
Useful Foundstone tools

Dec 12, 2006 in Security


Dump Firefox AutoComplete Data:

This program dumps all the form entries stored by the Firefox browser. I work with Firefox regularly and usually let it keep non-sensitive values in its form auto-complete database. It also keeps the contents of search-engine forms, which can be used when we need to know whether a suspect searched for a specific topic, and this may give us some clues about it.

I found some interesting information in my own AutoComplete data; I have collected part of it and describe it below:


Hi peter
Fwd: Ploter-Role-Paper
Fwd: Price-List
Fwd: Re: Hi
Fwd: liste gheymate khaghaz plotter roli......
Re: Anti-Spam Features
Re: Anti-Spam Features Follow-up
Re: Re: Anti-Spam Features
az tarafe man !!!
nice to hear from you :-
test

As you can see, the subjects of the e-mails I have sent so far are stored in this XML output. Moreover, if I know which webmail system uses “Subj” as the name of its subject text field, I may be able to identify the user name and e-mail address as well!

Take a look at this one:


sarbanha


.....@yahoo.com

As you can see, these values (shown in red in the original) may reveal facts about my Yahoo mail user ID and e-mail address that should be studied and searched.

Search boxes contain a great deal of information about the criminal; collecting this information is useful for revealing the criminal's areas of interest. Look at the following sample:


('E4'/
('E4'1
*BHE ED'/ (G 4E3
007 Key logger
4GL programming languages
AD*1 4F
Academic Press
Access, Internet, and Public Libraries filetype:pdf
Active Code Review
Avaro
Axis 211 Outdoor 290B BDL
Bare Bones language
Campus networking solutions
Cisco Virtual interface
Cisco Virtual interfce
City Facilities
Collin
Computer Forensics Laboratory Personnel
DOI 10.1109/MS.2002.1003455
DWL-3200ap
David Wang
Dell 5100c
Developers and testers relationship
Digital Evidence and computer Crime
Digital Object Identifier 10.1109/CCECE.2005.1557152
Dubai Hotels
Ethernet checksum error
Exensys mail server
Factbook 2006
Fiber Optic
Fiber Optic Solutions
Forensic Labratory Equipments
Forensic compression
Forensic compresstion
French quotes
How can I forward traffic from Cisco to another host
How to prevent windows to show last login user
Integrated cable MAN network
Java Array of class
Key Logger
Loading Tcp Mib library error
MS IAS
MS Windows SMB
Mail Server appliance
Mc Afee antivirus solutions
Netmeeting ports
Network Attached Server
Network Attached Storage
Online traffic control system
Outdoor Internet Camera
Panasonic 1232
Panasonic D1232
Panasonic KX-T7720
Performa Invoice
Prolific technology inc
Shared excell workbook
Tcp Mib
Technical Review procedures
Web page HTML picture opacity
What is outsourcing
What is software usability
Where is Windows Virtual Memory File
Windows 2k3 price list
alles kondeh
computer forensics and countries law
computer forensics companies products and services
countries top searches
defnce attorny evidence
differences between prpject management and project manager
eclipse
ethereal
ethical issues of criminal activities
forensics tools and software
free key logger
guten appetit
hard disk low level storage magnetic mechanism
hercules five myths
how to use test packages in NetBeans
magnetic flow
miriam webster
ndictionary
network interception using Cisco routers
open dictionary
sarbanha
uBR7200
waterfall development
what is chain of custody
wish you a merry cristmas

As you can see, many technical computer queries were sent to search engines, which suggests that the user is either interested in computer science or is an IT professional. Besides, he was looking for David Wang on the net, so there must be a connection between these two people. Moreover, the suspect searched for key loggers, which are illegal in most countries! Therefore, one might deduce that the suspect is an expert and was looking for key-logger software, perhaps for identity or information theft.
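The Foundstone tool read the formhistory.dat file that Firefox used in 2006; current Firefox profiles keep the same data in formhistory.sqlite. The following Python is added here as an example and is not part of the original article or of the Foundstone tool. It builds a constructed in-memory copy of that table (the moz_formhistory schema, the microsecond timestamps, and the search-box field names q, p and searchbar-history are assumptions) and groups entries by field name, so that subject lines, login fields and search terms can be reviewed separately, each with its last-used time converted to UTC.

```python
"""Triage Firefox form-history entries by field name (added example)."""
import sqlite3
from datetime import datetime, timezone

# Assumed schema of the moz_formhistory table in formhistory.sqlite.
SCHEMA = """
CREATE TABLE moz_formhistory (
    id INTEGER PRIMARY KEY,
    fieldname TEXT NOT NULL,
    value TEXT NOT NULL,
    timesUsed INTEGER,
    firstUsed INTEGER,
    lastUsed INTEGER,
    guid TEXT
);
"""

# Field names that commonly belong to search boxes (assumption: Google uses "q",
# Yahoo uses "p", Firefox's own search bar records "searchbar-history").
SEARCH_FIELDS = ("q", "p", "searchbar-history")

# Constructed sample rows: (fieldname, value, timesUsed, firstUsed, lastUsed).
# Timestamps are microseconds since the Unix epoch (early December 2006).
SAMPLE_ROWS = [
    ("Subj", "Fwd: Price-List", 1, 1_165_000_000_000_000, 1_165_000_000_000_000),
    ("Subj", "Re: Anti-Spam Features", 2, 1_165_100_000_000_000, 1_165_200_000_000_000),
    ("login", "sarbanha", 5, 1_164_000_000_000_000, 1_165_900_000_000_000),
    ("q", "what is chain of custody", 1, 1_165_500_000_000_000, 1_165_500_000_000_000),
    ("q", "Forensic compression", 1, 1_165_600_000_000_000, 1_165_600_000_000_000),
    ("p", "Dubai Hotels", 1, 1_165_700_000_000_000, 1_165_700_000_000_000),
]


def load_sample_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed)"
        " VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def prtime_to_iso(prtime):
    """Convert a microsecond Unix timestamp to an ISO-8601 UTC string."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()


def entries_by_field(conn):
    """Map each form field name to its values, oldest last-use first."""
    by_field = {}
    query = "SELECT fieldname, value, lastUsed FROM moz_formhistory ORDER BY lastUsed"
    for fieldname, value, last_used in conn.execute(query):
        by_field.setdefault(fieldname, []).append((value, prtime_to_iso(last_used)))
    return by_field


def search_terms(conn):
    """Return values typed into known search-box fields, in order of last use."""
    placeholders = ",".join("?" * len(SEARCH_FIELDS))
    query = (
        "SELECT value FROM moz_formhistory WHERE fieldname IN (%s) ORDER BY lastUsed"
        % placeholders
    )
    return [row[0] for row in conn.execute(query, SEARCH_FIELDS)]


if __name__ == "__main__":
    db = load_sample_db()
    for field, values in entries_by_field(db).items():
        print(field)
        for value, when in values:
            print("   ", when, value)
    print("search terms:", search_terms(db))
```

To run it against a real profile, replace the in-memory connection with `sqlite3.connect("file:formhistory.sqlite?mode=ro", uri=True)` on a copy of the file, so the evidence is never opened read-write.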

Rifiuti – A Recycle Bin Forensic Analysis Tool:
This is another program that I consider important. It helps investigators find out whether a deleted file was originally located where the suspect claims it was, and it may reveal a connection between the committed crime and the time of the file's deletion.
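Rifiuti reads the INFO2 index that Windows 2000 and XP keep in each Recycle Bin folder, which records the original path, drive and deletion time of every file moved there. The following Python is an added example, not Rifiuti's own code; it constructs an INFO2 image in memory and parses it back, so the deletion timestamp and original location can be compared with a suspect's account. The record layout (16-byte header, 800-byte records with the offsets listed in the comments) and the header fields are assumptions, and the sample records are constructed.

```python
"""Parse a Windows 2000/XP recycle-bin INFO2 index (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# Assumed INFO2 layout (the format Rifiuti analyses): a 16-byte header followed
# by 800-byte records. Offsets within each record:
#   0..259    original path, ANSI, NUL padded
#   260..263  record index, uint32 little-endian
#   264..267  drive number (0 = A:, 1 = B:, 2 = C:, ...)
#   268..275  deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
#   276..279  physical size in bytes
#   280..799  original path, UTF-16LE, NUL padded
HEADER_SIZE = 16
RECORD_SIZE = 800
FIXED_FIELDS = struct.Struct("<IIQI")  # index, drive, filetime, size at offset 260
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def build_record(index, drive, deleted_at, size, path):
    """Construct one 800-byte record for the sample image (not part of Rifiuti)."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\0")
    unicode_path = path.encode("utf-16-le")[:518].ljust(520, b"\0")
    fixed = FIXED_FIELDS.pack(index, drive, datetime_to_filetime(deleted_at), size)
    return ansi + fixed + unicode_path


def parse_info2(data):
    """Return one dict per record: index, drive letter, deletion time, size, path."""
    records = []
    for offset in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[offset:offset + RECORD_SIZE]
        index, drive, filetime, size = FIXED_FIELDS.unpack_from(rec, 260)
        # Prefer the Unicode path; fall back to the ANSI copy if it is empty.
        unicode_path = rec[280:].decode("utf-16-le", errors="replace").split("\0", 1)[0]
        ansi_path = rec[:260].split(b"\0", 1)[0].decode("cp1252", errors="replace")
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive) + ":",
            "deleted": filetime_to_datetime(filetime),
            "size": size,
            "path": unicode_path or ansi_path,
        })
    return records


def sample_info2():
    """Constructed INFO2 image with two records (header field meanings assumed)."""
    header = struct.pack("<IIII", 5, 0, 2, RECORD_SIZE)
    rec1 = build_record(1, 2, datetime(2006, 12, 10, 9, 15, tzinfo=timezone.utc), 4096,
                        r"C:\Documents and Settings\user\My Documents\price-list.xls")
    rec2 = build_record(2, 3, datetime(2006, 12, 12, 18, 40, 30, tzinfo=timezone.utc), 512,
                        r"D:\work\notes.txt")
    return header + rec1 + rec2


if __name__ == "__main__":
    for record in parse_info2(sample_info2()):
        print(record["deleted"].isoformat(), record["drive"], record["size"], record["path"])
```

Deletion times are stored in UTC; convert them to the suspect machine's configured time zone before comparing them with other artefacts, and check the recorded drive letter against the volume the file is claimed to have lived on.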

Forensic Toolkit:
This toolkit contains several other small tools that help reveal valuable information about files and other system state. One that I found useful is FileStat.exe; with this program we can obtain a great deal of detailed information about a specific file. Let's take a look at a sample output:

SD revision is 1 == SECURITY_DESCRIPTOR_REVISION1
SD's Owner is Not NULL
SD's Owner-Defaulted flag is FALSE
SID = THINKJAMMER/Mohammad Ali S-1-5-21--995922081--242068703-823878108-1005
SD's Group-Defaulted flag is FALSE
SID = THINKJAMMER/None S-1-5-21--995922081--242068703-823878108-513
SD's DACL is Present
SD's DACL-Defaulted flag is FALSE
ACL has 3 ACE(s), 88 bytes used, 0 bytes free
ACL revision is 2 == ACL_REVISION2
SID = THINKJAMMER/Mohammad Ali S-1-5-21--995922081--242068703-823878108-1005
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 size = 36
ACE 0 flags = 0x00
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 size = 20
ACE 1 flags = 0x00
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 size = 24
ACE 2 flags = 0x00
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SD's SACL is Not Present
Stream 1:
Type: Security
Stream name = Size: 164

Stream 2:
Type: Data
Stream name = Size: 5087

Stream 3:
Type: Unknown
Stream name = Size: 64

As you can see, it shows the user access properties of a file; this can be used to check whether a particular user is able to perform a given action. For example, the user Mohammad Ali can read, write, execute and delete the file, and can even change its permissions and take ownership of it (this can be learnt from ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN).

It also reveals the ownership of the file. One might argue that this information is available from Windows itself, but the main advantage of this program is its ability to retrieve the information and write it to standard output, from which we can store it in a text file or print it.
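Because FileStat writes plain text to standard output, its reports can be processed in bulk rather than read one by one. The Python below is an added example (not part of the Foundstone toolkit): it parses the report shown above, which is embedded here as sample input, decodes each ACE mask into the same right names FileStat prints, and answers the question the paragraph raises, namely which rights the DACL grants to a given SID. The mapping of the printed names to Windows access-right bits (R to FILE_READ_DATA, W to FILE_WRITE_DATA, X to FILE_EXECUTE, DEL_CHILD to FILE_DELETE_CHILD, D to DELETE, CHANGE_PERMS to WRITE_DAC, TAKE_OWN to WRITE_OWNER) is an assumption about the tool's output; the rights check below is simplified and does not expand group membership.

```python
"""Parse FileStat.exe output and decode ACE access masks (added example)."""
import re

# Assumed mapping from the right names FileStat prints to Windows access-mask bits.
RIGHT_BITS = (
    ("R", 0x00000001),             # FILE_READ_DATA
    ("W", 0x00000002),             # FILE_WRITE_DATA
    ("X", 0x00000020),             # FILE_EXECUTE
    ("DEL_CHILD", 0x00000040),     # FILE_DELETE_CHILD
    ("D", 0x00010000),             # DELETE
    ("CHANGE_PERMS", 0x00040000),  # WRITE_DAC
    ("TAKE_OWN", 0x00080000),      # WRITE_OWNER
)

SID_RE = re.compile(r"^SID = (.+?) (S-[\d-]+)$")
ACE_TYPE_RE = re.compile(r"^ACE (\d+) is an ACCESS_(ALLOWED|DENIED)_ACE_TYPE")
ACE_MASK_RE = re.compile(r"^ACE (\d+) mask = (0x[0-9a-fA-F]+)")
STREAM_TYPE_RE = re.compile(r"^Type: (\w+)")
STREAM_SIZE_RE = re.compile(r"Size: (\d+)")

# Sample input: the FileStat report from the article, with the ACE size/flags lines omitted.
SAMPLE_OUTPUT = """\
SD revision is 1 == SECURITY_DESCRIPTOR_REVISION1
SD's Owner is Not NULL
SD's Owner-Defaulted flag is FALSE
SID = THINKJAMMER/Mohammad Ali S-1-5-21--995922081--242068703-823878108-1005
SD's Group-Defaulted flag is FALSE
SID = THINKJAMMER/None S-1-5-21--995922081--242068703-823878108-513
SD's DACL is Present
SD's DACL-Defaulted flag is FALSE
ACL has 3 ACE(s), 88 bytes used, 0 bytes free
SID = THINKJAMMER/Mohammad Ali S-1-5-21--995922081--242068703-823878108-1005
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SD's SACL is Not Present
Stream 1:
Type: Security
Stream name = Size: 164
Stream 2:
Type: Data
Stream name = Size: 5087
Stream 3:
Type: Unknown
Stream name = Size: 64
"""


def decode_mask(mask):
    """Return the set of FileStat right names whose bits are set in mask."""
    return {name for name, bit in RIGHT_BITS if mask & bit}


def parse_filestat(text):
    """Extract owner, group, DACL entries and stream list from a FileStat report."""
    result = {"owner": None, "group": None, "aces": [], "streams": []}
    section, pending_sid, stream_type = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SD's Owner"):
            section = "owner"
        elif line.startswith("SD's Group"):
            section = "group"
        elif line.startswith("SD's DACL"):
            section = "dacl"
        if m := SID_RE.match(line):
            account = {"name": m.group(1), "sid": m.group(2)}
            if section == "owner":
                result["owner"] = account
            elif section == "group":
                result["group"] = account
            else:
                pending_sid = account  # a SID line precedes the ACE it belongs to
        elif m := ACE_TYPE_RE.match(line):
            result["aces"].append({"index": int(m.group(1)), "type": m.group(2),
                                   "account": pending_sid, "mask": 0, "rights": set()})
        elif m := ACE_MASK_RE.match(line):
            ace = result["aces"][-1]
            ace["mask"] = int(m.group(2), 16)
            ace["rights"] = decode_mask(ace["mask"])
        elif m := STREAM_TYPE_RE.match(line):
            stream_type = m.group(1)
        elif stream_type and (m := STREAM_SIZE_RE.search(line)):
            result["streams"].append((stream_type, int(m.group(1))))
            stream_type = None
    return result


def effective_rights(parsed, sid):
    """Rights the DACL grants directly to one SID: allowed bits minus denied bits."""
    allowed = denied = 0
    for ace in parsed["aces"]:
        if ace["account"] and ace["account"]["sid"] == sid:
            if ace["type"] == "ALLOWED":
                allowed |= ace["mask"]
            else:
                denied |= ace["mask"]
    return decode_mask(allowed & ~denied)


if __name__ == "__main__":
    report = parse_filestat(SAMPLE_OUTPUT)
    print("owner:", report["owner"]["name"])
    for ace in report["aces"]:
        print(ace["index"], ace["type"], ace["account"]["name"], sorted(ace["rights"]))
    print("streams:", report["streams"])
```

The stream list is worth keeping in the parsed record as well: a file whose only streams are Security and Data is ordinary, whereas extra named streams deserve a closer look during an examination.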

Note: This article is prepared for the University of Liverpool.
