Carving $J with scalpel and/or foremost

(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Hello everyone... wow, it's been ages since I last posted something here. Feels somewhat nostalgic :)

To be honest, posting this question I feel a little dumb, because I really can't figure out what my problem is with these two pieces of software that I can't get to work the way I want.

Basically my objective is to attempt to carve lost NTFS USN Journal records from the unallocated space, in the hope of finding some important information that can really give me a boost in a case I'm working on.

I've read a couple of articles on the topic, and found a bunch of things also on GitHub that helped me out in understanding the topic, but apparently it wasn't enough.

The most detailed one I could find was this article: http://forensicsfromthesausagefactory.blogspot.it/2010/08/usn-change-journal.html

Anyway.
I've downloaded and compiled the latest version of scalpel from the sleuthkit GitHub repository (2.1), which states that it supports regular expressions, and wrote the following signature rule:


usn y 641024 /\x00\x00\x02\x00\x00\x00.{31}\x01.{17}[\x00\x01]\x3C\x00/

The result is that it doesn't find anything.

A bit disappointed, I decided to test the rule on something that I'm sure contains USN Journal records: I extracted the $J ADS and ran scalpel on it again. Same result, nothing came out.. but I know that the $J ADS contains valid data, because I can properly parse it using appropriate parsing scripts.. so something is definitely wrong.

So here comes the question.
According to this image (sorry, but I couldn't find a proper way to provide a good visualization experience):
http://i.imgur.com/u3m2OeD.png

What is wrong? Isn't the regexp above supposed to match and properly carve the highlighted record in the image?

I've also tried using a signature without regular expressions with the good old foremost,
using the signature:


usn y 641024 \x00\x00\x02\x00\x00\x00???????????????????????????????\x01??????????????????\x00\x3C\x00
# usn y 641024 \x00\x00\x02\x00\x00\x00???????????????????????????????\x01??????????????????\x01\x3C\x00

But again.. nothing.

What am I doing wrong? I'm not a grand master of carving and regular expressions... maybe some of you gurus can give me some help on this.

Thanks in advance.

 
Posted : 24/08/2016 12:48 am
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

Your best bet is a one-two punch of running Joakim Schicht's UsnJrnlCarver against your input, followed by running his UsnJrnl2Csv against the carved data.

We've spent an enormous amount of time at Arsenal with Joakim's tools and there is no one more responsive in terms of bug reports and feature suggestions. Basically, if you haven't tried his tools, now is a good time!

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

 
Posted : 24/08/2016 1:20 am
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Didn't know someone wrote and published a USN journal record carver..

That's exactly what I needed! Thanks!

I'm giving it a shot running it against an output from blkls and will see what happens.

Thanks very much for the suggestion.

 
Posted : 24/08/2016 1:32 am
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

You're welcome and good luck! You may want to try MFT and INDX carving as well while you are at it. My last couple of articles in Digital Forensics Magazine discuss in detail how we have used active and carved NTFS metafile records in high-profile cases... if you get a chance, check the articles out and feel free to contact me as well.

 
Posted : 24/08/2016 1:36 am
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

In the meantime I took a quick look at the source code for the USN journal parser..

Apparently it looks for the header \x00\x00\x02\x00\x00\x00 without any further boundary check like the \x00\x3c landmark.

According to what I could notice by analyzing a USN journal in a hex editor, and by looking at the MSDN documentation for the USN Journal data structure, the entry signature should be something like this:

\x00\x00\x02\x00\x00\x00 header
31 uncategorized bytes
\x01
17 uncategorized bytes
\x00 or \x01
\x3c\x00

But I might be wrong, and this might be the reason why I can't carve out anything using it.

This is the reason why I asked, in the first place, whether in your (anyone in this forum's) opinion the regexp was correct, or if it had something wrong that could screw the result :)

Anyway, I'm running the USN journal carver now, let's see what I'll get :)
It'll take its time.

 
Posted : 24/08/2016 2:21 am
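As an added illustration (not code from the thread, nor from scalpel, foremost or Joakim Schicht's tools), the following Python applies the same byte pattern as the scalpel rule above and then validates each hit against the USN_RECORD_V2 layout: the record actually begins two bytes before the hit (the low word of RecordLength), and RecordLength, the version fields, FileNameLength and FileNameOffset have to agree with each other. The struct layout is taken from the Windows USN_RECORD_V2 definition; the sample buffer, file names and reference numbers are constructed for this example.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Same byte pattern as the thread's scalpel rule: record bytes 2..7 (RecordLength high
# word, MajorVersion 2, MinorVersion 0), FILETIME high byte 0x01 at offset 39,
# FileNameLength high byte at offset 57, FileNameOffset 0x003C at offsets 58..59.
USN_V2_SIG = re.compile(rb"\x00\x00\x02\x00\x00\x00.{31}\x01.{17}[\x00\x01]\x3C\x00", re.DOTALL)
HDR = struct.Struct("<IHHQQQQIIIIHH")  # the 60-byte USN_RECORD_V2 header, little-endian
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_usn_v2(buf, off):
    """Parse the record starting at buf[off]; return a dict, or None if it fails sanity checks."""
    if off < 0 or off + HDR.size > len(buf):
        return None
    (rec_len, major, minor, frn, _parent, usn, ftime, reason,
     _src, _sid, _attrs, name_len, name_off) = HDR.unpack_from(buf, off)
    # Checks the raw signature cannot express: version, 8-byte alignment, name fits in record.
    if major != 2 or minor != 0 or name_off != HDR.size:
        return None
    if rec_len % 8 or rec_len < HDR.size or rec_len > 600 or off + rec_len > len(buf):
        return None
    if name_len % 2 or name_off + name_len > rec_len:
        return None
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
    return {"usn": usn, "frn": frn & 0xFFFFFFFFFFFF, "reason": reason, "name": name,
            "time": FILETIME_EPOCH + timedelta(microseconds=ftime // 10)}

def carve_usn_v2(buf):
    """Return validated records; each signature hit starts 2 bytes into the record."""
    hits = (parse_usn_v2(buf, m.start() - 2) for m in USN_V2_SIG.finditer(buf))
    return [rec for rec in hits if rec]

def make_record(name, usn, when, reason=0x80000002):
    """Build a constructed USN_RECORD_V2 as test data (not taken from any real volume)."""
    fname = name.encode("utf-16-le")
    rec_len = (HDR.size + len(fname) + 7) & ~7  # records are padded to 8-byte multiples
    d = when - FILETIME_EPOCH
    ftime = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10  # 100ns units
    hdr = HDR.pack(rec_len, 2, 0, 0x1000000000123, 0x5000000000005, usn, ftime,
                   reason, 0, 0, 0x20, len(fname), HDR.size)
    return (hdr + fname).ljust(rec_len, b"\x00")

# Constructed "unallocated space": junk, a record, a decoy with a corrupted RecordLength
# (the signature still hits it, the parser rejects it), and a second record.
_decoy = bytearray(make_record("decoy.txt", 0x2000, datetime(2016, 8, 22, tzinfo=timezone.utc)))
_decoy[0:2] = b"\x07\x00"
SAMPLE = (b"\xAA" * 37 + make_record("notes.txt", 0x1000, datetime(2016, 8, 24, tzinfo=timezone.utc))
          + b"\x00" * 11 + bytes(_decoy)
          + make_record("evidence.docx", 0x1080, datetime(2016, 8, 23, tzinfo=timezone.utc)))
```

Running `carve_usn_v2(SAMPLE)` returns the two intact records and drops the decoy, which a signature-only carver would have emitted; the same validation can be applied to an unallocated-space dump such as blkls output.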
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

I haven't used regular expressions other than Joakim's to carve $UsnJrnl records, but I can tell you that it's not uncommon for us to recover millions of these records from unallocated space using the combination of UsnJrnlCarver and UsnJrnl2Csv.

It will take some time to go through the process of carving, parsing, and finally analyzing once dumped into a database (based on the typical volume of carved records from unallocated space, spreadsheet applications will probably not be an option), but I'm sure you'll find it worthwhile.

 
Posted : 24/08/2016 2:29 am
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Yes, it's almost finished processing the unallocated space from the partition image, and there will be tons of records.

Hopefully some bash or Python for grepping and filtering will do the job, as I already know exactly what I'm looking for.

 
Posted : 24/08/2016 3:41 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Also useful to know that you can carve these records with X-Ways and it will add these to the timeline view as events.

 
Posted : 24/08/2016 12:07 pm