Presenter: Rob Schroader, Paraben Corporation
Rob Schroader: Hello, and welcome to the Forensic Focus webinar Computer Investigations Using P2 Commander – From Targeted Triage, to Mobile Data, to Full Examinations. My name is Rob Schroader, and I’m going to be your presenter today. I am the CEO of Paraben Corporation, and if you need to get a hold of me for any reason, if you have any questions or concerns, you can reach me at [email protected]
So in this webinar, we’re going to focus on using P2C for data analysis and data triage. We’ll use Deployable P2 Commander, or DP2C, for targeted collections, use P2C to examine that collected data, and use P2C to do triage of complete hard-drive images, as well as targeting the email, internet data, and illicit image detection.
P2C does have the capability of doing full, comprehensive forensic examinations, including indexing and sorting. It utilizes recursive features – and then I’ll talk about the pros and cons of recursive analysis. It utilizes multi-threading, so you can really maximize the processing power of your computer. Also, we’ll show you investigating data while processing the data – so your comprehensive examination can still incorporate triage features. We’ll talk about keyword index searches versus comprehensive searches, and we’ll show you some tips and tricks about exporting the evidence and exporting email that can save you a lot of time.
We will also cover mobile backups and DS case files, so if you require mobile evidence using device seizure, we’ll show you how to load those cases into P2C, and I’ll show you the advantages of analyzing mobile data using P2C over device seizure.
Let’s talk a little bit about the upcoming release of P2C 4. P2C 4 is a major release of P2 Commander. It will have an entirely new interface, and that interface will be modern and familiar. If you use Windows-based products, you will really like the changes in the interface. We will be adding Exchange 2013 support, and we will also be adding support for Xbox 360. This will allow you to take full images of Xbox 360 systems, or it’ll allow you to take logical acquisitions of data from Xbox systems that don’t support full imaging. You’ll be able to analyze that data using P2 Commander. We’ve also added SQLite viewers, and the ability to add iOS backup files directly into P2C 4 without acquiring that into device seizure first.
So let’s jump right into it. The first thing I want to talk about is targeted data collections using DP2C. This is the interface of Deployable P2 Commander. Deployable P2 Commander is included now with P2C 4. This will allow you to target collections on Windows-based systems in both a forensic or a non-forensic mode. In a forensic mode, the DP2C thumb drive that you plug into this system will be booted directly into the thumb drive. That will leave no trace on the hard drive, and you will be able to collect data in a completely forensic manner.
On a live system, if you want to plug in the DP2C thumb drive and run DP2C on a live system, the only traces you’ll see are the registry entries for plugging in a USB drive into the system. Then you can target what type of data you want to get. A quick scan is going to use a triage feature, reading the registry data to acquire specific types of data. If you do a quick scan, it will scan through quickly, using registry information for email databases, chat databases, browser data, My Documents folders and recently used files.
Now, with anything that is using the registry as a method to find data on a hard drive, you are not going to have a comprehensive and exhaustive search. Therefore, the email databases, chat databases and browser data that is found is based off of installed programs. So if you have installed Outlook and, subsequently, PST files with that, this is what it’s going to find. If you do not have Outlook installed, but the system happens to have PST files on it, it is not going to find it, because it is not doing a comprehensive scan for file headers.
Once you’ve found the data, you can go ahead and acquire it to the target drive here. You will have to define your evidence drive, and acquire the data to that. Now, if we go ahead and want to do a custom scan, you can see over here in the categories, we have a lot of different categories, including compressed data, databases, documents, email, executables, graphics, multimedia, spreadsheets, text documents and XML documents. Once you determine what you want to scan for and what drives you’re scanning in, you can define where you’re going to acquire that data to, and target your collection based on the file type.
Now, this is going to be a comprehensive exam; it is going to go on file headers. You can also choose to scan the deleted data, as you see here, so it’s going to take much longer to target this type of data and acquire it, but it will be more comprehensive. And that is one of the natures of data triage: the faster you do your data collection and data triage, the more chance that you’re going to have of missing some data, and it’s not going to be as comprehensive.
So let’s go ahead, and move on over to P2 Commander. Once you’ve acquired the data using the Deployable P2 Commander, we can load that data into P2 Commander. Now, P2 Commander also allows you to load all sorts of other types of acquired data, whether it’s email databases, whether it’s full forensic images. So it doesn’t matter at this point what type of data we load into P2 Commander.
So what I’m going to do is I’m going to load in a full image of a hard drive, and show you the data triage techniques as well as the full, comprehensive analysis techniques that are available within P2 Commander.
The first thing we do when we load in P2 Commander is we create a new case. We can choose the case name. And at this time, I can choose to enter in the investigative information, or I can leave it blank. This can be added to the report when we’re done and ready to make a report.
Now, we’ve created a case file. P2 Commander does use a case file that is database-driven. There is no extra database that you have to install – it is all easily installed on one system. You don’t have to have separate hard drives or anything like that. P2 Commander does have the power behind a backend database without the hassle of some of the larger database programs you might have to install.
Once we have our case file created, we can add in our evidence. Now, if I had done a data collection using Deployable P2 Commander, I would choose Paraben tools, and I would load in the forensic container that was created during that collection. With this example, I’m going to load in a DD image that was collected using Forensic Replicator. And I’m going to choose auto-detect. P2 Commander is a lot smarter than I am, so I may think that I have an NTFS partition, but it might end up being a FAT partition. I’m not going to guess on that. I’m going to let P2 Commander choose and auto-detect what format it is, and I am going to navigate to my evidence file.
By default it’s going to just have the first evidence node as the file name, and once it adds this evidence, the first thing it’s going to do is it’s going to want to start to process this evidence with a sort and an index for keywords. So this is a full-text index. So let’s talk about this before we go on to do the data triage. This will allow us to have the program really start to process all this data in the background while we initiate our triage.
First thing I want to talk about is recursive sorting and keyword indexing. Recursive options are some of the most powerful options within P2 Commander. This means that as you process this forensic image, if it runs across other disc images, email databases, internet browser data, registry data, chat databases, archives such as zip or 7z, or even OLE storages, it will recursively go through there and parse out that data as well. So all of the attachments within the email database will be sorted and keyword indexed as well.
We can have some time-saving things in here as well. I like to include files of undetected format. So anything that it doesn’t recognize as a standard program file, document or an image or something like that, it’s going to dump into its own category so I can look and see what might be in there. It’s going to calculate hash codes for drives and partitions. You can save a little time, if you’re not concerned with that, by un-checking that. And then recovering deleted data – P2 Commander does have data carvers that are automated within this process. So if you’re not concerned about deleted data, you can save some time by un-checking that. I like to generally do the same things in my examination, so I will check ‘Save current wizard options’.
Next, I have things like skipping MSI installations, CHM help files, and CAB archives, because those are generally associated with installed programs, and it will save a lot of time if I skip that. Also, skipping unknown OLE streams will save a lot of time.
Next is the image analyzer or illicit image detection options. If you’re not concerned about pornographic images, then you can un-check that, and again, that’ll save some time in your processing. You can increase or decrease your sensitivity, which will increase or decrease the amounts of false positives you have. I always use a resolution filter because I’m not concerned about icon-size images in pornography. So I at least have my settings set at 65 pixels by 65 pixels, to not scan that size image for pornography.
And I go ahead and hit ‘Finished’. So let’s talk a little bit the interface here, of P2 Commander suite we’re looking at. The Case Explorer is going to be your Windows Explorer style, tree view of the data that you’ve got in your case. Down here we have the properties. As you can see right now, the only properties displaying are the case properties. Down here we have our tasks, and we will have file viewers down here if we select a file that is compatible and that has a file viewer built into it.
So let’s talk a little bit about the tasks. Right now we have a running task. Depending on the number of open processes that I have on my system – so if I have a multi-core processor – I can have the same number of processes running, and this is where P2 Commander’s multi-threading capabilities come in really handy.
The multi-threading capabilities allow you to start separate tasks without using the processing power of the original tasks that you have going or the other consecutive tasks. So with this system, it’s a quad-core, and I can come up with my options here, and I can choose the cores that are simultaneously… tasks that I can have running at one time. So I can increase this up to four simultaneous tasks, that will use one core for each task that I’ve got running, whether that’s an export, sort and index, searching, reporting, or file content counting.
One of the things you’re going to want to make sure is that you go into your config file within Windows, and make sure that you have that set to run as many processes as you want in there. By default, Windows will not allow one single program to access more than one core at a time. So you have to change that in your Windows settings. If you have any questions on that, feel free to email me, or you can usually look that up on YouTube and very easily find out how to change that setting within Windows.
Over here, we have our case management tabs, so as I do different tasks, I can easily switch between them. So if I want to jump back to the Welcome page, I can do that. So let’s go ahead and start looking at the data that we’ve got loaded here. You can see that I’ve got the evidence loaded. If I add more evidence, say email or other images, maybe I’ve got thumb drives that were associated with this system, I could load those in separately.
And you can see here I’ve got my Partition Parser, and I have one partition. As soon as I click on that, it starts to process this, and sees that it’s an NTFS partition, and it asks me for different settings, such as searching deleted files and folders, adding the trash folder to the NTFS [root], and recovering folder structures for bad images. It also allows me to add the unallocated space folder to the NTFS [root]. This is very convenient if you want to look at all of your unallocated space in one location and do some manual data carving yourself.
So I’m going to leave those selected, and then I can continue to drill down, and you can see I’ve got my root of the drive here, I’ve got the trash, I’ve got my unallocated space. If I want to start to process for deleted data, I can just start expanding that, and it’s going to go through and start doing the automatic data carving for known file types. I can even close that, and it’s going to continue to run in the background. Now, as I expand the root here, it’s going to process that, and this is going to look surprisingly like a root folder of a Windows system, an NTFS Windows system. So it’s going to take a moment for it to process and start showing that data, but you can see I’ve got my Documents and Settings folders, Drivers, Program Files, and Windows.
So at this point, now that I’ve got P2 Commander running a sort and index, I can do a couple of different things. I like to, personally, do a comprehensive search at the same time. This will run a separate process, it will not slow down my sort and index, and the comprehensive search is going to be more comprehensive, although it’ll take longer than a keyword and index search. So let’s go over that real quick before we jump at our data triage.
As I click on the search button, and I have the top-level node of my evidence here selected, it’s going to start this search from this level on down. If I had one of these files selected, these folders, it would only search from that level on down. So be careful, as you initiate things like searches and exports, what you have selected over here in the Case Explorer, because that’s where it’s going to initiate that command from.
So I’m going have my search from the Partition Parser up here, and we have options for text search and hex searching, we have Boolean searches, regular or grep expression searches, and simple searches. Now, as I select regular expressions, you’ll notice that over here I have the template option. P2 Commander has dozens of built-in templates for grep expressions that I can customize for my case here. Everything from IP addresses and URLs to phone numbers by country, personal identifiers such as credit card numbers, VIN numbers etc, time, dates, emails, others, and the ability for you to create your own. So this is a handy little thing for your comprehensive searching.
So for this file here, I also have the option to search in different areas. Now, as I select recursive searching – again, this recursive option is very powerful, because if I don’t have these selected, when it runs across these different types of files, it’s not going to be able to search through those unless I have the recursive option selected. And because I like very comprehensive searching in this, I’m going to select them all. You’ll notice that I have a bunch more tabs pop up here. In File System Data I can choose anything from where it’s going to search to date-time filters. E-mail Databases, the same thing – I can search in different areas of the email and add a date-time filter. Chat databases I can search by screen name or date-time filter. Internet browser history – if I’m not concerned with things that are hit only one time, or visit counts, I can increase that, or I can do a date-time filter. And then within the registry data, I can search for keys, values, and value data.
So once I’ve got that selected, I can either type in my search term, I can choose a load word file from a text file, I can choose to match cases or whole words, I can choose the language that I’m going to search in – if I want to search in a different language, I can move that on over. I can also change the codec. So if I need to have extra codecs in my search, I can do that as well. Once I have that all selected, I can either hit return, or I can hit my Start button, and it’s going to start searching through the data. Now, you can see down here that that’s queuing up until the program says, “Alright, I’m going to move that on over to the running tasks,” I’ve got my search running, and I’m utilizing a separate process, and it is not slowing down my sort and keyword index.
Now, if I were to queue up more than the four available running tasks that I have, it’ll queue up and stay in the queue folder over here until a running task is complete, and that moves on over to the completed folder here. So now that I’ve got the program really processing through my data and doing its magic, I’m going to go ahead and jump right into my data triage.
Now, whether I take a data triage collection from Deployable P2 Commander or I utilize this data triage function here within P2 Commander, it’s going to be very similar. Within the DP2C you can see that I’ve collected things like email databases and My Documents folders, recently used files. You can see here that this particular drive did not have any internet data or chat archives that were installed to be able to be processed through the data triage.
So if I wanted to expand this, then I can see here in the email databases, I’ve got an Outlook Express email database here, I can double-click on that. And it’s going to think for a second, and then I can go ahead and expand that, and start to look immediately at the email within this. So as I select the individual emails, you can see down here, my email data viewer, or file viewer, I can do anything from look at the headers to see the text representation to HTML to the raw HTML of the email.
If I want to initiate a search, since I do have open tasks that are running, and am doing a data triage, and I might want to see very quick results from my search results, I can right-click and hit ‘Search’, and I can initiate a search for my keywords, specifically for this email database, and have results much faster than my overall comprehensive search.
So that’s one way you can really perform data triage very quickly and easily, and get results back almost immediately. So I’m going to go ahead and cancel that out, and start to expand some of these other things. I can look at the My Documents folders, see that there’s an administrator account and the standard XPM user. I can look at the recently used files, then I can expand and start looking at more information that is being parsed out from the registry. You can see that this is an XP system, I can look at auto-run information, OS information, including the product ID. And you can see that this is a Windows XP mode virtual machine.
And then I can start looking at these different things from the registry, whether I want to look at this shell data, if I want to look at installed programs, services, known DLLs, USB storages, I can quickly go in there and see what USB drives have been attached to this system. And then I can continue on, and go down, and look at the users. And from the user list, I can see things such as typed URLs, Run folder, ACMru, RunMRU recent documents for each user. So you can see here the typed URLs, even if they’ve deleted their history. I’m going to see that for each user, and the different URLs that have been typed by the users. So that’s another way that I can do data triages – I can focus on any one of these types of data, and really look into it.
Now, I’m going to go ahead and stop the task here for searching and sort, so I can show you what is it going to look like here, as we click on the other tabs here, we can look at the sorted files, and as it starts to add data to the sorted files, we can look at the image analyzer results. And that’s going to even sort deleted, recovered data, based off of the different categories.
We’ll also have full hash database management. So if I want to take the NIST database here, and I want to manage that, I can add my own hash databases. I can come back over here to the sorted files search, and I can say I want to run a query, and I can choose my hash database to say I want to filter out all my denied files, all my matching denied files, so in my sorted files, it’s only going to display files that are not known files. I can run that query and it’s going to filter that out. If I have a database, say, of maybe illegal images, I can put that in the accepted databases, and I can include that in my query, in my filter, and I can filter out by that as well.
Let’s talk a little bit about bookmarks. Bookmarks are pretty standard. If I run across data in my analysis here – say this is of importance to me, and I want to add the bookmark, I can add a bookmark that’s going to show the internal path, and you’ll notice this is an internal path for the P2 Commander file format, it is not the path to the source. The source path is here. So if you move your evidence after you’ve loaded it into your case, you will need to re-link that to the source. But if you ever want to record a bunch of paths because those files are important to you, you can copy those over after you’ve created your bookmark. You can even organize your bookmarks based off of, say, registry data, images, etc. You can choose to store those bookmarks in these different locations.
If I want to… say, I’ve accidentally closed that down and I want to navigate to that, I can navigate to that by copy-and-pasting that, and you can see I can easily come back to that. So that’s the internal path.
Another thing you can do – you can checkmark evidence that is important to you, and you can utilize either checkmarks or bookmarks, or a combination of the checkmarks and bookmarks in your reporting. So that’s how you can include data into your report, that’s how you can utilize bookmarks.
Let’s talk a little bit about exporting. As I mentioned earlier, there’s a way that you can export email that will save you a lot of time, in your case if you’re only concentrating on email. A lot of examiners do use P2 Commander exclusively for email. It will be their triage tool or their comprehensive tool for examining email when they run across it in a case.
So you’ll notice here, if I want to export data, and I have data selected, and I hit export, it’s going to allow me to export that to a folder or to a forensic container, and I can easily export that out. However, if I have email data selected, and I select ‘Export’ or I select it here, it’s going to detect that this is email, and it’s going to pop up an email wizard.
Now, to save time, rather than… if I do just have email and I’m only examining email, I can either use the batch export wizard, or I can load that email in as email evidence, and then select the ‘Export’ before I run my search and before I run my filter. I can do that because I can do those things right now, as I’m exporting this out. If I only want to select specific folders within this email archive, I can choose to narrow my export down to specific folders. Then I choose which type of output that I want – do I want to export it to EML, EMX, MHT, MSG format, PST, or attachments only. PST is very common, I can export it to that.
Let’s go ahead and choose where I want to export it to. I’m going to export it to my desktop. Next, I’m going to choose whether or not I want to include attachments. If I’m exporting from, say, a large network email archive, I might want to limit the results, because PST files have a limitation of 20 gigs right now for file size. So I can’t export more than that, or else it’ll not be able to be loaded into anything. Or if I do [limit] the size, I can choose other options as well. Filters – I can choose here to use filters. This will include regular Boolean expressions. So I can choose to filter out by the search results. So if I only want to export hits for my search results, I can do that here. And I’m going to have the same options for load words, whole words and matching case, the codecs and the locale that I can choose. I can choose the hex search, the scope of where I’m going to search, as well as adding a date-time filter. So if I have restrictions on a specific time period that I can search in, I can add that all right now, export it, and I can include that all in one step. So that’s a really simple way for you to do a lot of work in one wizard here, and let the program P2C really do all your work for you, and export your results into PST files.
So that’s exporting. Now we’ve covered exporting, we’ve covered searching, let’s go ahead and… since I have paused the keyword index here, I’m going to go ahead and actually stop it. This should allow me… it may or may not allow me. Let me see if it’s going to allow me to do a keyword search. Since I stopped that, it doesn’t look like the keyword indexing completed here, so it’s not going to allow me to do a keyword search. But quickly, a keyword search versus a full index search. The keyword search is going to use that keyword database of recognized files to be able to do a quick search. You’re not going to have all of the recursive options in this option, in the keyword index search, since it is only using that keyword index database to do your searching. But however, the search results are going to be very, very quick. It’s going to take a matter of minutes versus a matter of many, several hours, and possibly days, depending on the size of your image file there.
So before we move on to reporting, let’s go ahead and take a look here quickly at some of the search results here. With the search results, we have some different options. We can expand and see the different hits within the one file. We have two hits within one place in this top one. In this one we have eight hits in one place. And if I double-click on that, it’s going to take me exactly to where that hit is in the text view of that binary data. So each hit that I’ve got, I can double-click on it, and it’s going to take me to that specific hit within that file. If I want to run a search result report, I can right-click and I can save the results to XML, or I can export those results to a file. This is going to export every file that I have within the search results to a folder or forensic container. So those are some very convenient reports that you can have.
Let’s talk a little bit more about the general properties down here. As I’ve selected a file, you can see all the different properties that are displayed. And then, I can go ahead and, if I have things, extended properties such as EXIF data, I can view that as well down here.
So once I’ve gone through my case, I’ve done my data triage, I’ve done my comprehensive analysis, and I’ve done all my search results, I’m going to want to do a report. So I can generate a report, and I’m going to suggest that everybody that uses P2 Commander, whether it’s for a quick data triage, whether it’s for a targeted email analysis, whatever it may be for, go through and generate a report for each type of report, whether it’s the HTML Investigative Report, which is going to be your more comprehensive report, your Simple Text Report, your comma-delimited text report, or your HTML Evidence Summary Report, go ahead and do that. We do have samples here, so if you click on a sample, it’s going to pop that up, and you can see what that’s going to look like. You can see… as this loads here – it’s going to take a second.
While that’s running, I’m going to go ahead and click on… well, let’s go ahead and show you this.
Investigative Report, HTML, looks kind of nice compared to, let’s say, Simple Text Report. Simple Text Reports are not nearly as pretty, but you can see those. Once we have the type of report that we want, go through the wizard, and again, don’t just click on the ‘Next’ buttons for wizards. A lot of the power behind P2 Commander is behind the wizards here. So if I didn’t enter in my information here that I want in the header of my report, I can do it now.
Bookmarks – this is going to be whether or not I want to include all bookmarks, or if I don’t want to include any bookmarks, or only if I want to include the bookmarks that both have, the bookmarked and the checked data. So depending on how you utilize bookmarks throughout your investigation, this is what you… how it is determined whether or not it’ll be displayed in your report.
Same thing with file system data – one that runs across file system data for your report – do you want to include only data that’s checked as ‘Include in reports’ or do you want to include all file system data or do not include it at all. You’ll have your options for properties for file system data, [sorted] files. Again, if you’ve gone through your sorted files and you’ve checked files that you want to include in your report, you can include only that data that’s checked in the report, or you can choose not to include those sort of files at all.
With the logs and supplementary data, we can use the case history, as P2 Commander does, [each] case it does record an entire case history. You can also export case history to a file and add a link to it. You can add subsequent files – so if you have other files that are pertinent to your case, whether it’s maybe physical image or images, photos of a crime scene, whether it’s supporting documents, you can add those to your case report as well. Then you hit ‘Finish’ and your case is completed.
So that completes the data triage analysis as well as comprehensive analysis using P2 Commander. Look for version four of P2C to come out in the first quarter of 2015. As I mentioned, it’s a major, major update. We are very excited to have this come out. We will be allowing people that are viewing this webinar to get a full, free, 30-day license of P2C4. So you can either click on the ads within Forensic Focus, you can email me at [email protected], or you can visit paraben.com and look for the P2C challenge to request a free, 30-day, full-license version of P2 Commander.
Thank you for joining me today, and again, if you have any questions, please visit us at www.paraben.com.
End of Transcript
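The hash database query the presenter describes for the sorted files (a "denied" set of known files that are filtered out, and an "accepted" set of known-bad files that are flagged) is the standard known-file filter used in triage. The following Python is an added example, not code from the webinar, from P2 Commander, or from Paraben: it implements that filter over a constructed set of sample files and two constructed hash lists, and shows why the filter works on content rather than file names. The hash-list format (one lowercase or uppercase SHA-1 per line, `#` comments allowed) is an assumption for the example.

```python
"""Known-file triage filter (added example, not P2 Commander's own code).

Files whose SHA-1 is in the known-good ("denied") set are suppressed,
files whose SHA-1 is in the known-bad ("accepted") set are flagged, and
everything else is left for manual review.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    path: str
    sha1: str
    status: str  # "known_good", "known_bad" or "review"


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a file's content; the name plays no part in the verdict."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample "evidence": path -> file bytes. On a real case these
# would be the sorted files of an image; here they are tiny byte strings.
# Two pairs share content under different names to show that renaming a
# file does not change how the hash filter classifies it.
CALC_BYTES = b"MZ\x90\x00 constructed calc binary"
IMAGE_BYTES = b"\xff\xd8\xff\xe0 constructed image bytes"
SAMPLE_FILES = {
    "Windows/system32/calc.exe": CALC_BYTES,
    "Documents/taxes.doc": CALC_BYTES,      # renamed copy of the known binary
    "Documents/notes.txt": b"meeting at 9, bring the contract",
    "Temp/IMG_0042.jpg": IMAGE_BYTES,
    "Temp/readme.txt": IMAGE_BYTES,         # same picture hidden under a .txt name
}

# Constructed hash lists in an assumed one-hash-per-line text format with
# comments and mixed case. KNOWN_GOOD stands in for a NIST-style set of
# known OS/application files; KNOWN_BAD for an investigator-built set.
KNOWN_GOOD_LIST = (
    "# constructed known-good (denied) set\n"
    + sha1_hex(CALC_BYTES).upper() + "  # calc.exe\n"
)
KNOWN_BAD_LIST = (
    "# constructed known-bad (accepted) set\n"
    + sha1_hex(IMAGE_BYTES) + "\n"
)


def load_hash_set(text: str) -> set:
    """Parse a hash list: strip '#' comments and blank lines, normalise case."""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hashes.add(line)
    return hashes


def triage(files: dict, denied: set, accepted: set) -> list:
    """Classify every file. A hash present in both sets is treated as known-bad,
    so a bad file that was also slipped into a known-good list is never hidden."""
    verdicts = []
    for path, data in files.items():
        digest = sha1_hex(data)
        if digest in accepted:
            status = "known_bad"
        elif digest in denied:
            status = "known_good"
        else:
            status = "review"
        verdicts.append(Verdict(path, digest, status))
    return verdicts


def summarize(verdicts: list) -> dict:
    """Counts per status, which is what a triage summary would report."""
    counts = {"known_good": 0, "known_bad": 0, "review": 0}
    for v in verdicts:
        counts[v.status] += 1
    return counts


def run_sample() -> list:
    """Apply both constructed hash sets to the constructed sample files."""
    return triage(SAMPLE_FILES,
                  load_hash_set(KNOWN_GOOD_LIST),
                  load_hash_set(KNOWN_BAD_LIST))


if __name__ == "__main__":
    results = run_sample()
    for v in results:
        print(f"{v.status:10s} {v.sha1[:12]}  {v.path}")
    print(summarize(results))
```

Run as a script it lists each sample file with its verdict and prints the per-status counts: the two copies of the known binary are suppressed, both copies of the flagged picture are reported regardless of extension, and only the unknown text file is left to review. Swapping the constructed lists for real hash sets is the only change needed to use the same logic on exported sorted files.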