null glyphs in mounted .msi files


Post Posted: Aug 21, 09 22:28

I have a .msi file that I have mounted inside EnCase. Just like when I mount Office Documents, I get to see what's inside.

There are several children inside the compound volume container.

I see names in English like "Summary Information"

I also see a bunch of names that are null glyphs [] (just a box). Usually this is a font issue. I'm using a Unicode font. I've got all my language settings within Windows set to allow all languages (Asian, etc).

If you wanna play along at home, XP machines with patches should have this file. The MD5 Hash is: f42dddd518b982cd2bdb0af7d5171359

How do I display these entry names correctly? Do they even have a name that can be displayed? Is this another example of Microsoft not using their own standards?

If any of you have had this issue... respond letting me know I'm not the only one. Maybe the smart kids will help if I get enough "oh yeah I've always wondered about that" responses.  

Senior Member

Re: null glyphs in mounted .msi files

Post Posted: Aug 22, 09 00:03

- walter127.0.0.1

I also see a bunch of names that are null glyphs [] (just a box).

This really doesn't help much. It's clear that you're looking at an MSI file as if you'd opened it in a hex editor, but I'm not sure how you're getting "names that are null glyphs".

I opened a couple of MSI files in a hex editor and I see boxes in the translated information where the hex is 7F or 8F...but that's just a byte and not a name.

Can you elaborate on what you're seeing? Most times when someone says "name", one would expect a string of characters, but "just a box" indicates perhaps a single byte.



Re: null glyphs in mounted .msi files

Post Posted: Aug 22, 09 01:32

When I say name, I mean the name column in EnCase where I mount the file. For example, if I mount a MS word file, I see the following tree:
- Compound Volume
- Root Entry
- author
- subject
blah, blah blah.

The tree is just a way for EnCase to display information that can be determined by manually looking at the file in hex, or by viewing the properties within Windows Explorer. If I knew what I was looking at inside a mounted .msi file, I could use a hex editor and figure it out, but I don't know what I'm looking at, so it makes it difficult. Methodologies for dealing with stuff like this are appreciated.

What started all this for me was an issue I was having concerning how non-Latin characters are displayed in EnCase. The case I'm working had some non-Latin characters that were not being displayed properly. I determined my issue was that EnCase was not using a Unicode font. That problem was solved after I read a CEIC presentation from 2008 talking about language display issues in EnCase. (https://support.guidancesoftware.com/node/1537). This is where I discovered the term null glyph. I'm glad I have a phrase to use to describe this behavior. The behavior described is when a character cannot be displayed because the font does not support it. EnCase shows a box, Windows command prompt shows question marks.

I don't think the names are characters that correspond to what EnCase uses to display a null glyph character. The listing shows "names" with character length varying from 3 to 8 characters. I could be wrong on this.

When I realized the file I am examining is actually part of the known good hash set that we use, I realized the information is probably not malicious. However, I am still interested in determining why the info is displayed the way that it is.

If you'd like any more information, lemme know. Thanks for the quick response.  
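Added example, not part of the thread: one likely cause of names like these is that Windows Installer packs its stream names into code points U+3800 to U+4840 (the scheme as implemented in open-source MSI readers), which many fonts render as boxes. The sketch below reads the name from a raw 128-byte compound-file directory entry, as you would see it in a hex editor, and unpacks it; that the poster's file uses this packing is an assumption, and both sample entries are constructed.

```python
import struct

# 6-bit alphabet of the packing: value 0..63 -> character
ALPHABET = ("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz._")

def entry_name(dir_entry: bytes) -> str:
    """Name field of a 128-byte compound-file directory entry.

    The name is UTF-16LE in the first 64 bytes; the 16-bit value at
    offset 0x40 is its length in bytes, including the terminating null.
    """
    (nbytes,) = struct.unpack_from("<H", dir_entry, 0x40)
    if not 2 <= nbytes <= 64 or nbytes % 2:
        raise ValueError("unused or malformed directory entry")
    return dir_entry[:nbytes - 2].decode("utf-16-le")

def decode_msi_name(raw: str):
    """Return (readable name, is_table) for a packed MSI stream name."""
    is_table = raw.startswith("\u4840")      # prefix marking a table stream
    out = []
    for ch in raw[1:] if is_table else raw:
        cp = ord(ch)
        if 0x3800 <= cp < 0x4800:            # two characters in one code unit
            v = cp - 0x3800
            out.append(ALPHABET[v & 0x3F] + ALPHABET[v >> 6])
        elif 0x4800 <= cp < 0x4840:          # one character
            out.append(ALPHABET[cp - 0x4800])
        else:                                # not packed: keep as stored
            out.append(ch)
    return "".join(out), is_table

def report(dir_entry: bytes) -> dict:
    """Code points as stored, plus the unpacked name, for one entry."""
    raw = entry_name(dir_entry)
    name, is_table = decode_msi_name(raw)
    return {"code_points": " ".join(f"U+{ord(c):04X}" for c in raw),
            "decoded": name, "table": is_table}

def make_entry(code_points) -> bytes:
    """Build a constructed 128-byte entry holding only a name (test data)."""
    name = "".join(map(chr, code_points)).encode("utf-16-le") + b"\0\0"
    return name.ljust(64, b"\0") + struct.pack("<H", len(name)) + bytes(62)

# Constructed samples: a packed table name and an ordinary OLE stream name
PACKED = make_entry([0x4840, 0x3F3F, 0x4577, 0x446C, 0x3B6A, 0x45E4, 0x4824])
PLAIN = make_entry([0x05] + [ord(c) for c in "SummaryInformation"])

if __name__ == "__main__":
    for entry in (PACKED, PLAIN):
        print(report(entry))
```

Listing the stored code points next to the unpacked name shows whether a box is a font gap over a packed name or a genuinely non-printable character, such as the leading 0x05 of the summary stream.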

Senior Member

Re: null glyphs in mounted .msi files

Post Posted: Aug 22, 09 02:22

Since you're using EnCase, wouldn't it be a good idea to get on the EnCase forums, and search for this? I mean, what version of EnCase are you using, etc...there's still a lot of information that could come into play here, so maybe you can find some answers if you search the forums.

Good luck.  


Re: null glyphs in mounted .msi files

Post Posted: Aug 24, 09 18:23

I have searched the EnCase forums. Perhaps you noticed I cited the EnCase forums above. Lots of reasons to ask this question outside of the EnCase forums. A couple are:

- I think Forensic Focus is a larger community, so I can reach a larger audience for an answer.

- The answer may be a third party utility, so a post here has a higher chance to provide an answer or workaround as opposed to a feature request that I'll have to wait months for.

If you have suggestions on the answer, I appreciate hearing it.  

Senior Member

Re: null glyphs in mounted .msi files

Post Posted: Aug 24, 09 19:11

I have found a Perl module that might be helpful...do you have a sample MSI file I could use for testing?




Re: null glyphs in mounted .msi files

Post Posted: Aug 24, 09 20:07

There are a couple of tools (freely) available to look at MSI files:

(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, or

(2) InstEd from www.instedit.com/

Neither is a forensic tool, both are for editing of MSI files and contents, but used on a copy of your file might help your examination. InstEd is probably easier to grab, since Orca requires download of the (large) SDK from MS (though you may also find it elsewhere, I don't know).

Hope that helps,

