offer to assist in file deconstruction free of charge

(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

There are many files that give people trouble to deconstruct and to analyze. I am willing to deconstruct these files for you and write an app that will generate the HTML and CSV report.

How it works: send me 3 file samples of the file you cannot read, hexing out all sensitive info with all 7's etc. Be sure to tell me what type of data it contained, of course.

Benefit to you: process a difficult file type free of charge and have a report and backup documentation of the structure to validate. An app will be created for you to deconstruct the file so only you see the sensitive info of the file.

Benefit to myself: increases the effectiveness of my forensic toolkit by adding more formats to read.

Again I offer to deconstruct files free of charge; send me an email for further information.
(Note: I will not deconstruct the iPhone as I already have the mobilesync cache done.)

Ryan Manley
Wise Forensics LLC
ryan.manley@wiseforensics.com


s1lang
(@s1lang)
Trusted Member
Joined: 17 years ago
Posts: 98
 

That is a very kind offer.
Thank you


(@joe_bowman)
Active Member
Joined: 17 years ago
Posts: 11
 

On the face of it, this sounds like a very good offer and I can see the potential benefits from both sides. But to play the devil's advocate for just one second, I pose the following:

If I don't know the structure of the file, how can I be sure I have hex'd out all the confidential data? For example, if there is some data that is encoded, that I don't see from first glance exists.

In this instance surely passing the file across to yourself is leaving me open to a minefield of breached contracts / MOUs / legal obligations etc.

Your thoughts?


(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

I would be willing to sign a Non-Disclosure Agreement if it would ease your mind. After all, I would be taking on the role of a free consultant. I would deconstruct the file, send you structure information and a small app that would deconstruct any remaining files you might have. My offer is free; both sides benefit. My company was founded on creating tools alongside LE that would help in their cases. I will do the best I can to help with these difficult files and will address concerns as they come.

Thanks for being a Devil's Advocate 😉

Ryan


(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

I don't suppose you've taken a look at StickyNotes.snt files, have you Ryan? (Windows 7 Sticky Notes app's data file)
Reason I ask is I've just cropped up with one on a case and I'm trying to work out how to extract the info from it; I haven't found any docs on its format as yet. (Much of the info is viewable (RTF / Unicode text blocks), but broken up by the structure, whatever it is.)
I'd prolly find it harder to reliably redact the file before sending to you than it would be for you to generate them yourself. If you type a sticky note then look in your "C\Users\<username>\AppData\Roaming\Microsoft\Sticky Notes" folder, you should find the file which stores the contents of stuff you type in sticky notes.
Worth an ask 😉


(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

Just from an initial look it appears that new entries are put on top, and the file has older entries towards the bottom. This is kinda backwards compared to other database formats… I'll see if I can deconstruct this. I think the file must be read from bottom to top, so it will be kinda fun to deconstruct. (I am running Windows 7 atm so I hope it will be consistent with Vista notes.)

Also, new entries will be written on top of older deleted post-it notes, which makes a simple text-based approach impossible. This will have to be done by reading the byte structure of the file, which I can do without issue.

Thus far I have found a timestamp at the beginning of the file that represents the last time the file was written; note that every time you click the sticky note it writes to the file… The offset for this timestamp is 1132-1140 and it appears to be in Little Endian. Working on the starting point in time for the timestamp.

Update
11/17/2010
- The time is stored in Ticks since 01/01/1601 UTC
(will write a converter for this)
- Each entry contains 2 defined timestamps and possibly a 3rd for if the sticky is deleted.

Structure thus far
- Every time the note gains focus it writes it to the sticky note file.

Byte Layout
0 - 1131 = Seemingly useless thus far
1132-1140 = Timestamp in Ticks since 01/01/1601 UTC and in LE form
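The layout described above (an 8-byte little-endian tick count since 01/01/1601 UTC, which is the Windows FILETIME convention, at offset 1132) can be decoded with a few lines of code. The following is an added example, not code from the poster or from Wise Forensics: it reads that header timestamp from a constructed sample buffer, and also generalises the idea into a scanner that reports every offset holding a plausible FILETIME within a chosen date window, which is one way to locate the per-entry timestamps the post mentions without knowing the rest of the structure. The sample bytes, the 2010 timestamp and the 0x77 filler are constructed here for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
HEADER_TS_OFFSET = 1132  # offset reported in the post (bytes 1132-1139)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used to build the sample and the scan window."""
    delta = dt - FILETIME_EPOCH
    secs = delta.days * 86400 + delta.seconds
    return secs * TICKS_PER_SECOND + delta.microseconds * 10


def read_last_written(data: bytes, offset: int = HEADER_TS_OFFSET) -> datetime:
    """Decode the little-endian 8-byte timestamp at the header offset."""
    (ticks,) = struct.unpack_from("<Q", data, offset)
    return filetime_to_datetime(ticks)


def scan_filetimes(data: bytes, lo: datetime, hi: datetime, step: int = 1):
    """Return (offset, datetime) for every 8-byte LE window whose value
    decodes to a FILETIME between lo and hi. Slides byte-by-byte so
    unaligned timestamps inside entries are still found."""
    lo_t, hi_t = datetime_to_filetime(lo), datetime_to_filetime(hi)
    hits = []
    for off in range(0, len(data) - 7, step):
        (ticks,) = struct.unpack_from("<Q", data, off)
        if lo_t <= ticks <= hi_t:
            hits.append((off, filetime_to_datetime(ticks)))
    return hits


# Constructed sample: 1132 zero bytes, the header timestamp, then 0x77 filler
# (mirroring the "hex out with 7's" redaction suggested in the thread).
SAMPLE_TIME = datetime(2010, 11, 17, 15, 30, 0, tzinfo=timezone.utc)


def build_sample() -> bytes:
    buf = bytearray(HEADER_TS_OFFSET)
    buf += struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME))
    buf += b"\x77" * 64
    return bytes(buf)


if __name__ == "__main__":
    data = build_sample()
    print("last written:", read_last_written(data).isoformat())
    window = (datetime(2000, 1, 1, tzinfo=timezone.utc),
              datetime(2020, 1, 1, tzinfo=timezone.utc))
    print("plausible FILETIMEs:", scan_filetimes(data, *window))
```

Against a real .snt file, replace build_sample() with the file's bytes and narrow the scan window to the case's date range to cut false positives from random byte runs.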


binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

- The time is stored in Ticks since 01/01/1601 UTC
(will write a converter for this)

I've done it - try TimeLord, it's free )
http//computerforensics.parsonage.co.uk/timelord/timelord.htm

If you need C or C# code for the conversion from little or big endian then by all means PM me; why reinvent the wheel?

Paul


(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

- The time is stored in Ticks since 01/01/1601 UTC
(will write a converter for this)

I've done it - try TimeLord, it's free )
http//computerforensics.parsonage.co.uk/timelord/timelord.htm

If you need C or C# code for the conversion from little or big endian then by all means PM me; why reinvent the wheel?

Paul

lol, didn't reinvent the wheel, just used the built-in Date/Time features of Visual Studio, so that part's done 😉 Thanks anyway though for the offer.


binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

just used the built-in Date/Time features of Visual Studio, so that part's done 😉 Thanks anyway though for the offer.

Just to subvert the thread for a moment…

It amazes me that the .NET framework has had classes that properly interpreted timezones and a wealth of time conversion functions since its inception (version 1). The NTFS and FAT drivers, though, were not doing the job properly and as far as I am aware are still producing buggy timestamps - for shame Microsoft - sort it out!

Paul


(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

Interesting… The sticky note format is known as a Structured Storage format. The problem is that most viewers do not show the fragmented deleted information still in the list. I will try to write a viewer to find this info.

