lowmanio.co.uk title image

Articles with the category: Digital Forensics & Malware

I'm on Forensics Lunch!

Sun, 10 Jan 2016 03:39PM

Last week I got invited to take part in Forensic Lunch to talk about Foreman, my open source case management project!

Read full article

Microsoft Edge Forensics

Mon, 24 Aug 2015 05:23PM

With Windows 10 comes Microsoft Edge – the replacement for the much scorned Internet Explorer. Many articles are saying that Edge is better, faster and safer and compares to the likes of Google Chrome. But how does it store the user's web history?

Read full article

Malware Steganography

Sun, 12 Apr 2015 02:56PM

6 years ago (yikes!) I wrote about image steganography as a concept. At the moment there are a couple of pieces of malware that use steganography, such as Vawtrak (aka Neverquest) and ZeuS, to hide the command and control servers (C&C) or configuration files in images. This means that the malware does not need to contain a static list of C&Cs which will become old quickly, but can just download an innocent looking image from the internet; decode the hidden message and then connect out. The advantages are that the image can be refreshed with C&C data without having to recompile the malware; and the images can be hidden in plain sight; e.g. on legitimate message boards.

Read full article

Foreman case management framework

Sun, 13 Jul 2014 05:51PM

Introducing Foreman

Sat, 05 Jul 2014 12:35PM

In my second to last post I alluded to a talk I did at the CyberForensics conference. You can access the presentation here http://lowmanio.co.uk/share/OpenSourceForensicCaseManagementSlides.pdf

Read full article

CyberForensics Conference 2014 - Day 2

Sat, 05 Jul 2014 10:21AM

With 1 comment

Day 2 was just as good as day one, here are the highlights:

Read full article

CyberForensics Conference 2014 - Day 1

Mon, 23 Jun 2014 09:48PM

Today I attended and spoke at day one of two of the 4th Cybercrime, Security and Digital Forensics Conference 2014, held at Strathclyde University in Glasgow. My presentation was one an open source project I have been working away at for the last 3 or 4 months, and I'll do a more detailed update on that later in the week. I met a lot of lovely forensics and information security people & many PhD students, nice to do some networking with like minded people every once in a while!

Read full article

QR codes for evidence tracking

Fri, 11 Apr 2014 05:13PM

QR codes seem to be popping up everywhere now, from adverts & marketing campaigns to tracking and tickets. It’s easy to see why; they are easy to generate, have a high level of error-correction and the ability to encode quite a lot of data (the maximum being 4,296 alpha-numeric characters). Since most modern smart phones have the ability to decode them they present a much simpler way for people to get their information across – for example its much quicker and easier to scan a code on a house’s for-sale sign which links directly to the exact URL for that property, than to print the URL on the sign (for one it probably won’t fit, and secondly it’ll be the estate agents homepage and not the specific URL).

Read full article

Self deleting malware

Mon, 03 Mar 2014 09:56PM

Have you ever wondered how some malware variants are able to delete themselves? A malicious executable is launched on a machine, and once launched in memory, the executable vanishes. This makes malware analysis very hard if no memory dump was taken, as there is seemingly nothing there. We can however use other artefacts to confirm the running of a non-existent file, such as by looking at the Prefetch files, User Assist files and certain registry entries.

Read full article

Mini Forensics Challenge Answers: File headers & Footers

Wed, 30 Oct 2013 10:38AM

Thanks to everyone who emailed me in that they completed or had questions about the mini forensics challenge, I’m glad that someone out there reads this blog ;) Here are the answers below. I used Hex Editor Neo in the screenshots.

Read full article

Malware Analysis Training

Tue, 29 Oct 2013 11:28AM

Alternate Data Streams

Wed, 28 Aug 2013 08:43PM

Lots of apologies that I haven’t been blogging lately. I have recently got married, and as you can imagine that has taken up a lot of my time! I’m currently doing a course called the Certified Malware Investigator run by 7Safe, and one of the practical exercises in today’s session was on Alternate Data Streams (ADSs). I’ve been playing around with these and here is a quick summary!

Read full article

Mini Forensics Challenge: File headers & Footers

Sun, 17 Feb 2013 06:42PM

With 1 comment

Over the next wee while I am going to set some small forensic challenges for you to have a go at. The idea is that you don’t need expensive forensic software (i.e. EnCase!) to have a go; all of these are doable by hand using a hex/text editor. If you know how to do it manually, then you can explain what happens when EnCase or FTK do their magic and also be able to verify it.

Read full article

Open Source Intelligence Searches

Sun, 23 Dec 2012 05:28PM

In the context of investigations and forensics, “open source intelligence” is information collected from publicly available sources, such as newspapers and the internet. In a commercial forensics environment you may be asked to work out who is behind a certain anonymous identity; for example they might be posting secret company information on a blog or defaming the company’s reputation on a website forum. There are lots of free ways to help figure out people’s identities or gather more information about them.

Read full article

Why you need programming skills to be a good computer forensics investigator

Thu, 02 Aug 2012 06:36PM

(certainly in the commercial world anyway)

Read full article

Link Files Forensic Cheat Sheet

Fri, 20 Apr 2012 12:56PM

I have created a one page 'cheat sheet' for Windows link file analysis. The information comes mostly of the link file paper written by Harry Parsonage who has kindly allowed me to use his wording for the cheat sheet. I hope to make a series of these on different forensics topics so if anyone has any suggestions please get in touch or add a comment to this post.

Read full article

File tunnelling: weird creation timestamps

Sun, 25 Mar 2012 06:40PM

File tunnelling is a little known Windows capability that stems back from MSDOS days. In MSDOS, a ‘safe save’ was done by saving a copy of the modified data to a temp file, deleting the original and then renaming the temp file to the original name whilst also retaining the original files metadata. Windows NT also does this on FAT and NTFS to ensure that 16-bit applications can do a safe save, and this is called file tunnelling. This effects all Windows OSes including XP and Windows7.

Read full article

Windows Shellbags Forensics

Sat, 03 Mar 2012 03:48PM

UK Digital Forensics Conferences 2012

Sun, 05 Feb 2012 02:17PM

Last year I did a post with the symposiums and conferences I found relating to digital forensics for the coming year as I could not find an authoritative source. Here is the 2012 list. Please add any more conferences as a comment or email me and I'll add them in. I'm sure there will be at least one more entry from Napier Uni 's fantastic Cybercrime Symposium series!

Read full article

Unicode making malware easier

Sun, 16 Oct 2011 04:09PM

I recently discovered a wonderful unicode character that makes the following text reverse called right-to-left-override. For example: print "Hello[U+202E]World", produces the output: Hello dlroW. I'm not sure of what legitimate reason you would use the unicode character, but several blogs have warned that it can be used by malware writers to get people to click on files. Most people are wary that .exe files might be harmful, but extensions like JPG and other images are generally not. You can 'trick' a user into thinking a file is a JPG by using this special unicode character. If you named your malware executable ClickHer[U+202E]gpj.exe for example, you'd end up with a file called ClickHerexe.jpg.

Read full article

Windows cookies

Wed, 28 Sep 2011 05:43PM

Windows released a security update on the 9th August which means that cookies are no longer stored in the usual <username>@<service>.txt, but are now a random set of 8 alphanumeric characters, e.g. A1B2C3D4.txt. It seems this has broken a lot of software, especially those than delete cookies as they probably rely on the fact that cookies had a very conventional naming method. Old cookies stay the same as you can see from the below screen shot of my cookies folder.

Read full article

Next steps with Webscavator

Sun, 31 Jul 2011 07:06PM

Computer forensics conferences in the UK

Sun, 03 Jul 2011 11:35AM

I couldn't find a definitive list of conferences, symposiums or seminars relating to computer forensics / cybercrime / IT security in the UK and Ireland anywhere so I scoured the Internet to come up with this list below. I've tried to find the ones that repeat, i.e. are not one offs. Please write a comment with any I've missed!

Read full article

International Conference on Cybercrime, Security and Digital Forensics

Tue, 28 Jun 2011 08:48PM

Yesterday and today I was at the 1st International Conference on Cybercrime, Security and Digital Forensics held at Strathclyde University where I presented a paper I wrote based on my master's thesis on web history visualisations for forensic investigations. You can download the paper and my slides here, or contact the conference organiser for the whole conference book. The presentation went really well; I'm still a bit in shock as to how well actually..! A lecturer from Glasgow Uni was interested in using Webscavator as part of her Usable Security course, and a lecturer from the Australian University of Ballerat was keen to help extend the tool - and said the Australian police had heard of me and were possibly using it! Other people including lecturers from Abertay Uni and Cranfield Uni were also interested in using/helping extend it and both said I should do a PhD. Hmmm, a lot of think about!

Read full article

Internet proxy log analysis preprocessing

Sat, 28 May 2011 01:01PM

Proxy logs need a bit of work done to them before you can start analysing the content. This is of course assuming you don't have a fancy product to do all this work for you ;). First, you need to work out the regular expression that defines a line in the proxy log to parse it into a nicer format such as CSV. A lot of the CSV columns can probably be removed; the most useful columns are URL, date & time, user agent string (to work out what browser the user was using for example) and request status code (to work out if the user was able to access the content or if it was blocked, unavailable etc).

Read full article

Windows 7 Recycle Bin Forensics

Fri, 13 May 2011 12:33PM

When you look at your recycle bin folder, Windows shows you all the files you’ve deleted in a user friendly format – i.e. the name of the file you originally deleted and when it was deleted. The operating system does quite a bit of work for you, as the actual files within your recycle bin are not quite as user friendly. The recycle bin in Windows 7 is located at:

Read full article

Timezones in Python

Sun, 27 Feb 2011 06:56PM

One of the most important parts of digital forensics is working out when things happened. When did a file get last accessed or modified? When did a user access this website? What was happened yesterday at 4.30PM? This would be very easy if the entire world was based in UTC, or at least all operating systems and log files stored time in UTC in the same format. Instead, we have various mixtures of UTC and local time, stored in Windows time format (100 nanosecond intervals since Jan 1st 1601) or Unix epoch format (seconds since Jan 1st 1970), a plain string format or however each programming language decides to encode time. This is especially important when doing forensics for global companies where the investigation can be carried out on several computers spanning different timezones, and the investigator is in a different timezone too. Establishing a common timezone is imperative, so not to get lost with local times and correlating evidence. Even on the same machine this is difficult - the Windows registry is in UTC, but setupapi.log and other important log file are in localtime.

Read full article

Facebook Chat Forensics

Sun, 03 Oct 2010 05:54PM

With 3 comments

Many parts of Facebook such as chat, messaging and posting statuses are written in Javascript/AJAX. This requires a lot of calls to the server to constantly have the most up-to-date information. To speed things up, Facebook stores some of the AJAX data in temporary files on the person's computer. These files can contain valuable forensic data. In particular, Facebook stores some chat messages in individual files. I say some because caching may not be invoked if the person does not move away from the Facebook homepage at all.  However any movement to other Facebook pages should cause the caching.

Read full article

Visualising data: Search Terms

Sat, 21 Aug 2010 08:33PM

I've finally finished the first draft of my thesis, I now have a week and a few days to edit and finish it- which is plenty of time since I'm fairly happy with it as it stands.

Read full article

Visualising data: File Directories

Wed, 04 Aug 2010 10:53AM

Some index.dat files record not only websites visited, but also the files on the computer (and any other devices) which have been opened. This gives an accurate account of what files have been viewed and possibly edited. Using the registry, any files accessed that are not on the C: drive can be linked to a USB stick / DVD / CD etc.

Read full article

Visualising data: Heatmaps

Sat, 31 Jul 2010 07:17PM

I've nearly finished Webscavator, my visualisation application for the forensic analysis of user web history! The next series of blog posts will describe some of the visualisations I've used and how to code them. They are all written in server-side Python and client-side Javascript using jQuery. First on the list are heatmaps. These visualisations show the data using colour. For example low values go blue and higher values go red to visualise a temperature scale. A couple of examples can be found at heatmapapi.com, Google Visualization API and GraphUp. I found the Google Visualization API too limiting to work with for this particular visualisation, and GraphUp is not free or open source, so I made my own, described below.

Read full article

How Internet Explorer stores web history

Tue, 15 Jun 2010 04:52PM

Internet Explorer stores files downloaded from the internet in a cache called Temporary Internet Files (e.g. html pages, images, CSS files). Each cached file is assigned an alphanumeric cache name. Some index.dat files serve to map the cached name with the filename and URL it came from. Other index.dat files store the user’s cookies or web browser history (by default 20 days’ worth). index.dat files are in binary format, and need to be viewed using a hex editor.

Read full article

How Opera stores web history

Mon, 14 Jun 2010 03:12PM

Out of all the popular browsers, Opera leaves behind the least amount of useful information for investigators. Not only is the data stored in plain text format, but it does not record every URL visited, only the latest one. Therefore it is impossible to tell how often someone has visited a particular website. Even when viewing web history from within the browser only the latest entries are shown, giving a false impression of the actual history. For example if someone went to exactly the same websites two days in a row, the first day would have no history associated with it, since each entry would be overridden by the latest visit.

Read full article

How Safari stores web history

Fri, 11 Jun 2010 11:41AM

With 2 comments

Safari has a very simple method of storing browser history compared to those that use SQLite databases.

Read full article

How Google Chrome stores web history

Thu, 10 Jun 2010 03:45PM

With 2 comments

In 2008 Google released most of Chrome’s source code as a project called Chromium under a BSD license. Chromium is essentially the same browser as Chrome, but lacks built-in automatic updates and Google branding [Chromium Developer Website].

Read full article

How Firefox stores web history

Wed, 09 Jun 2010 06:05PM

Firefox version 3 (first released in 2008) employs a different system of storing browser history than its predecessor Firefox 2. Since only 2.75% of Firefox users still use version 2 or smaller, only Firefox version 3 will be explored here and will hence just been known as Firefox.

Read full article


Tue, 08 Jun 2010 05:17PM

So I started my thesis 'officially' yesterday, after being told we all were allowed to proceed to masters following the exam board meeting. No actual results posted up yet, but hopefully I did well!

Read full article

The Future of Encryption?

Tue, 19 Jan 2010 02:30PM

2 weeks ago I mentioned I was writing an essay on the Open Computer Forensics Architecture (OCFA). I gave up trying to get OCFA to work in the end as it was just a total pain. The documentation is awful, and the error messages it spews out are not useful. Steven spent a few hours looking at their source code to figure out why it kept segfaulting, but it wasn't worth it. I chose to do my essay on file encryption and full disk encryption (FDE) and the effect of these on digital forensics. You can read all 5000 words if you are interested.

Read full article

FireFox usage

Mon, 16 Nov 2009 03:56PM

Great little tool on FirefoxForensics to do the same sort of thing as with IE. Firefox stores its cache of URLs etc in sqlite databases, which can be found in this folder:

Read full article

Internet Explorer usage

Mon, 16 Nov 2009 02:47PM

With 3 comments

For one of my labs this week we had to browse a few websites using IE and then using an Internet Explorer analysis tool find out as much info as possible about what we looked at. IE logs all browser activity in index.dat files. The data stored includes the URL, data and time of last modification and access and the user.

Read full article

Image Steganography

Sun, 01 Nov 2009 01:33PM

With 1 comment

Steganography is the art of hiding something in something else in plain sight. Usually images or text are hidden within other images or sound files. For example, in the image below of trees there is an image of a cat hidden inside it. Wikipedia explains that for each component of each RGB value, if you take just the last 2 bits of it and then turn the brightness up 85%, you get a picture of the cat. The whole point is so the image of the trees looks identical to an image of the trees without an image hidden inside to the human eye.

Read full article


Fri, 30 Oct 2009 11:45AM

Most Windows XP users aren't aware of the Thumbs.db file that sits in every folder that contains at least one image, because it is a hidden file that by default is not shown. By going to any folder in explorer and going to Tools > Folder Options > View and choosing 'show hidden files and folders' suddenly Thumbs.db files appear everywhere.

Read full article