ckm File Extension from 2009

 
  

Kaly
Newbie
 

ckm File Extension from 2009

Post Posted: Oct 04, 19 19:00

I have an old case we are working on that has potential passwords saved inside of a file with a file extension of ckm. We've searched but could only find information from after the creation date on these files. Wondering if anyone here has heard of an old file that had a ckm extension, and if so, what is it? My other thought is that the suspect has changed the file extension on these files, but I have to locate the actual files still. I only have a spreadsheet that has them listed to know that they "exist". TIA  
 
  

jaclaz
Senior Member
 

Re: ckm File Extension from 2009

Post Posted: Oct 04, 19 19:31

Did you already exclude that it is a "known" file with a changed extension?
I.e. "file" on Linux and Trid on Windows? (or similar)
mark0.net/soft-trid-e.html

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Kaly
Newbie
 

Re: ckm File Extension from 2009

Post Posted: Oct 04, 19 19:32

No, because I don't actually have the files yet. I only have the file listing stating that these files exist.  
 
  

athulin
Senior Member
 

Re: ckm File Extension from 2009

Post Posted: Oct 05, 19 05:53

- Kaly
Wondering if anyone here has heard of an old file that had a ckm extension, and if so, what is it? My other thought is that the suspect has changed the file extension on these files, but I have to locate the actual files still.


First off, throw away any idea that file extension always is a 'tell' to what the file contains. It may provide a hint, but as software developers tend to use their own extensions with little or no regard to if anyone has ever used it before, you can't really say anything about some particular extension that has any reasonable degree of confidence. If you know the software platform, you may be more confident about some extensions (such as .EXE on Windows), but you probably need to check that it conforms to a file type the loader understands.

That is, if you're asked 'We found a file with .CKM extension and a possible password inside. Do you know what it is?' The only reasonable answer is 'No'.

You may have a list of software that is known to use such a file ... but the answer is still 'no', because there are surely far more out there that use that extension that's not on your list.

You didn't say what you tried before you posted ... so I may be repeating stuff you already attempted.

Idea: Check registry on the system. It may be associated with a product.

Idea: Look through the NIST NSRL hashes for files that end in .ckm. While it may appear to be enough to check legacy hashes, don't skip the current ones. Then identify the relevant product for any hits.

Idea: If you have access to some kind of CD archive (there is one at archive.org that I haven't looked at for years), search for content with .ckm in file names. I have looked over my private collection (which is basically a lot of MSDN disks along with lots and lots of game CDs, magazine CDs, AOL CD's and similar stuff that normal people throw away), without finding anything.

I'm not sure if Bit9 still offer their fileadvisor product/service (they're Carbon Black nowadays). They collected file hashes from all over the internet, and usually had lots of stuff that never showed up elsewhere. It was usually possible to do one or two searches for free. Again, haven't used it since their fileadvisor app stopped working.

Idea: Check over some really big FTP search engine. Mamont.ru? Or similar. They usually have lots of stuff. Some care is advised ... you may not want to connect from an office computer. I've never had any problem myself, but ...
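
The NSRL lookup suggested in the post above, as an added example that is not part of the original thread: it scans an NSRL file listing for names ending in a given extension and joins each hit to its product record. It assumes the legacy RDS 2.x comma-separated layout (NSRLFile.txt and NSRLProd.txt); the rows, hashes and product names below are constructed sample data, not real NSRL entries.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the legacy NSRL RDS 2.x text layout (not real NSRL data).
NSRL_FILE = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"0000000000000000000000000000000000000001","00000000000000000000000000000001","00000001","image_1.ckm",1048576,9001,"WIN",""
"0000000000000000000000000000000000000002","00000000000000000000000000000002","00000002","notes.CKM",2048,9002,"WIN",""
"0000000000000000000000000000000000000003","00000000000000000000000000000003","00000003","setup.exe",4096,9001,"WIN",""
"0000000000000000000000000000000000000004","00000000000000000000000000000004","00000004","backup.ckm.bak",512,9003,"WIN",""
'''
NSRL_PROD = '''"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"
9001,"Example Virtualization Suite","1.0","WIN","M1","English","Utility"
9002,"Example Note Keeper","2.3","WIN","M2","English","Office"
9003,"Example Backup Tool","4.1","WIN","M3","English","Utility"
'''

def load_products(prod_stream):
    """Map ProductCode -> list of (name, version); a code can appear more than once."""
    products = defaultdict(list)
    for row in csv.DictReader(prod_stream):
        products[row["ProductCode"]].append((row["ProductName"], row["ProductVersion"]))
    return products

def find_by_extension(file_stream, prod_stream, ext):
    """Return sorted (file name, product name, version, SHA-1) for names ending in ext."""
    ext = ext.lower()
    products = load_products(prod_stream)
    hits = set()
    for row in csv.DictReader(file_stream):
        # Case-insensitive suffix match, so "backup.ckm.bak" is not a hit.
        if not row["FileName"].lower().endswith(ext):
            continue
        for name, version in products.get(row["ProductCode"], [("unknown product", "")]):
            hits.add((row["FileName"], name, version, row["SHA-1"]))
    return sorted(hits)

if __name__ == "__main__":
    # With a real RDS, pass open("NSRLFile.txt", newline="", encoding="utf-8",
    # errors="replace") and the matching NSRLProd.txt instead of the samples.
    for hit in find_by_extension(io.StringIO(NSRL_FILE), io.StringIO(NSRL_PROD), ".ckm"):
        print(hit)
```

A hit only shows that some catalogued product shipped a file with that extension; it does not identify the files in the case listing, which still need a content-based check once they are recovered.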
 
  

jaclaz
Senior Member
 

Re: ckm File Extension from 2009

Post Posted: Oct 05, 19 08:47

- Kaly
No, because I don't actually have the files yet. I only have the file listing stating that these files exist.


So, unless the file names are - say - mysecretpasswords.ckm and OMGmorepasswordshere.ckm the idea that they may contain passwords (or any other relevant data) is as valid as the one that it is just a normal text file with a changed extension, containing the Metterling lists:
www.nytimes.com/2007/1...fense.html

First list:

List No. 1

6 prs. shorts
4 undershirts
6 prs. blue socks
4 blue shirts
2 white shirts
6 handkerchiefs
No starch


Anyway, before 2009 .ckm was an extension used by some files for Microsoft MED-V client/server setup.
blogs.technet.microsof...ositories/


· .CKM Files – The .CKM (Compressed Kidaro Machine) files represent the packed images that have been deployed to the server. These are the images that have been linked to specific workspace policies for users. The image is packed first on a MED-V client running the MED-V management console and encrypted.


IF that is the case, the filename might end with "_1" or similar:
madvirtualizer.wordpre...n-lineage/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Kaly
Newbie
 

Re: ckm File Extension from 2009

Post Posted: Oct 07, 19 14:39

@jaclaz Thank you, that's very helpful!  
 
