null glyphs in mounted .msi files

null glyphs in mounted .msi files

Posted: Fri Aug 21, 2009 11:28 am

I have a .msi file that I have mounted inside EnCase. Just like when I mount Office Documents, I get to see what's inside.

There are several children inside the compound volume container.

I see names in English like "Summary Information"

I also see a bunch of names that are null glyphs [] (just a box). Usually this is a font issue. I'm using a Unicode font. I've got all my language settings within Windows set to allow all languages (Asian, etc.).

If you wanna play along at home, XP machines with patches should have this file. The MD5 Hash is: f42dddd518b982cd2bdb0af7d5171359

How do I display these entry names correctly? Do they even have a name that can be displayed? Is this another example of Microsoft not using their own standards?

If any of you have had this issue... respond letting me know I'm not the only one. Maybe the smart kids will help if I get enough "oh yeah I've always wondered about that" responses.  

walter127.0.0.1
Newbie

Re: null glyphs in mounted .msi files

Posted: Fri Aug 21, 2009 1:03 pm

walter127.0.0.1 wrote:
    I also see a bunch of names that are null glyphs [] (just a box).

This really doesn't help much. It's clear that you're looking at an MSI file as if you'd opened it in a hex editor, but I'm not sure how you're getting "names that are null glyphs".

I opened a couple of MSI files in a hex editor and I see boxes in the translated information where the hex is 7F or 8F...but that's just a byte and not a name.

Can you elaborate on what you're seeing? Most times when someone says "name", one would expect a string of characters, but "just a box" indicates perhaps a single byte.

Thanks,  

keydet89
Senior Member

Re: null glyphs in mounted .msi files

Posted: Fri Aug 21, 2009 2:32 pm

When I say name, I mean the name column in EnCase where I mount the file. For example, if I mount a MS word file, I see the following tree:
winword.doc
- Compound Volume
- Root Entry
- author
- subject
blah, blah blah.

The tree is just a way for EnCase to display information that can be determined by manually looking at the file in hex, or by viewing the properties within Windows Explorer. If I knew what I was looking at inside a mounted .msi file, I could use a hex editor and figure it out, but I don't know what I'm looking at, so it makes it difficult. Methodologies for dealing with stuff like this are appreciated.

What started all this for me was an issue I was having concerning how non-Latin characters are displayed in EnCase. The case I'm working had some non-Latin characters that were not being displayed properly. I determined my issue was that EnCase was not using a Unicode font. That problem was solved after I read a CEIC presentation from 2008 talking about language display issues in EnCase (https://support.guidancesoftware.com/node/1537). This is where I discovered the term null glyph. I'm glad I have a phrase to use to describe this behavior. The behavior described is when a character cannot be displayed because the font does not support it. EnCase shows a box; the Windows command prompt shows question marks.

I don't think the names are characters that correspond to what EnCase uses to display a null glyph character. The listing shows "names" with character length varying from 3 to 8 characters. I could be wrong on this.

When I realized the file I am examining is actually part of the known good hash set that we use, I realized the information is probably not malicious. However, I am still interested in determining why the info is displayed the way that it is.

If you'd like any more information, lemme know. Thanks for the quick response.  

walter127.0.0.1
Newbie
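
The boxes described in this post have a concrete cause that the thread itself does not reach: Windows Installer stores its table and stream names in the compound file using its own packing scheme, which maps two characters of the name into one UTF-16 code unit in the U+3800 to U+4840 range (inside CJK Unified Ideographs Extension A, which most fonts have no glyphs for), while standard OLE streams such as "\x05SummaryInformation" are stored literally. The decoder below is an added example, not code from this thread or from EnCase; it follows the scheme as implemented by open-source MSI readers (Wine's msi.dll, libmsi, 7-Zip), and the sample names are constructed.

```python
# Added example: decode and encode Windows Installer (MSI) stream names (scheme as in Wine/libmsi/7-Zip).
MSI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
MSI_BASE = 0x3800    # one code unit here packs two name characters (64 x 64 values)
MSI_SINGLE = 0x4800  # one code unit here carries a single trailing character
MSI_TABLE = 0x4840   # leading code unit that marks a database table stream


def decode_msi_stream_name(raw: str) -> str:
    """Turn the raw UTF-16 stream name into readable text ('!' marks a table)."""
    out = []
    for ch in raw:
        cp = ord(ch)
        if cp == MSI_TABLE:
            out.append("!")                       # 7-Zip's convention for the table marker
        elif MSI_SINGLE <= cp < MSI_TABLE:
            out.append(MSI_ALPHABET[cp - MSI_SINGLE])
        elif MSI_BASE <= cp < MSI_SINGLE:
            v = cp - MSI_BASE
            out.append(MSI_ALPHABET[v & 0x3F])    # low 6 bits: first character
            out.append(MSI_ALPHABET[v >> 6])      # high 6 bits: second character
        else:
            out.append(ch)                        # unencoded, e.g. "\x05SummaryInformation"
    return "".join(out)


def encode_msi_stream_name(name: str, table: bool = False) -> str:
    """Inverse of decode: pack alphabet characters two per code unit."""
    out = [chr(MSI_TABLE)] if table else []
    i = 0
    while i < len(name):
        c1 = MSI_ALPHABET.find(name[i])
        if c1 < 0:                                # not in the alphabet: stored as is
            out.append(name[i])
            i += 1
            continue
        c2 = MSI_ALPHABET.find(name[i + 1]) if i + 1 < len(name) else -1
        if c2 < 0:
            out.append(chr(MSI_SINGLE + c1))
            i += 1
        else:
            out.append(chr(MSI_BASE + c1 + (c2 << 6)))
            i += 2
    return "".join(out)


def uses_msi_range(raw: str) -> bool:
    # True if the name contains MSI-packed code units (the ones a font draws as boxes).
    return any(MSI_BASE <= ord(ch) <= MSI_TABLE for ch in raw)


if __name__ == "__main__":
    # Constructed sample: the raw name of the "_Tables" stream and a standard OLE stream.
    for raw in ("\u4840\u3f7f\u4164\u422f\u4836", "\x05SummaryInformation"):
        print(f"{raw!r:40} boxes={uses_msi_range(raw)} -> {decode_msi_stream_name(raw)!r}")
```

With the `olefile` package, the raw names returned by `OleFileIO(path).listdir()` can be passed straight to the decoder.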

Re: null glyphs in mounted .msi files

Posted: Fri Aug 21, 2009 3:22 pm

Since you're using EnCase, wouldn't it be a good idea to get on the EnCase forums, and search for this? I mean, what version of EnCase are you using, etc...there's still a lot of information that could come into play here, so maybe you can find some answers if you search the forums.

Good luck.  

keydet89
Senior Member

Re: null glyphs in mounted .msi files

Posted: Mon Aug 24, 2009 7:23 am

I have searched the EnCase forums. Perhaps you noticed I cited the EnCase forums above. Lots of reasons to ask this question outside of the EnCase forums. A couple are:

- I think Forensic Focus is a larger community, so I can reach a larger audience for an answer.

- The answer may be a third party utility, so a post here has a higher chance to provide an answer or workaround as opposed to a feature request that I'll have to wait months for.

If you have suggestions on the answer, I appreciate hearing it.  

walter127.0.0.1
Newbie

Re: null glyphs in mounted .msi files

Posted: Mon Aug 24, 2009 8:11 am

I have found a Perl module that might be helpful...do you have a sample MSI file I could use for testing?

Thanks,

h  

keydet89
Senior Member

Re: null glyphs in mounted .msi files

Posted: Mon Aug 24, 2009 9:07 am

There are a couple of tools (freely) available to look at MSI files:

(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, or

(2) Insted from www.instedit.com/

Neither are forensic tools; both are for editing MSI files and their contents, but used on a copy of your file they might help your examination. Insted is probably easier to grab, since Orca requires download of the (large) SDK from MS (though you may also find it elsewhere, I don't know).

Hope that helps,

Phil.  

pwakely
Member