I have a .msi file that I have mounted inside EnCase. Just like when I mount Office Documents, I get to see what's inside.
There are several children inside the compound volume container.
I see names in English like "Summary Information"
I also see a bunch of names that are null glyphs [] (just a box). Usually this is a font issue. I'm using a unicode font. I've got all my language settings within windows set to allow all languages (asian, etc).
If you wanna play along at home, XP machines with patches should have this file. The MD5 Hash is f42dddd518b982cd2bdb0af7d5171359
How do I display these entry names correctly? Do they even have a name that can be displayed? Is this another example of Microsoft not using their own standards?
If any of you have had this issue… respond letting me know I'm not the only one. Maybe the smart kids will help if I get enough "oh yeah I've always wondered about that" responses.
I also see a bunch of names that are null glyphs [] (just a box).
This really doesn't help much. It's clear that you're looking at an MSI file as if you'd opened it in a hex editor, but I'm not sure how you're getting "names that are null glyphs".
I opened a couple of MSI files in a hex editor and I see boxes in the translated information where the hex is 7F or 8F…but that's just a byte and not a name.
Can you elaborate on what you're seeing? Most times when someone says "name", one would expect a string of characters, but "just a box" indicates perhaps a single byte.
Thanks,
When I say name, I mean the name column in EnCase where I mount the file. For example, if I mount a MS word file, I see the following tree
winword.doc
- Compound Volume
- Root Entry
- author
- subject
blah, blah blah.
The tree is just a way for EnCase to display information that can be determined by manually looking at the file in hex, or by viewing the properties within windows explorer. If I knew what I was looking at inside a mounted .msi file, I could use a hex editor and figure it out, but I don't know what I'm looking at, so it makes it difficult. Methodologies for dealing with stuff like this are appreciated.
What started all this for me was an issue I was having concerning how non-latin characters are displayed in EnCase. The case I'm working had some non-latin Characters that were not being displayed properly. I determined my issue was that EnCase was not using a Unicode font. That problem was solved after I read a CEIC presentation from 2008 talking about language display issues in EnCase. (https://
I don't think the names are characters that correspond to what EnCase uses to display a null glyph character. The listing shows "names" with character length varying from 3 to 8 characters. I could be wrong on this.
When I realized the file I am examining is actually part of the known good hash set that we use, I realized the information is probably not malicious. However, I am still interested in determining why the info is displayed the way that it is.
If you'd like any more information, lemme know. Thanks for the quick response.
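The boxes have a concrete explanation that is worth a worked example. An MSI package is an OLE compound file, but Windows Installer does not store its table and column stream names as plain text: each 16-bit character of a stored name in the range U+3800 to U+483F packs one or two characters from a 64-symbol alphabet (digits, letters, "." and "_"), and U+4840 is a leading marker for table streams. Those code points fall inside the CJK Unified Ideographs Extension A block, which almost no font covers, so a viewer that reads the raw OLE directory entries (EnCase, a hex editor) draws one box per code point, while a standard stream such as SummaryInformation is stored literally and stays readable. This also explains the observed lengths: a name of 3 to 8 boxes carries roughly twice that many real characters. The decoder and encoder below are an added example written for this thread, not code from EnCase, Insted, Orca or any poster; the sample names in it are constructed.

```python
"""Decode and encode Windows Installer (MSI) stream names.

Added example for this thread (not from EnCase, Insted, Orca or any poster).
The packing rules are the ones used by MSI packages: one stored character in
U+4800..U+483F carries a single alphabet symbol, one in U+3800..U+47FF carries
two symbols (low 6 bits first), U+4840 marks a table stream, and any other
character is stored as-is.
"""

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_MARKER = "\u4840"   # leading marker on table streams
PAIR_BASE = 0x3800        # two symbols: PAIR_BASE + c1 + (c2 << 6)
SINGLE_BASE = 0x4800      # one symbol:  SINGLE_BASE + c1


def decode_stream_name(raw):
    """Return (is_table, name) for a raw OLE directory-entry name."""
    is_table = raw.startswith(TABLE_MARKER)
    if is_table:
        raw = raw[1:]
    out = []
    for ch in raw:
        cp = ord(ch)
        if SINGLE_BASE <= cp < SINGLE_BASE + 64:
            out.append(ALPHABET[cp - SINGLE_BASE])
        elif PAIR_BASE <= cp < SINGLE_BASE:
            v = cp - PAIR_BASE
            out.append(ALPHABET[v & 0x3F])
            out.append(ALPHABET[(v >> 6) & 0x3F])
        else:
            out.append(ch)  # e.g. "\x05SummaryInformation" is stored literally
    return is_table, "".join(out)


def encode_stream_name(name, is_table=False):
    """Inverse of decode_stream_name: pack a readable name the way MSI stores it."""
    out = [TABLE_MARKER] if is_table else []
    i = 0
    while i < len(name):
        c1 = ALPHABET.find(name[i]) if ord(name[i]) < 0x80 else -1
        if c1 < 0:
            out.append(name[i])  # not in the alphabet: store literally
            i += 1
            continue
        if i + 1 < len(name) and ord(name[i + 1]) < 0x80:
            c2 = ALPHABET.find(name[i + 1])
            if c2 >= 0:
                out.append(chr(PAIR_BASE + c1 + (c2 << 6)))
                i += 2
                continue
        out.append(chr(SINGLE_BASE + c1))
        i += 1
    return "".join(out)


def describe(raw):
    """Human-readable summary of one directory entry: boxes seen vs. real name."""
    is_table, name = decode_stream_name(raw)
    kind = "table" if is_table else "stream"
    return f"{len(raw)} stored chars -> {kind} {name!r}"


if __name__ == "__main__":
    # Constructed sample names, as they would appear in the OLE directory.
    samples = [
        encode_stream_name("_Tables", is_table=True),
        encode_stream_name("Property", is_table=True),
        "\x05SummaryInformation",
    ]
    for raw in samples:
        print(" ".join(f"U+{ord(c):04X}" for c in raw), "=>", describe(raw))
```

Running it shows why a name like "Property" appears as four boxes: two characters fit in each stored code point. Any tool that walks the OLE directory and applies this mapping (Orca, Insted and lessmsi all do) will show the real table names; a generic compound-file viewer will not.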
Since you're using EnCase, wouldn't it be a good idea to get on the EnCase forums, and search for this? I mean, what version of EnCase are you using, etc…there's still a lot of information that could come into play here, so maybe you can find some answers if you search the forums.
Good luck.
I have searched the EnCase forums. Perhaps you noticed I cited the EnCase forums above. Lots of reasons to ask this question outside of the EnCase forums. A couple are
- I think Forensic Focus is a larger community, so I can reach a larger audience for an answer.
- The answer may be a third party utility, so a post here has a higher chance to provide an answer or workaround as opposed to a feature request that I'll have to wait months for.
If you have suggestions on the answer, I appreciate hearing it.
I have found a Perl module that might be helpful…do you have a sample MSI file I could use for testing?
Thanks,
h
There are a couple of tools (freely) available to look at MSI files
(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, or
(2) Insted from http//
Neither are forensic tools, both are for editing of MSI files and contents, but used on a copy of your file might help your examination. Insted is probably easier to grab, since Orca requires download of the (large) SDK from MS (though you may also find it elsewhere, I don't know).
Hope that helps,
Phil.
Phil,
Thanks for the info! I see lots of data with insted that I could not see with EnCase, FTK 1.x, or FTK 2.x. Now I'm really curious why EnCase and FTK do not display this info correctly. I suppose those apps just use a generic mounting method that doesn't really apply to msi files.
Harlan,
I don't see a way to attach the file here. I sent an email to keydet89@yahoo.com. I think that used to be your email address. I'm walter127.0.0.1@gmail.com. If you'd rather I send it another way, just let me know.
Walter
Walter,
Phil,
Thanks for the info! I see lots of data with insted that I could not see with EnCase, FTK 1.x, or FTK 2.x. Now I'm really curious why EnCase and FTK do not display this info correctly. I suppose those apps just use a generic mounting method that doesn't really apply to msi files.
I think that the expectation in the community is that the big commercial suites do everything, even things that are not specifically listed in the feature set. What this usually leads to is the misconception that if EnCase doesn't do something (or do it correctly) that it can be done.
Harlan,
I don't see a way to attach the file here. I sent an email to keydet89@yahoo.com. I think that used to be your email address. I'm walter127.0.0.1@gmail.com. If you'd rather I send it another way, just let me know.
I received it and replied to you already. Thanks. I'm glad you found what you needed with the other tool.
Another tool to extract content from MSI is "Less MSIérables"
http//
It uses WIX (Microsoft stuff in open source) and can be used from the command line.