and searching
  • Quality proven by 80 million users
  • Easy to download, install and use
  • Protection against viruses and spyware
  • Compatible with Windows 7, Windows Vista and Windows XP
Download from Filehippo:
Hope this is useful ^_^

Free Download Google Chrome 28.0.1500.95 Final, Latest Update

Google Chrome
Free Download Google Chrome 28.0.1500.95 Offline Installer - New Free Update, Google Chrome Final Version, Latest Update 2013 - Google Chrome Final has now been updated to version 28.0.1500.95, which is currently available for all supported platforms (Windows, Mac, Linux, and Chrome Frame).

Google Chrome is a browser with a minimal design but very sophisticated technology, built to make the web faster, safer, and easier.

Google Chrome has a clean and pleasant interface, and not only that, we can also easily apply themes so everyone can choose according to their own taste. The interface is designed to be very minimalist, with just an address bar that shows all the buttons a user might need for navigation.

Chrome Screenshot

Google has provided millions of extensions that we can install through the comprehensive Web Store; we can find all kinds of applications or extensions, from education to games, lifestyle and blogging, and many more extensions or applications are provided.

Google Chrome is very secure, and if an error occurs it is very easy to deal with. When we visit more than one website and one of the web pages crashes, we only need to close that tab (the page that crashed), without having to close the whole browser.

Its free license (freeware) and frequent updates have given this browser an ever-growing user base; it is designed with a simplicity that is easy on the eyes, and its wide range of additional application features (add-ons) has made this browser very popular.

This version does not say much about the changes made; it is only a build that addresses some known regressions and stability issues.

DOWNLOAD FILE:
Title: Google Chrome 28.0.1500.95 Final
Filename: 28.0.1500.95_chrome_installer.exe
File size: 32.23MB
OS: Windows XP / Vista / Windows7 / XP64 / Vista64 / Windows7 64 / Windows8 / Windows8 64
Language: Multiple languages
License: Open Source
Author: Google (www.google.com)

Please download Google Chrome 27.0.1453.110 Final Version via the download link below:

The updates in this Final version are:
# Fixes:
- Origin bypass in frame handling.
- Type confusion in V8.
- Use-after-free in MutationObserver.
- Use-after-free in DOM.
- Use-after-free in input handling.
- Various fixes from internal audits, fuzzing and other initiatives.

Source: Filehippo.com

Free Download Flash Player 11.8.800.129 Beta, Latest Update

Flash Player
Free Download Adobe Flash Player 11.8.800.129 Beta (Non-IE), New Latest Update 2013 - This is Flash Player version 11.8.800.129, which contains stability and security fixes. Download the free Flash Player offline installer.

Adobe Flash Player is a browser plugin that delivers high-quality content to your computer and works with almost all popular browsers.

By installing the Adobe Flash Player runtime, you will be able to access the highest-quality online streaming content smoothly, and also play HD video online right inside your browser window.

Adobe Flash Player works on the most popular browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera.

Adobe Flash Player has become an essential install on every computer, because it is needed to enjoy internet content that depends on your browser's plugin display performance.

Adobe Flash Player has been installed on more than 750 million Internet-connected desktops and mobile devices; Flash Player enables organizations and individuals to build and deliver great digital experiences to their users.
  • Immersive experiences with Flash video, content and applications in full-screen mode.
  • Low-bandwidth, high-quality video with advanced compression technology.
  • High-fidelity text using an advanced text rendering engine.
  • Real-time dynamic effects with filters for Blur, Drop Shadow, Glow, Bevel, Gradient Glow, Gradient Bevel, Displacement Map, Convolution, and Color Matrix.
  • Innovative media composition with 8-bit alpha channel video.
  • Blend modes, radial gradients, and stroke enhancements.
  • Additional image formats: GIF, Progressive JPEG, and PNG.
  • This download is a standalone installer for Firefox, Opera and other Gecko-based browsers.
Please download by clicking the Download Link below, which goes through the official Adobe Flash Player site.
Older versions of Flash Player can be downloaded from Adobe at http://www.adobe.com/go/tn_14266

This Flash Player 11.8.800.129 Beta (Non-IE) version contains several stability fixes and security improvements. Please download this latest update.

Download Freemake Video Converter 4.0.3.0 Final, Latest Update

Freemake Video Converter
Free Download Freemake Video Converter 4.0.3.0, New Latest Update 2013 - Free Freemake Video Converter Full Version - Freemake Video Converter is a converter application that can encode videos in several formats to other formats, including AVI, MP4, MPEG, WMV, 3GP, DVD, HD, MKV, MP3, WMA, FLAC and many more.

The application also comes with a very intuitive and attractive interface. You can also drag and drop to add files to the conversion queue, view thumbnails, total duration and audio/video settings, and preview videos in an external media player.

You can also encode files to AVI, MP4, WMV, DVD, MP3, Apple, Blu-ray and other profiles, and in doing so configure the frame size, width and height, adjustment, video codec, frame rate and bitrate, as well as the audio codec, channels, sample rate and bitrate.

Freemake Video Converter 4.0.0.15

DOWNLOAD FILE:
Title: Freemake Video Converter 4.0.3.0
Filename: FreemakeVideoConverter_4.0.3.0.exe
File size: 26.94MB
OS: Windows
Language: Multiple languages
License: Free
Author: Ellora Assets Corporation (www.freemake.com)

Click the download button below to download Freemake Video Converter 4.0.3.0:

What's New in Freemake Video Converter 4.0.3.0?
- Added the support for Fraps files
- Added the possibility to convert 10bit video
- Added the possibility to convert DV AVI files
- Added the possibility to decode WAV files with DTS codec
- Added the possibility to convert MP3 files with MPEG audio codec
- Added the possibility to convert AMR files
- Fixed the issue with incorrect audio detection
- Fixed the issue with incorrect aspect ratio detection
- Fixed the issue with MOV files opening
- Fixed the issue with M2V files conversion
- Fixed the issue with TRP files conversion
- Fixed the issues with cut function
- Fixed the issue with opening DVD disks with CPPM protection
- Fixed the issue with opening many audio/video/DVD/URLs files at once
- Fixed the issue with autocrop
- Fixed the issue with adding Freemake logo to short videos
- Fixed the issue with desynchronizing of audio and video after editing
- Fixed the issue with converting to PSP, iPad 3
- Fixed the issue with displaying files with Display Aspect Ratio
- Fixed the issue with download from YouTube, YouTube Vevo, Dailymotion

Source: Filehippo.com