Showing posts with the label Computer Forensics

Some Basic Options When Dealing with TrueCrypt (aka Finally a Forensics Post)

I’ve recently been working on a presentation I’ll be giving in a few weeks on the topic of memory forensics. I’ve learned a ton while working on it, and the old adage “The best way to understand something is to teach it to others” has proven extremely beneficial to me. One of the topics that required me to do some digging was memory analysis as it relates to TrueCrypt. A few years ago I was asked to examine a system within an extremely short time frame. I looked at the software installed on the system and saw TrueCrypt. I didn’t know a ton back then, but I knew enough to know that there was nothing quick about dealing with TrueCrypt. I’m writing the post that I wish I had had on that day a few years back. If you see TrueCrypt installed on a system and aren’t quite sure what to do with that bit of information, hopefully this quick overview and some of the resources I’ll mention help. I’m not going to cover using artifacts like prefetch files to determine if Tru...

Python Tool for Parsing Data from Rand McNally GPS units

I recently encountered a Rand McNally Intelliroute TND 720 GPS unit, and none of the commercial forensic tools had the ability to acquire data from the device, so I imaged the device and poked around for any interesting data files. I found a file called DestHistory.txt which obviously piqued my interest. I opened the file in Notepad, and while it contained a lot of unusual characters, it also contained multiple recent destinations sandwiched in between those characters. I wrote a small Python script which takes the contents of DestHistory.txt and parses it into both an HTML report and a KML file which can be opened in Google Earth. The tool is called rmparse and can be downloaded here. The project was fairly straightforward. The only hiccup was that DestHistory.txt is in Unicode format, so when my script parsed the file there was a null between every character. I tried a standard `B = A.replace(" ", "")` command but had no luck. I ended up using a `B = A.replace("\x00", "")` command a...