Archive for September 2012

VSC Toolset Update: File Recovery

I’ve recently added an important piece of functionality that has been missing from VSC Toolset: the ability to systematically extract files from shadow copies. You can now do this with VSC Toolset either by using the “Copy” command from the main window or by browsing the directory structure of a shadow copy and using the context menu option.

When browsing an individual shadow copy, you can easily verify the location of the files or folders you wish to copy and extract them accordingly.  To extract files in this manner, simply navigate to the folder of interest, highlight the files or folders you wish to extract, and select “Copy” from the right-click context menu.  You will be prompted to select a location to save the data, then a small status window will appear while the data is being extracted (see screenshot below).  The downside to this approach is that you must copy the files of interest from each shadow copy individually.  To alleviate this problem, the option to copy a selected file or folder from multiple shadow copies in a single operation is available from the main window of VSC Toolset.

Copying Files via VSC Browser Context Menu

By using the Copy command from the main VSC Toolset window, you can extract a file or folder from multiple shadow copies in a single batch operation. It’s as simple as selecting the shadow copies from which to extract the file or folder, entering the path (or browsing to it using the Browse button), and clicking the Run Command button. It’s important that the path to the file or folder of interest be the full path on the drive containing the VSCs. For example, if the image containing the shadow copies is mounted as the H: drive, the path to the file/folder to copy should be something like H:\folder\subfolder\file.txt. VSC Toolset will then use the batch files associated with the copy operation to copy the specified file or folder from all selected shadow copies. The extracted files will be stored in the “VSCToolset_Output\ExtractedFiles” folder (the location of which may be changed under Tools –> Options).

Copying Files from VSC Toolset Main Window

All copy operations issued with VSC Toolset simply pass parameters to a robocopy batch file that resides in the VSC Toolset “batch” folder. Robocopy is a powerful copying utility and is a standard feature of Windows Vista and above. For information on Robocopy options, check out this Microsoft article. With VSC Toolset copy operations, the /COPYALL flag is passed for file and folder copies to copy all file information (including time stamps). Additionally, the /E flag is passed during folder copy operations to include empty subdirectories. These options can of course be modified by changing the respective batch files within the “batch” folder used by VSC Toolset. CopyFile.cmd and CopyFolder.cmd are the batch scripts used to issue the robocopy commands for file and folder copying, respectively. The robocopy log, which can also be customized by modifying the batch files, is saved in the “VSCToolset_Output\RobocopyLogs” directory that is created by VSC Toolset upon issuing a copy operation.
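The batch copy described above, reproduced as an added Python example rather than VSC Toolset’s own CopyFile.cmd/CopyFolder.cmd: it maps the full H: path onto each selected shadow copy and builds the robocopy invocation with the /COPYALL and /E flags the text mentions. The shadow copy directory names, the output root, and the use of /LOG: for the per-copy log are assumptions.

```python
import subprocess
from pathlib import PureWindowsPath

# Constructed sample: the image holding the VSCs is mounted as H:, and the
# selected shadow copies are assumed to be already exposed as directories.
VSC_LINKS = {"vsc1": r"C:\vsc1", "vsc2": r"C:\vsc2", "vsc3": r"C:\vsc3"}
OUTPUT_ROOT = r"C:\VSCToolset_Output"  # assumed output location (Tools -> Options)

def to_vsc_path(full_path: str, vsc_root: str) -> PureWindowsPath:
    # Maps e.g. H:\folder\subfolder\file.txt onto one shadow copy root. The input
    # must be a full path on the drive holding the VSCs; drive-less paths are rejected.
    p = PureWindowsPath(full_path)
    if not p.drive or not p.root:
        raise ValueError(f"expected a full path on the VSC drive, got {full_path!r}")
    return PureWindowsPath(vsc_root).joinpath(*p.parts[1:])

def robocopy_cmd(full_path, vsc_name, vsc_root, is_folder, out_root=OUTPUT_ROOT):
    """One robocopy invocation. robocopy copies directory trees, so a single file is
    given as <srcdir> <dstdir> <filename>; /COPYALL keeps all attributes and
    timestamps, /E includes empty subfolders, /LOG: writes the per-copy log."""
    src = to_vsc_path(full_path, vsc_root)
    rel = PureWindowsPath(*PureWindowsPath(full_path).parts[1:])
    dst = PureWindowsPath(out_root, "ExtractedFiles", vsc_name, rel)
    log = PureWindowsPath(out_root, "RobocopyLogs", f"{vsc_name}_{rel.name}.log")
    if is_folder:
        return ["robocopy", str(src), str(dst), "/E", "/COPYALL", f"/LOG:{log}"]
    return ["robocopy", str(src.parent), str(dst.parent), src.name, "/COPYALL", f"/LOG:{log}"]

def copy_from_vscs(full_path, vsc_names, is_folder, run=False):
    """Build (and optionally run) one copy per selected shadow copy, like the main
    window's batch Copy. robocopy exit codes below 8 are informational successes."""
    cmds = [robocopy_cmd(full_path, n, VSC_LINKS[n], is_folder) for n in vsc_names]
    if run:
        for cmd in cmds:
            rc = subprocess.run(cmd).returncode
            if rc >= 8:
                raise RuntimeError(f"robocopy failed ({rc}): {' '.join(cmd)}")
    return cmds
```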

A couple of other improvements have been made as well, including adding multiple threads for processing.  By making VSC Toolset a multi-threaded application, the user interface remains responsive even when running time-consuming operations such as Diff or a large copy operation.  This allows you to immediately start a process such as running Diff against a couple of shadow copies and then running a RegRipper plugin or profile against one or more shadow copies while Diff is still executing in the background.

You can download the latest version of VSC Toolset here.

For tips on setting up and using VSC Toolset, check out this blog post. To get the most out of the program, you’ll need the accompanying tools below. Also, keep in mind that with the exception of RegRipper, all accompanying executable files and scripts should be stored in the same directory as the VSC Toolset executable in order for the program to see them.

Feedback, suggestions, and bug reports are always welcome and appreciated.

FoxTab: Firefox’s Hidden Camera

The FoxTab add-on to Mozilla Firefox presents some interesting artifacts in respect to forensic analysis.  According to FoxTab’s webpage, the add-on “brings innovative 3D functionality to your Firefox.”  Among the features offered by FoxTab are the “Tab Flipper” and “Recently Closed Tabs”, which allow a user to view their currently opened tabs and recently closed tabs in an animated fashion.  While these features may be appealing to some users, they are interesting from a digital forensic standpoint in that the artifacts they leave behind provide a unique insight into a user’s browsing history.  Each screenshot taken by FoxTab is either a JPG or PNG file (depending on the version of FoxTab) that is stored on the disk and in many cases readily available to a forensic examiner.  And unlike the page thumbnails stored by newer versions of Firefox, Foxtab’s thumbnails are undisturbed after clearing the browsing history.

Screenshot stored by FoxTab

Foxtabthumbs Directory
The images displayed using the Tab Flipper feature (depicting the currently opened tabs) are stored in a folder titled “thumbs” within a user’s AppData\Local\Temp\foxtab directory (or Local Settings\Temp\foxtab on XP). For each tab that is opened in Firefox, a screenshot of the webpage depicted in the tab is stored for use in navigating between currently opened tabs using the Foxtab interface. While newer versions of FoxTab appear to delete the screenshots in the foxtab\thumbs folder when Firefox is closed, older versions (1.4.2 and earlier) of FoxTab aren’t quite as efficient in cleaning up their mess. When testing this feature, I observed on several occasions files remaining in the foxtab\thumbs directory after closing Firefox. The remaining files could simply be given a .jpg or .png extension (they are stored without an extension) and viewed using the native Windows photo viewer.

Based on my testing thus far, the $STANDARD_INFORMATION creation date of the files within the foxtab\thumbs folder corresponds with the time at which the webpage depicted in the screenshot was first visited. The $STANDARD_INFORMATION last modified time appears to be a close approximation of the time the webpage was first visited, although it’s a few seconds after the creation date. I haven’t pinned down exactly what the variance can be attributed to, but in all tests, the last modified time of each file was within 40 seconds of the creation time (although some were as close as four seconds apart).

Foxtab\thumbsRCT Directory
The images displayed using the Recently Closed Tabs feature are stored in a folder titled “thumbsRCT” within a user’s AppData\Local\Temp\foxtab folder (or Local Settings\Temp\foxtab on XP). Similar to the foxtab\thumbs folder, this directory stores images of tabs that were opened in Firefox at some point. Within the FoxTab interface, a user may view a graphical depiction of the recently closed tabs. My testing has indicated that only those tabs that were closed since Firefox was last opened are available, despite the fact that screenshots from previous browsing sessions may very well still be stored in the foxtab\thumbsRCT folder.

Recently Closed Tab Feature of FoxTab

As with the foxtab\thumbs folder, newer versions of FoxTab appear to remove screenshots from previous browsing sessions stored in the foxtab\thumbsRCT directory more frequently. When FoxTab is installed and a tab is closed within Firefox, the image file depicting the screenshot appears to be copied from the foxtab\thumbs directory to the foxtab\thumbsRCT folder and renamed using the computed MD5 hash of the URL of the webpage from which the screenshot was taken. I’ve been unable to find a location in which the URL is stored for the purposes of FoxTab, so an examiner may only have the screenshot of the webpage and the MD5 of the URL at their disposal.

Based on my testing thus far, it appears that the $STANDARD_INFORMATION last modified date of each file in the foxtab\thumbsRCT folder corresponds to the approximate time at which the webpage depicted in the screenshot was opened (this is the same last modified time the file had when stored in the foxtab\thumbs directory). The $STANDARD_INFORMATION creation date of each file appears to correspond with the time at which the Firefox tab containing the depicted webpage was closed (and hence the screenshot was added to the “thumbsRCT” folder). If the $STANDARD_INFORMATION timestamps can be trusted in a particular case, the creation and last modified time of files in the foxtab\thumbsRCT folder may provide a time frame in which the webpage depicted in the screenshot was open in the user’s browser.
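The two observations above (thumbsRCT files named by the MD5 of the page URL, and last-modified/creation times bracketing when the tab was open) as an added Python example for an examiner; this is not FoxTab’s code. It assumes the URL is hashed as its exact UTF-8 string, tries a few spellings because that is not documented, sniffs JPG/PNG magic bytes since the files carry no extension, and treats st_ctime as the creation time as Python reports it on Windows; the candidate URLs are constructed samples.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: URLs recovered from elsewhere in the case (for example a
# carved history record) that might account for the MD5-named thumbsRCT files.
CANDIDATE_URLS = ["http://www.example.com/", "https://example.org/login"]

def url_md5(url: str) -> str:
    """MD5 of the URL string; UTF-8 with no normalisation is an assumption."""
    return hashlib.md5(url.encode("utf-8")).hexdigest()

def url_variants(url: str):
    """Spellings to try, since the exact string FoxTab hashes is not documented."""
    yield url
    yield url[:-1] if url.endswith("/") else url + "/"
    yield url.lower()

def match_thumbs(thumb_names, candidate_urls):
    """Map thumbsRCT file names (MD5 hex, no extension) back to candidate URLs."""
    table = {}
    for url in candidate_urls:
        for variant in url_variants(url):
            table.setdefault(url_md5(variant), variant)
    return {n: table[n.lower()] for n in thumb_names if n.lower() in table}

def image_kind(data: bytes):
    """Thumbs carry no extension, so sniff the JPEG/PNG magic bytes."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    return "png" if data[:8] == b"\x89PNG\r\n\x1a\n" else None

def rct_window(created_ts: float, modified_ts: float):
    """Observed: last-modified ~ page opened, created = tab closed. Returns
    (opened, closed) in UTC, or None when created precedes modified."""
    if created_ts < modified_ts:
        return None
    as_utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return as_utc(modified_ts), as_utc(created_ts)

def scan_rct_dir(rct_dir: Path, candidate_urls):
    """Report each file in a thumbsRCT folder; on Windows st_ctime is creation time."""
    files = [p for p in rct_dir.iterdir() if p.is_file()]
    matched = match_thumbs([p.name for p in files], candidate_urls)
    return [{"name": p.name, "url": matched.get(p.name),
             "kind": image_kind(p.read_bytes()[:8]),
             "window": rct_window(p.stat().st_ctime, p.stat().st_mtime)}
            for p in files]
```

A file whose creation time precedes its last-modified time is reported with no window, since that ordering contradicts the copy-then-rename behaviour described above and deserves a closer look.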

Forensic Implications of FoxTab
Although the artifacts left behind by FoxTab do not seem to store the URL of the webpage depicted in each screenshot, an examiner is provided with a visual depiction of the webpage as the user would have viewed it.  This can be very telling in cases involving access to illicit websites where the relevant browsing history of the computer is no longer available.

It seems that clearing the Firefox browsing history does not have an effect on the files saved by FoxTab, as they are stored independently of the browsing history and cache files. Additionally, uninstalling the FoxTab add-on does not seem to remove either the foxtab\thumbs or foxtab\thumbsRCT directory. Further, utilizing Firefox’s InPrivate browsing mode does not seem to have an effect on the functionality of FoxTab. It appears that unless the foxtab directories themselves are deleted, many screenshots from previous browsing sessions, both standard and InPrivate, may remain on disk.

Overall, if FoxTab is functioning correctly, it will save screenshots of currently opened tabs and tabs that were closed since Firefox was last opened. Older versions of FoxTab (1.4.2 and earlier) remove screenshots less frequently (if at all) than newer versions; however, even the most current version (1.4.5) does not seem to remove all screenshots. This means that a visual depiction of many webpages visited by the user may potentially be available in the foxtab directories previously described, regardless of whether a user deleted their browsing history or utilized the InPrivate browsing mode of Firefox. While the absence of the page URL is certainly a drawback, the artifacts left behind by FoxTab may provide insight into a user’s browsing history where it would otherwise be unavailable.