Friday, November 26, 2010

Encase v6 Comprehensive Internet History Search and Firefox Mork Databases

Encase version 6 now includes considerable functionality in recovering Internet History records for a number of browsers.

In a recent case using v6.12.1 I ran a search for Internet history with the Comprehensive search option selected. My results included relevant hits in unallocated clusters which Encase attributed to Mozilla History/Forms. The results are recorded within the Encase Records tab, and when highlighting a record some data was highlighted in the view pane which made me scratch my head - and luckily loosen some cobwebs in a long ago abandoned area of my brain. What was Encase showing me?

My suspect was using Firefox version 1.8. Firefox can save (subject to user configuration) information entered into web forms and the search bar, to make form filling and searching faster. This information is saved in a file named formhistory.dat. Encase had found data within unallocated clusters that was a fragment of a deleted formhistory.dat file. In this version of Firefox, formhistory.dat contained a Mork database. Encase had highlighted in the view pane what I will loosely refer to as the address of the data that it had parsed out:

[8(^83^83)(^82^8A)]

To understand this better we need to look more closely at all the data in the database. Because the hit was in unallocated clusters I needed to find the start of the deleted formhistory.dat file. The file signature is highlighted in the screenshot below, so I scrolled up in the view pane, found this header, swept down to the footer (which is the } after the last address) and exported the data out as a file.

Open the file with Notepad and find/replace all the $00 strings with an empty string. The file now looks a lot more readable

In the example we are working through, the address we are interested in is

[8(^83^83)(^82^8A)]

which is shown in red at the bottom of Screenshot 4 above. This address is a row within the Mork database. The row is delimited with open and close square brackets [] and is made up of a Row Object ID followed by a series of cells delimited by open and close round brackets (). Each cell contains a column name and a value.

The column names are defined within a dict delimited with <>, shown in green at the start of Screenshot 4 above. It can be seen that two column names are relevant here, name and value, given object IDs of 83 and 82 respectively.

The values are defined within the next dict down. The ones relevant to our address are shown in red.

[8(^83^83)(^82^8A)]

decodes to

[8(^Name^searchbar-history)(^Value^vmware fusion)]

The Name column contains the type of record - searchbar-history means what it says on the tin; other values may relate to various fields found on web page forms. The query field on the Google Firefox start page is represented by q.
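To show the decoding step above in code rather than by hand, here is a small Mork reader added to this post; it is not part of the original article nor code from Guidance Software or Mozilla. It reads a constructed formhistory.dat-style fragment (the sample rows, values and null bytes are made up to match the structure described above, not the suspect's data), strips the null bytes, tells the column dict (the one carrying (a=c)) apart from the value dict, and resolves each row's ^column^value references back to names, which is exactly how [8(^83^83)(^82^8A)] becomes the decoded row. Its handling of transaction group markers, of nested tables and of $hh and backslash escapes goes slightly beyond what the post walks through, so that it also copes with an intact file; a fragment that is cut off mid-group raises an error rather than returning a partial row.

```python
import re

# Constructed sample (not the suspect's file), shaped like a Firefox formhistory.dat:
# header, column dict in atom scope "c", value dict, transaction-group markers and a
# table of two rows. Row 8 is the address from the post; the nulls stand in for $00.
SAMPLE_MORK = (
    b'// <!-- <mdb:mork:z v="1.4"/> -->\n'
    b"< <(a=c)> (80=ns:formhistory:db:row:scope:formhistory:all)\n"
    b"  (81=ns:formhistory:db:table:kind:formhistory)(82=value)(83=name)>\n"
    b"<(8A=vmware fusion)(83=searchbar-history)(8B=q)(8C=encase$20mork)>\n"
    b"@$${1{@{1:^80 {(k^81:c)(s=9)}\n  [8(^83^83)(^82^8A)]\x00\x00\n"
    b"  [9(^83^8B)(^82^8C)]\n}@$$}1}@\n"
)

COMMENT_RE = re.compile(r"^\s*//[^\n]*", re.M)             # the header comment line
GROUP_RE = re.compile(r"@\$\$[{}][0-9A-Fa-f]+[{}]@")        # @$${id{@ ... @$$}id}@ markers
ESCAPE_RE = re.compile(r"\$([0-9A-Fa-f]{2})|\\(.)", re.S)   # $hh hex byte, \c literal c


def unescape(literal):
    """Decode Mork literal escapes: $hh is a hex-encoded byte, \\c is a literal c."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), literal)

def scan_group(text, start, open_ch, close_ch):
    """Return (body, index after close) of the group opening at text[start]."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        i += 1
        if c == "\\":                                  # backslash escapes the next character
            i += 1
        elif c == "(" and open_ch != "(":              # cells are opaque to the outer group:
            i = scan_group(text, i - 1, "(", ")")[1]   # a literal may hold any unescaped byte but ')'
        elif c == open_ch and (open_ch != "(" or depth == 0):
            depth += 1
        elif c == close_ch:
            depth -= 1
            if depth == 0:
                return text[start + 1:i - 1], i
    raise ValueError(f"unterminated {open_ch} group at offset {start}: fragment is cut short")

def cells(body):
    """Yield the text inside each top-level (...) cell of a dict or row body."""
    i = 0
    while i < len(body):
        if body[i] == "(":
            cell, i = scan_group(body, i, "(", ")")
            yield cell
        else:
            i += 2 if body[i] == "\\" else 1

def parse_dict(body, columns, atoms):
    """A dict carrying (a=c) defines column names; any other dict defines values."""
    entries = list(cells(body))
    target = columns if "a=c" in entries else atoms
    for entry in entries:
        ident, sep, literal = entry.partition("=")
        if sep and entry != "a=c":
            target[ident.lower()] = unescape(literal)

def parse_row(body, columns, atoms):
    """Decode 'ID(^col^val)(^col=literal)...' into {"_row": ID, column name: value}.
    '^' marks a reference into the value dict, '=' an inline literal."""
    row = {"_row": re.match(r"[^(]*", body).group().strip().split(":")[0]}
    for cell in cells(body):
        if not (m := re.match(r"(\^?)([^=^]+)([=^])(.*)", cell, re.S)):
            continue
        ref, col, kind, rest = m.groups()
        name = columns.get(col.lower(), col) if ref else col
        row[name] = atoms.get(rest.split(":")[0].lower(), rest) if kind == "^" else unescape(rest)
    return row

def walk(segment, columns, atoms, rows):             # dicts, rows and (nested) tables
    i = 0
    while i < len(segment):
        c = segment[i]
        if c == "<":
            body, i = scan_group(segment, i, "<", ">")
            parse_dict(body, columns, atoms)
        elif c == "[":
            body, i = scan_group(segment, i, "[", "]")
            rows.append(parse_row(body, columns, atoms))
        elif c == "{":
            body, i = scan_group(segment, i, "{", "}")
            walk(body, columns, atoms, rows)          # a table holds rows plus a {...} metadata block
        else:
            i += 1

def parse_mork(raw):
    """Parse a (possibly fragmentary) Mork file into (columns, atoms, rows)."""
    text = raw.replace(b"\x00", b"").decode("latin-1")   # the post's $00 removal step
    columns, atoms, rows = {}, {}, []
    walk(GROUP_RE.sub("", COMMENT_RE.sub("", text)), columns, atoms, rows)
    return columns, atoms, rows

def render_row(row):
    """Write a decoded row back in the post's [id(^name^value)...] notation."""
    body = "".join(f"(^{k}^{v})" for k, v in row.items() if k != "_row")
    return f"[{row['_row']}{body}]"
```

Feeding the exported fragment to parse_mork and printing render_row for each row reproduces the decoded form shown above, with the dict's own column names (name, value) in place of the hand-written Name and Value. Dict object IDs are only meaningful within their own dict, which is why 83 can be both the name column and the searchbar-history value; the reader keeps the two dicts separate for that reason.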

Encase does not report these records particularly well. I chose to export the relevant records into a spreadsheet and manually add the physical sector and sector offset of each row.

References
https://support.guidancesoftware.com/forum/showpost.php?p=115379&postcount=2
http://www.mozilla.org/mailnews/arch/mork/primer.txt
https://developer.mozilla.org/en/Mork_Structure

How To Load DD Images into EnCase

If you are dealing with a forensic hard drive copy that is in DD format, it is a simple but not intuitive process to load that drive image into EnCase.

Here's how you do it.

Step 1: From the File menu, select Add Raw Image.

Step 2: Select the type of image you need to load. In this example I am going to load a Disk Image.

Step 3: Right-click in the Component Files area and select New.

Step 4: Browse to the folder containing the image parts and sort them in ascending order.

Step 5: Select all of the parts of the DD image.

Step 6: Click OK to load the image parts into the Component Files dialog.

Step 7: Click OK again to load the parts into EnCase.

You should now see the drive image correctly mounted in EnCase.
