Notifications

Clear all

offer to assist in file deconstruction free of charge

xaberx · 2010-11-17T00:37:22Z

There are many files, that give people trouble to deconstruct and to analyze. I am willing to deconstruct these files for you and write an apparently that will generate the HTML and csv report.How it works send me 3 file samples of the file you cannot read , hexing out all sensitive info with all 7's etc be sure to tell me what type of data it contained of course.Benifit to you process a difficult file type free of charge and have a report and backup documentation of the structure to validate. An app will be created for you to deconstruct the file so only you see the sensitive info of the file.Benifit to myself increases the effectiveness of my forensic toolkit by adding more formats to read.Again I offfer to deconstruct files free of charge send me an email for further information.(Note I will not deconstruct the iPhone as I already have the mobilesync cache done)Ryan Manley Wise Forensics LLCryan.manley@wiseforensics.com

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by joachimm 15 years ago

17 Posts

9 Users

0 Reactions

1,158 Views

RSS

pbobby

(@pbobby)

Estimable Member

Joined: 16 years ago

Posts: 239

18/11/2010 7:54 am

I would be interested if you could parse out bcache22.bmc (the bitmap cache file used to support remote desktop sessions).

ReplyQuote

Patrick4n6

(@patrick4n6)

Honorable Member

Joined: 16 years ago

Posts: 650

18/11/2010 10:45 am

Interesting….The stickynote format is known as a Structred Storage format. the problem is with most viewers they do not show the fragmented deleted information still in the list. I will try to write a viewer to find this info.

The term used in the white paper that I presented last month at Techno Forensics is "Compound Document". http//en.wikipedia.org/wiki/Compound_document

You can view compound files with - CFX – Compound File Explorer www.coco.co.uk/developers/CFX.html

Remember of course that there can be file slack inside the .SNT file, and you can view that as easily as opening the file in a text editor, since the meaningful text is in Unicode, which will just look like spaced out text, and stickies are simply a method of storing text.

ReplyQuote

xaberx

(@xaberx)

Estimable Member

Joined: 17 years ago

Posts: 105

Topic starter 18/11/2010 11:26 am

I think Ill write my own app, will be a challenge but I think I can make it auto record the slack aswell. and @pbobby Ill take a look at that file structure next for you. 😉

ttyl time for bed here.
Ryan

ReplyQuote

Rich2005

(@rich2005)

Honorable Member

Joined: 19 years ago

Posts: 541

18/11/2010 3:51 pm

Cheers Ryan, much appreciated.

ReplyQuote

trewmte

(@trewmte)

Noble Member

Joined: 19 years ago

Posts: 1877

18/11/2010 4:02 pm

I have been watching this thread grow and it is amazing to see the generous nature of those offering help and apps, particularly xaberx. I am really very impressed. Well done guys and thank you for giving of your time and contributing.

ReplyQuote

xaberx

(@xaberx)

Estimable Member

Joined: 17 years ago

Posts: 105

Topic starter 19/11/2010 1:27 pm

just a status update on the Structured Storage file used in Sticky notes for windows…. and I must say this file system is very messy… so far i have the first 2221 bytes mapped out and identified that each sticky note has a unique ID and its own timestamps… I have located a great viewer to help verify what I have found thus far called SSview located at http//www.mitec.cz/

However this viewer cannot see deleted msg residue which is the reason I must do a hex deconstruction of the file and cannot use typical structure readers….. Shouldn't be too bad as I have a mapped the first portion of the file and will just need to make comparisons to determine the unknown values such as offset information and how to piece together the Meta data fragments.

ReplyQuote

joachimm

(@joachimm)

Estimable Member

Joined: 17 years ago

Posts: 181

19/11/2010 3:36 pm

xaberx FYI

Actually the sticky notes snt Structured Storage is an OLE Compound File.

The term Structured Storage seems to be used for different types of implementations.
http//msdn.microsoft.com/en-us/library/aa378734%28v=VS.85%29.aspx

Microsoft has an official specification of the OLE Compound File
http//download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/WindowsCompoundBinaryFileFormatSpecification.pdf

Also see http//www.forensicswiki.org/wiki/OLE_Compound_File

With olecfexport (pre alpha) I was able to extract the following streams

You might want to check the behaviour of the how the .snt is written, by the sticky notes application. If the file is entirely rewritten the deleted data is probably gone. If the file is accessed as originally intended it can still contain the deleted data and/or slack data.

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
264 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed