RVT v0.2.1  include new features and some little improvements:

• LNK files parsing
• Harlan Carvey, author of the well-known Windows Incident Response blog, has kindly provided us with brilliant Perl code to parse Windows event files (EVT extension). Thus RVT now integrates the script ‘evt’, which can output text versions of the EVT files (script evt generate); it can also generate some stats about each EVT (script evt report). We would like to sincerely thank Harlan for his support and his useful code.
• f-strings: an forensics version of Binutils strings command
• extended shell history
• and all the little changes and corrections published on this blog since v0.2
• updated User Guide

Read The Revealer Toolkit website for more information.

This will speed up the scanning for one case, that will be critical for RWA, although it raises other problems (configuration update time) that will be solved soon.

You know what binutils’ strings command do: extract printable characters from a binary file.  Although it supports various character sets (plain ascii, utf8, utf16, in little and big endian), only support one each time you execute it. And it is not very good with mixtures of character sets on the same file.

f-strings extracts sequences of all that seems a printable character out of a binary file, written in plain ASCII, utf8 or utf16 (little endian only). That means that usually will extract more noise than binutils’ strings, but only one execution is needed.

Moreover, f-strings translates special characters to their plain ASCII equivalents. For example, f-strings translates ‘á’, ‘Á’, ‘à’, ‘À’, ‘ä’, etc., to ‘a’. Also translates spanish and catalan special characters ( ‘ñ’ and ‘ç’  to  ’n’ and  ’c').

Finally, it lowercases all the output.

For example:

$ cat accentuated.txt
el sinvergüenza de José es un ñoño y es del barça

$ ./f-strings accentuated.txt
el sinverguenza de jose es un nono y es del barca

f-strings is open source (GNU/GPL v2.0), and can be downloaded from the Revealer Toolkit web page (here).

Here you have the f-strings’ help as printed with ‘f-strings -h‘:

Revealer Tools, forensic strings, 09-2009
USAGE: f-strings [-t] [-n <number> ] [-f]

-t Print the location of the string in base 10
-n Locate & print any sequence of printable characters
of at least characters (default 4)
-h Display this information

f-strings get a file and prints at stdout all printable characters
like binutils' strings function, BUT:
- convert all that 'seems' latin1, UTF-8 and UTF-16, little endian
to plain ASCII
- translates some special characters. For example, accented a's are translated
to the ASCII character 'a'. All vowels, plus spanish and catalan special
characters are translated
- lowercases all printable characters

known issues:
- only one file at each execution
- offset is printed only in base 10, so argument -t do not
accept subarguments, and '-t' is equivalent to '-t d' of
binutils' strings
- \x00 characters are ignored, so in a hard disk full of zeros
with 'Hey ' at the begining and 'Ho' at the end, f-strings will
extract the string 'Hey Ho'

more information at http://code.google.com/p/revealertoolkit/

Enjoy and feedback!

Also, some automatic reporting is begining to work, although will be greatly redesign in the next months. See RVT commands script report for more information.

Some other little improvements:

• greater command history (greater than one!)
• improvement of lock files (XML configuration, mainly)
• greater readpst verbosity on results
• little sketch for a web interface

RVT >  script lnk generate <disk>

and a CSV file on output/lnk will be created with info of all LNK files of the disk (with LNK extension). This command requires other command to be executed before:  script files allocfiles or an error will occur. Command dependencies is something we are working on and, I hope, will be solved in version 0.3.

This function depends also on the dumplnk.pl script adapted by Luis Gómez (RVT team member) from the original lnk-parse.pl, by Jacob Cunningham, all GNU/GPL (thanks, open source!), and distributed with RVT (look in the tools folder of the source code, or here)

Due to limitations in Google Code hosting, the VMWare is hosted in sourceforge.net:

• RVT-v0.2.tar.gz
• Authentication:   root / 12345  and  analyst / 12345

Log in as analyst and run RVT with the command:

$ rvt

• http://revealertoolkit.googlecode.com/files/RVT_v0.2.zip
• svn checkout http://revealertoolkit.googlecode.com/svn/branches/RVT-v0.2 RVT-v0.2-read-only

Also, User Guide has been greatly improved with examples and operational guides (see http://revealertoolkit.googlecode.com/files/RVT-userGuide.pdf ).

and finally, a Google Groups newsletter has been created and used for the community to share doubts, ideas and problems ( http://groups.google.com/group/revealertoolkit ). Do not hesitate to contact us!

Stay tunned because important improvements are planned for future versions.

plot_time.pl, located under the RVT/tools folder of the RVT’s svn repository (check it out), it’s a Perl script that plots bar graphs out of files in which each line contains values, being one of them time. It will be handful to represent values on time, or to count the numbers of lines by period of time. This script needs gnuplot 4.2 or greater on your path. Moreover, it uses the powerful Perl module Date::Manip to parse almost every known date format, and can be installed easily from CPAN or APT (apt-get installlibdate-manip-perl).

plot_time.pl works in two modes: representing values as a function of time (mode 1) and representing count of lines as a function of periods of time (integrates the appearance of values over every period defined).

Mode 1. Let’s be itimeline-02.csv a timeline generated with RVT, and let’s imagine that we want to represent graphically the size of the files, as a function of time, on July 5th 2008. We execute the following command:

perl plot_time.pl -interval=’20080705 + 1 day’ -tf 1 -vf 2 itimeline-02.csv

Where ‘tf’ option marks that the first field is the ‘time field’, and ‘vf’ option establishes that the value to be plotted is the second (file size). The following graph is generated:

plot_time.pl generated graph in Mode 1

Mode 2. This mode is activated with the ‘-sum’ option, and the period is established with ‘-period’ option, with anything that Date::Manip can understand (‘day’, ‘hour’, …). So, executing the following command on the same data:

perl plot_time.pl -interval=’20080705 + 1 day’ -tf 1 -sum -period=’hour’ itimeline-02.csv

generates the following graph:

plot_time.pl generated graph in Mode 2

Also:

• you can pipe your filtered timelines into plot_time.pl ( f.ex.:  grep -i ‘myfile.png’ itimeline-02.csv | perl plot_time.pl … )
• plot_time.pl skips comment lines, and also it can skip a number of lines with ‘-skiplines’ option
• plot_time.pl will ignore lines that match a regular expression when option ‘-excluderegexpr’ is used
• see plot_time.pl –help for more info

We are now planning some new features on plot_time.pl, so stay tunned!

• assign one, or more, iscsi nodes generated with f-response to linux devices. Documentation on open-iscsi commands are found elsewhere
• assigned devices can be seen with the following open-iscsi command:

iscsiadm -m session -P 3

• now, on your morgue/images/<case> directory, create a symbolic link to each of the devices, with the right RVT nomenclature (<case>-<device>-<disk>.dd).  Check the permissions!

# ln -s /dev/sdX 100xxx-yy-z.dd

• run RVT, scan your morgue and use all the functions at convinience!

RVT> images scanall

Feedback if you find problems!

The problem appears when an adquisition has to be done at your customer’s offices, and when digital evidences must be burned on CD and hashed  in front of your customer, the lawyer, the notary, the guy you are going to investigate …   on your shiny Mac. Here are the steps that i use on these special occasions:

• first, on the desktop, and create a Burn Folder right-clicking and selecting Burn Folder from the emergent menu
• i drag and drop on it all the files that will be included as electronic evidences on this chain of custody
• a double-click on the folder opens it. A button named Burn appearson the upper-right corner, so you can press it after introducing a blank CD or DVD

Now, the interesting stuff:  you need to calculate the hash and probably to burn identical copies with an identical cryptographic hash.

• introduce the CD or DVD and, on a terminal, write down the command  diskutil list that will provide  a list of devices used by your CD

$ diskutil list/dev/disk2
…

#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *6.8 Mi     disk2
1:     Apple_partition_scheme                         6.0 Mi     disk2s1
2:        Apple_partition_map                         31.5 Ki    disk2s1s1
3:                  Apple_HFS Carpeta de grabación   4.9 Mi     disk2s1s2

• install a hash command line tool. I use sha256deep included in the Mac Port md5deep (sudo port install md5deep)
• you must hash the Apple_partition_scheme associated raw device.  In this example, the associated raw device will be /dev/rdisk2s1  . Be careful in using  rdisk, not disk, because the second requires you to unmount the CD:

$ sha256deep /dev/rdisk2s1

108143e8b1460cc2e8983bcc06cf792ea9837174c203c8cd4ab50ee87c9c5d9d  /dev/rdisk2s1

Making copies of the CD:

• For some reason i don’t know, a dd command won’t work, so i use cat:

$ cat /dev/rdisk2s1 > image.cdr

• check the hash:

$ sha256deep image.cdr

108143e8b1460cc2e8983bcc06cf792ea9837174c203c8cd4ab50ee87c9c5d9d  image.cdr

• and burn the image so many times you need it with Toaster or Disk Utility

Note:

• this method will also work  with monosession CD recorded elsewhere. In those cases, diskutil should not show the Apple partition scheme but the data directly after the CD scheme:

/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *785.4 Mi   disk2
1:              CD_ROM_Mode_1 wifislax-3.1            683.9 Mi   disk2s0