null glyphs in mounted .msi files

10 Posts
4 Users
0 Likes
498 Views
(@walter127-0-0-1)
Posts: 8
Active Member
Topic starter
 

I have a .msi file that I have mounted inside EnCase. Just like when I mount Office Documents, I get to see what's inside.

There are several children inside the compound volume container.

I see names in English like "Summary Information"

I also see a bunch of names that are null glyphs [] (just a box). Usually this is a font issue. I'm using a unicode font. I've got all my language settings within windows set to allow all languages (asian, etc).

If you wanna play along at home, XP machines with patches should have this file. The MD5 Hash is f42dddd518b982cd2bdb0af7d5171359

How do I display these entry names correctly? Do they even have a name that can be displayed? Is this another example of Microsoft not using their own standards?

If any of you have had this issue… respond letting me know I'm not the only one. Maybe the smart kids will help if I get enough "oh yeah I've always wondered about that" responses.

 
Posted : 21/08/2009 10:28 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I also see a bunch of names that are null glyphs [] (just a box).

This really doesn't help much. It's clear that you're looking at an MSI file as if you'd opened it in a hex editor, but I'm not sure how you're getting "names that are null glyphs".

I opened a couple of MSI files in a hex editor and I see boxes in the translated information where the hex is 7F or 8F…but that's just a byte and not a name.

Can you elaborate on what you're seeing? Most times when someone says "name", one would expect a string of characters, but "just a box" indicates perhaps a single byte.

Thanks,

 
Posted : 22/08/2009 12:03 am
(@walter127-0-0-1)
Posts: 8
Active Member
Topic starter
 

When I say name, I mean the name column in EnCase where I mount the file. For example, if I mount a MS word file, I see the following tree
winword.doc
- Compound Volume
- Root Entry
- author
- subject
blah, blah blah.

The tree is just a way for EnCase to display information that can be determined by manually looking at the file in hex, or by viewing the properties within Windows Explorer. If I knew what I was looking at inside a mounted .msi file, I could use a hex editor and figure it out, but I don't know what I'm looking at, so it makes it difficult. Methodologies for dealing with stuff like this are appreciated.

What started all this for me was an issue I was having concerning how non-Latin characters are displayed in EnCase. The case I'm working had some non-Latin characters that were not being displayed properly. I determined my issue was that EnCase was not using a Unicode font. That problem was solved after I read a CEIC presentation from 2008 talking about language display issues in EnCase (https://support.guidancesoftware.com/node/1537). This is where I discovered the term null glyph. I'm glad I have a phrase to use to describe this behavior. The behavior described is when a character cannot be displayed because the font does not support it. EnCase shows a box, Windows command prompt shows question marks.

I don't think the names are characters that correspond to what EnCase uses to display a null glyph character. The listing shows "names" with character length varying from 3 to 8 characters. I could be wrong on this.

When I realized the file I am examining is actually part of the known good hash set that we use, I realized the information is probably not malicious. However, I am still interested in determining why the info is displayed the way that it is.

If you'd like any more information, lemme know. Thanks for the quick response.

 
Posted : 22/08/2009 1:32 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Since you're using EnCase, wouldn't it be a good idea to get on the EnCase forums, and search for this? I mean, what version of EnCase are you using, etc…there's still a lot of information that could come into play here, so maybe you can find some answers if you search the forums.

Good luck.

 
Posted : 22/08/2009 2:22 am
(@walter127-0-0-1)
Posts: 8
Active Member
Topic starter
 

I have searched the EnCase forums. Perhaps you noticed I cited the EnCase forums above. Lots of reasons to ask this question outside of the EnCase forums. A couple are

- I think Forensic Focus is a larger community, so I can reach a larger audience for an answer.

- The answer may be a third party utility, so a post here has a higher chance to provide an answer or workaround as opposed to a feature request that I'll have to wait months for.

If you have suggestions on the answer, I appreciate hearing it.

 
Posted : 24/08/2009 6:23 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I have found a Perl module that might be helpful…do you have a sample MSI file I could use for testing?

Thanks,

h

 
Posted : 24/08/2009 7:11 pm
(@pwakely)
Posts: 37
Eminent Member
 

There are a couple of tools (freely) available to look at MSI files

(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, or

(2) Insted from http://www.instedit.com/

Neither are forensic tools, both are for editing of MSI files and contents, but used on a copy of your file they might help your examination. Insted is probably easier to grab, since Orca requires download of the (large) SDK from MS (though you may also find it elsewhere, I don't know).

Hope that helps,

Phil.

 
Posted : 24/08/2009 8:07 pm
(@walter127-0-0-1)
Posts: 8
Active Member
Topic starter
 

Phil,
Thanks for the info! I see lots of data with Insted that I could not see with EnCase, FTK 1.x, or FTK 2.x. Now I'm really curious why EnCase and FTK do not display this info correctly. I suppose those apps just use a generic mounting method that doesn't really apply to .msi files.

Harlan,
I don't see a way to attach the file here. I sent an email to keydet89@yahoo.com. I think that used to be your email address. I'm walter127.0.0.1@gmail.com. If you'd rather I send it another way, just let me know.

Walter

 
Posted : 26/08/2009 7:42 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Walter,

Phil,
Thanks for the info! I see lots of data with Insted that I could not see with EnCase, FTK 1.x, or FTK 2.x. Now I'm really curious why EnCase and FTK do not display this info correctly. I suppose those apps just use a generic mounting method that doesn't really apply to .msi files.

I think that the expectation in the community is that the big commercial suites do everything, even things that are not specifically listed in the feature set. What this usually leads to is the misconception that if EnCase doesn't do something (or do it correctly) that it can be done.

Harlan,
I don't see a way to attach the file here. I sent an email to keydet89@yahoo.com. I think that used to be your email address. I'm walter127.0.0.1@gmail.com. If you'd rather I send it another way, just let me know.

I received it and replied to you already. Thanks. I'm glad you found what you needed with the other tool.

 
Posted : 26/08/2009 8:26 pm
(@juju22)
Posts: 3
New Member
 

Another tool to extract content from MSI is "Less MSIérables"

http://blogs.pingpoet.com/overflow/archive/2005/06/02/2449.aspx

It uses WiX (Microsoft's open-source installer toolset) and can be used from the command line.

 
Posted : 28/08/2009 2:27 am
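The boxes Walter describes in his earlier post, and the readable names that Insted and lessmsi show for the same streams, come from one detail of the .msi format that the thread never spells out: Windows Installer stores its stream names inside the OLE compound file in a packed form, mapping pairs of name characters onto UTF-16 code units in the range U+3800..U+47FF, single characters onto U+4800..U+483F, and using U+4840 as a marker for database table streams. Those code points sit in the CJK Unified Ideographs Extension A block, which most fonts do not cover, so a generic compound-file viewer shows a run of null glyphs. The decoder below is an added example written for this thread; it is not code from the original posts, from EnCase, from Insted or from lessmsi, and it follows the scheme implemented by open-source MSI readers such as Wine's msi.dll and lessmsi. The sample stream names at the bottom are constructed, not taken from the file Walter mentions.

```python
"""Decode the packed stream names that Windows Installer (.msi) files
store inside their OLE compound document.

Scheme (as implemented by open-source MSI readers such as Wine and lessmsi):
  U+3800..U+47FF  -> two characters of a 64-symbol alphabet
  U+4800..U+483F  -> one character of that alphabet
  U+4840          -> prefix marking a database table stream
Anything else is passed through unchanged.
"""
from typing import List, Tuple

# 64-symbol alphabet: digits, upper, lower, '.', '_' (index order matters).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_PREFIX = 0x4840
PAIR_BASE, SINGLE_BASE = 0x3800, 0x4800


def encode_stream_name(name: str, table: bool = False) -> str:
    """Pack a plain stream name; the inverse of decode_stream_name.

    Used here only to build sample input. Characters outside ALPHABET
    are left as-is, which is also what the decoder expects.
    """
    out = [chr(TABLE_PREFIX)] if table else []
    i = 0
    while i < len(name):
        a = ALPHABET.find(name[i])
        if a < 0:                       # not encodable: pass through
            out.append(name[i])
            i += 1
            continue
        b = ALPHABET.find(name[i + 1]) if i + 1 < len(name) else -1
        if b >= 0:                      # two symbols fit in one code unit
            out.append(chr(PAIR_BASE + a + (b << 6)))
            i += 2
        else:                           # trailing single symbol
            out.append(chr(SINGLE_BASE + a))
            i += 1
    return "".join(out)


def decode_stream_name(encoded: str) -> Tuple[str, bool]:
    """Return (plain name, is_table) for a raw compound-file stream name."""
    out: List[str] = []
    is_table = False
    for ch in encoded:
        c = ord(ch)
        if c == TABLE_PREFIX:
            is_table = True
        elif PAIR_BASE <= c < SINGLE_BASE:
            c -= PAIR_BASE
            out.append(ALPHABET[c & 0x3F])          # low 6 bits: first char
            out.append(ALPHABET[(c >> 6) & 0x3F])   # next 6 bits: second char
        elif SINGLE_BASE <= c < TABLE_PREFIX:
            out.append(ALPHABET[c - SINGLE_BASE])
        else:
            out.append(ch)                          # ordinary character
    return "".join(out), is_table


def is_msi_encoded(name: str) -> bool:
    """True if the name contains any code unit from the packed range.

    This is the check a viewer would need in order to know that a run of
    boxes is a packed MSI name rather than a font problem.
    """
    return any(PAIR_BASE <= ord(ch) <= TABLE_PREFIX for ch in name)


def decode_listing(raw_names: List[str]) -> List[Tuple[str, str, bool]]:
    """Decode a directory listing: (raw, decoded, is_table) per entry."""
    return [(raw,) + decode_stream_name(raw) for raw in raw_names]


if __name__ == "__main__":
    # Constructed sample listing. "\x05SummaryInformation" is the standard
    # OLE property-set stream name (the one EnCase labels "Summary Information")
    # and is stored unpacked; the other two are packed the way an .msi does it.
    sample = [
        "\x05SummaryInformation",
        encode_stream_name("Property", table=True),
        encode_stream_name("Binary.Icon"),
    ]
    for raw, plain, table in decode_listing(sample):
        kind = "table" if table else "stream"
        print(f"{len(raw):2d} code units  packed={is_msi_encoded(raw)!s:5}  "
              f"{kind:6}  {plain!r}")
```

The output column "code units" is the length EnCase would show as boxes: a packed name is roughly half the length of the plain one, which matches the 3-to-8-character runs described earlier in the thread. Feeding real entries into `decode_listing` means reading the compound-file directory (for instance with a CFB parser such as `olefile`) and passing each entry's name through unchanged; nothing in the format needs the font to change.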