Introduction to Blade® v1.9

We are pleased to announce the release of Blade v1.9.

This release of Blade® brings a number of fixes and some great new features.  This is the first release of Blade® to have evaluation capabilities, which allow the user to test and evaluate our software for 30 days.  When Blade is installed on a workstation for the first time (and a valid USB dongle licence is not inserted), the software will function in evaluation mode.

The following list contains a summary of the new features:

  • Support for Advanced Forensic Format (AFF®)
  • Hiberfil.sys converter – supports XP, Vista, and Windows 7 (32 and 64-bit)
  • Accurate hiberfil.sys memory mapping, not just Xpress block decompression
  • Hiberfil.sys slack recovery
  • Codepage setting for enhanced multi-language support
  • SQLite database recovery
  • 30 day evaluation version of Blade® Professional
  • New recovery profile parameters for more advanced and accurate data recovery
  • Support for Logicube Forensic Dossier®
  • Support for OMA DRM Content Format for Discrete Media Profile (DCF)

We have also been working on the data recovery engines to make them more efficient and much faster than before. The searching speed has been significantly increased.

Introduction to Blade® v1.8

This release of Blade has a number of new features and improvements.  We have added 8 new Data Recovery Profiles to the Global Recovery Database, as well as releasing some new Professional Modules.  We have released a new 3GP/MPEG-4/ISO Base Media Format Intelli-Carve® Recovery Profile for the recovery of MP4/3GP video files.  This is particularly useful for those of you involved in the forensic examination and recovery of data from cell/mobile phone hex dumps or memory cards.

User Interface

We have made some minor updates to the user interface of Blade to make it easier to identify Global, Personal and Intelli-Carve® Recovery Profiles.  As you can see from the screen below, different types of recovery profiles are represented by different icons.

Digital Detective Blade v1.8 Professional

Select Profile Categories

We have added the option to select recovery categories as well as individual recovery profiles.  This option is available from the Tools menu; select the category you wish to recover (e.g. common graphic types) and this will auto-select the profiles from that category.  To clear all of the selected profiles, simply select Clear from the Categories menu or press F5.  We have not added an option to select all profiles as it would not be practical to attempt to recover every supported file type (this would not make sense from a forensic perspective).

Unique Output Session Folders

In previous versions of Blade, if you attempted to extract data into a folder that had already been used, Blade would report that the folder was not empty and not permit the folder to be used; this can be a torment for examiners if they wish to keep all of the extracted data together.  To solve the issue, Blade now creates a session folder for every extraction.  This means that multiple passes across the same data source can be kept neatly together within a single folder.

Cancel / Partial Recovery Option

We have added this feature at the request of a number of our users.  Sometimes it is difficult to get your personal recovery profiles working correctly, particularly if they use complicated regular expressions.  Having to wait until the whole disk or image is processed to find out whether they have worked correctly is extremely time consuming.  We have now added an option to perform a partial recovery when Cancel is pressed during the search phase (pass one).  If data headers have been identified during the search phase, Blade will prompt the user to recover that data.

In addition, we have added an option to automatically open the export folder once the extraction has completed.  This allows you to quickly open the folder and start examining the recovered data.

Recovery Profiles

We have made a number of changes to the Recovery Profiles to add additional functionality.  Figure 2 shows the new Personal Profile screen.

In the File Header section, we have added a new field for the number of bytes to the Start of the File (Bytes to SOF).  This value can be positive or negative and represents where the start of the file is in relation to the File Header Signature.  This takes into account data where there is a recognisable pattern or structure x bytes into the file, but no static header exists.

Add New Recovery Profile

We have added a secondary File Landmark Section for additional data validation.  We have put this to good use for the recovery of Microsoft Office 2007 documents.

And finally, we have added a new field to take into account length adjustments for data types which contain length markers.  In the Data Length section, you can see the Length Marker Adjustment field.  This value can also be positive or negative.  We have put this to good use with AVI files, where there is a UInt32 length marker at offset 0x04.  This marker provides the length of the data following the header but does not take into account the four bytes containing the length marker or the header itself.  This meant that the AVI files recovered were 8 bytes too short.  Now you can add a length marker adjustment to add the missing 8 bytes back on to the file.
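As an added example (it is not Blade's own code), the Python below models the Personal Profile fields described above as a hypothetical Profile class: File Header Signature, Bytes to SOF, a secondary File Landmark, and a UInt32 length marker with a Length Marker Adjustment. It applies them to the RIFF/AVI layout just discussed on a constructed blob, so the effect of the +8 adjustment can be checked against the marker value alone.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Profile:
    """Hypothetical model of the Personal Profile fields described above."""
    name: str
    signature: bytes                # File Header Signature to search for
    bytes_to_sof: int               # Bytes to SOF: signature -> start of file (may be negative)
    landmark: Optional[bytes]       # secondary File Landmark used for validation (or None)
    landmark_offset: int            # landmark position relative to the start of file
    length_marker_offset: int       # offset of the UInt32 little-endian length marker
    length_marker_adjustment: int   # bytes added to the marker value (may be negative)

# RIFF/AVI: "RIFF" <UInt32 size> "AVI " ...  The size excludes the 8-byte RIFF
# header, so the +8 adjustment restores the bytes an unadjusted carve would drop.
AVI_PROFILE = Profile("AVI", b"RIFF", 0, b"AVI ", 8, 4, 8)

@dataclass
class Hit:
    sof: int      # offset of the start of file within the scanned blob
    size: int     # carved size after the length marker adjustment
    data: bytes

def carve(blob: bytes, profile: Profile) -> List[Hit]:
    """Find every signature hit, validate the landmark and size the file from its marker."""
    hits = []
    pos = blob.find(profile.signature)
    while pos != -1:
        sof = pos + profile.bytes_to_sof
        lm = sof + profile.landmark_offset
        marker_at = sof + profile.length_marker_offset
        if sof >= 0 and marker_at + 4 <= len(blob):
            landmark_ok = (profile.landmark is None
                           or blob[lm:lm + len(profile.landmark)] == profile.landmark)
            if landmark_ok:
                size = struct.unpack_from("<I", blob, marker_at)[0] + profile.length_marker_adjustment
                size = min(size, len(blob) - sof)   # truncated at end of source: keep what exists
                if size > 0:
                    hits.append(Hit(sof, size, blob[sof:sof + size]))
        pos = blob.find(profile.signature, pos + 1)
    return hits

def demo() -> List[Hit]:
    """Constructed sample: junk, a WAVE decoy sharing the RIFF signature, then a 112-byte AVI."""
    avi_body = b"AVI " + b"\x00" * 100                       # 104 bytes follow the RIFF header
    avi = b"RIFF" + struct.pack("<I", len(avi_body)) + avi_body
    wave_decoy = b"RIFF" + struct.pack("<I", 4) + b"WAVE"    # fails the "AVI " landmark check
    blob = b"\xff" * 16 + wave_decoy + b"\x00" * 9 + avi + b"\xee" * 7
    return carve(blob, AVI_PROFILE)

if __name__ == "__main__":
    for h in demo():
        print(f"sof={h.sof} size={h.size} (marker alone would give {h.size - 8})")
```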

3GP/MPEG-4/ISO Base Media Format

The ISO base media file format defines a general structure for time-based multimedia files such as video and audio.  It is used as the basis for other media file formats (e.g. the MP4 and 3GP container formats).  The ISO base media file format is specified as ISO/IEC 14496-12 (MPEG-4 Part 12).

Blade now contains an Intelli-Carve® profile which reads and validates the recovered data prior to writing it out.  In addition, Blade also recovers the metadata from each file and can write it out to a CSV log.  This is particularly useful for recovering date/time information from video data where the video has been recovered from unallocated clusters.  To set the metadata extraction options, right click on the recovery profile.

Blade also identifies the type of media file and appends the correct file extension.  The table below contains a list of file extensions which are supported.

3GP/MPEG4/ISO Base Media Format Specification Extensions
3gp, 3g2, dvb, f4v, f4p, f4a, f4b, jp2, jpm, jpx, m4v, m4p, m4a, m4b, mj2, mqv and mov

INFO2 Record Extraction and Deconstruction

We have added a new Professional Recovery Module for the recovery and deconstruction of INFO2 records (Recycle Recovery for Vista/Windows 7 is in final QA and testing and will be released in Blade v1.9).  This recovery module has a number of output options.  The profile recovers INFO2 records relating to deleted files and writes the various fields out to a number of different formats.  The capture below shows the options which are available for this module.

Blade Forensic Data Recovery INFO2 Extraction Properties

The INFO2 extractor is bundled as part of the Link File Recovery module and is available to all Blade Professional users.  This module fully supports Unicode data.

Cryptographic Hashing

We have also added a hashing module which will work with a number of sources including forensic images (note: if you wish to MD5/SHA1 hash the content of an EnCase® e01 image, please use the e01 Conversion Module which has an option to hash the internal data from an EnCase® image and check it against the embedded hash without having to convert the image).

Supported Cryptographic Hashing Algorithms
MD5, SHA1, SHA256, SHA384, SHA512 and RIPEMD160

To select the required hashing algorithms, right click on the module, select module properties and tick the required values.  Select the required source file or image (e.g. segmented image file *.001) and then an export folder which will contain the hashing report.
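As an added example rather than Blade's hashing module, this Python hashes a segmented raw image (image.001, image.002, ...) as one continuous stream with every algorithm from the table above in a single pass; the segment naming, the verify helper and the sample segments are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List

# The algorithms listed in the table above; ripemd160 depends on the OpenSSL build in use.
ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512", "ripemd160")

def ordered_segments(first_segment: str) -> List[str]:
    """Expand image.001 into image.001, image.002, ... stopping at the first missing segment."""
    base, ext = os.path.splitext(first_segment)
    if not re.fullmatch(r"\.\d{3}", ext):
        raise ValueError("expected the first segment of a split image, e.g. image.001")
    n, segments = int(ext[1:]), []
    while os.path.exists(f"{base}.{n:03d}"):
        segments.append(f"{base}.{n:03d}")
        n += 1
    return segments

def hash_segments(paths: Iterable[str], algorithms=ALGORITHMS, chunk=1 << 20) -> Dict[str, str]:
    """Stream every segment, in order, through all selected hashers in one read of the data."""
    hashers = {}
    for name in algorithms:
        try:
            hashers[name] = hashlib.new(name)
        except ValueError:      # algorithm not provided by this build: leave it out of the report
            pass
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                for h in hashers.values():
                    h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(digests: Dict[str, str], expected: Dict[str, str]) -> bool:
    """Compare computed digests with known values (e.g. from an acquisition log), ignoring case."""
    return all(digests.get(algo, "").lower() == value.lower() for algo, value in expected.items())

def demo() -> Dict[str, str]:
    """Constructed 3-segment image whose concatenated content is b'abc'; image.005 lies beyond
    a gap in the numbering and must not be included in the hash."""
    with tempfile.TemporaryDirectory() as d:
        for n, content in ((1, b"a"), (2, b"b"), (3, b"c"), (5, b"zzz")):
            with open(os.path.join(d, f"image.{n:03d}"), "wb") as f:
                f.write(content)
        return hash_segments(ordered_segments(os.path.join(d, "image.001")))
```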

Introduction

A useful feature of Blade® is the ability to exchange Data Recovery Profiles with colleagues and other digital forensic practitioners. The process of exporting and importing profiles is relatively simple.

Global Recovery Profile Database

Blade® has access to two separate data recovery profile databases. The global database cannot be altered by the user and contains profiles created and distributed as part of the software. From time to time, we will update and add to these profiles as a result of research and development. It also allows us to create additional validation routines for specific profiles in the database.

For example, the JPEG image recovery profile in the global database invokes a comprehensive validation routine to assist with accurate recovery.

It is also possible to copy recovery profiles from the global database to your personal database so that they can be modified or exported. To copy a global recovery profile, right click on the profile of interest in the list pane on the left hand side of the global profile database window, or click the Copy Profile button on the main toolbar (as shown below).

Blade Copy Profile

Exporting a Data Recovery Profile

To export a personal recovery profile, first open the Personal Profile Database. This can be done by pressing the keyboard shortcut CTRL + S, or by selecting Personal Profile Database from the Tools menu. Select the recovery profile from the left hand list pane and right click. Selecting Export Profile to File will prompt you for a file name and export location. This will create a Blade® Recovery Profile File (BRPX) which can then be shared and imported into another copy of Blade®.

Blade Export Recovery Profile

Importing a Data Recovery Profile

Once you have obtained a new Recovery Profile, the import process is conducted from within the Personal Profile Database. Simply select Import Profile from the main toolbar (Figure 3). This will prompt you to select the Blade® Recovery Profile File (BRPX). Once the profile has been imported, you can close the personal profile database screen and access the new profile from the main profile list.

Blade Import Recovery Profile

Introduction

The use of electronic mail (email) as a mode of communication for both formal and informal purposes has increased considerably over the past decade. As such, the opportunities for the criminal element of society to make use of this facility have also widened, making it commonplace within a digital forensics examination to review email content. Not so long ago, one email client which increased in popularity (particularly amongst paedophiles) in the United Kingdom was that provided with America Online (AOL).

Email extraction and analysis causes significant problems for digital forensic examiners. Almost all of the forensic software designed for extracting email is tailored for dealing with mail-store files which are intact. This means that they have not been designed to extract email data from the other areas of a suspect hard drive, such as unallocated clusters, cluster slack, page files, hibernation files and other binary source files. They have also not been designed to extract data fragments when the mail-store index has been overwritten.

From an evidential point of view, it is likely that a large quantity of email evidence is not being extracted. In addition, as there is limited documentation available regarding the proprietary binary file structures, there is wide variance in the output from many of the commercial forensic tools currently available.

AOL Email Client

In complete contrast to the wealth of software resources available for Microsoft Outlook Express, there are limited resources available for the file format of the AOL Personal Filing Cabinet (mail-store file) and email client.

There are numerous commercial companies offering a service to convert AOL Personal Filing Cabinet files into other mail-store formats, however, this is not a forensic service. A recent search revealed one company offering to convert a single PFC mail-store file for $200 US.

The AOL Email client stores data from individual email messages in a binary file generally known as the PFC (Personal Filing Cabinet). This file has no extension. In a typical Microsoft Windows XP system, the folder structure and mail-store files are stored within the user profile as shown below. The organize folder holds the mail-store data and has a structure which is in a similar format through various versions of the client. In this example, you can see a single screen name (this is an AOL term for a user) in use.

Figure 1

The data for this version is stored within an organize folder within the “All Users” Windows profile. The organize folder can support and store multiple screen names. The individual files for a screen name are shown below:

Figure 2

With regards to email messages, the main file of interest is the Personal Filing Cabinet (PFC). This is a binary file which contains a number of different AOL objects such as Favourite Places, Away Messages, Stored Email Messages, Newsgroup Postings and Download Manager information.

With AOL version 7.00 and above, the body of the email is compressed using zlib. This causes a problem for the forensic examiner, as traditional keyword searching will not succeed without decompressing the data first.
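To show why a keyword search fails against a compressed body, this added example (not the Blade engine) scans a constructed byte blob for zlib stream headers, inflates only those that decode to a complete stream, and compares a raw search with one over the inflated content. The message text and the decoy header bytes are constructed sample data, not taken from a real PFC file.

```python
import re
import zlib
from typing import Dict, List, Optional, Tuple

# A zlib stream opens with CMF 0x78 (deflate, 32 KiB window) and a FLG byte such that
# (0x78 * 256 + FLG) % 31 == 0; 0x01, 0x5e, 0x9c and 0xda are the values zlib itself emits.
ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")

def inflate_at(blob: bytes, offset: int, limit: int = 1 << 20) -> Optional[bytes]:
    """Inflate the stream at offset; None unless it decodes as a complete, checksummed stream."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(blob[offset:offset + limit])
    except zlib.error:                 # false-positive header bytes or corrupted data
        return None
    return out if d.eof else None      # eof is only set after a valid Adler-32 trailer

def find_compressed_blocks(blob: bytes) -> List[Tuple[int, bytes]]:
    """Every offset in blob at which a complete zlib stream inflates, with its content."""
    found = []
    for m in ZLIB_HEADER.finditer(blob):
        body = inflate_at(blob, m.start())
        if body is not None:
            found.append((m.start(), body))
    return found

def keyword_search(blob: bytes, keyword: bytes) -> Dict[str, object]:
    """Contrast a plain search over the raw bytes with one over the inflated message bodies."""
    inflated = find_compressed_blocks(blob)
    return {
        "raw_match": keyword in blob,
        "compressed_offsets": [off for off, body in inflated if keyword in body],
        "recovered_bodies": [body for _, body in inflated],
    }

def demo() -> Dict[str, object]:
    """Constructed source: junk, a false-positive 0x78 0x9c pair, then a compressed message body."""
    body = b"Subject: meeting\r\n\r\nPlease call me about the shipment tonight."
    blob = b"\x00" * 10 + b"\x78\x9c\xff\xff" + b"A" * 5 + zlib.compress(body) + b"\xee" * 12
    return keyword_search(blob, b"shipment")
```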

Recovery of AOL (Personal Filing Cabinet) Email Messages

Digital Detective’s forensic data recovery software Blade® contains a Professional Recovery module which has been designed to recover AOL email messages from a number of sources.

The Professional Recovery Module is able to recover live and deleted email messages (including attachments), either directly from a forensic image (such as an EnCase® e01 compressed image) or from a physical disk / volume. The output from the software allows the forensic investigator to identify the exact location the data was recovered from.

The carving engine for this Module is the result of numerous years' research and development. It was originally released in the Digital Detective product EMLXtract. When this software was released to law enforcement in 2004, it was the first software product to recover AOL email messages from an image or physical/logical device (as opposed to a single PFC File). When compared against other tools, this software recovered more email messages than any other. It works particularly well against corrupted data when many other tools fail to recover anything at all.

The research and development that went into recovering AOL email messages from a forensic image took a considerable amount of time. AOL email messages contain many different elements such as compressed and non-contiguous data blocks. Embedded attachments can be split and have to be stitched back together. When this module was originally designed, the goal was not to recover live and deleted email messages from a Personal Filing Cabinet, but to be able to recover emails from a disk image. This functionality was originally released to Police Forces all around the world as a tool called EMLXtract.

Through research and development, the recovery engine has been enhanced further and is now part of Blade®. The following video shows the extraction and examination of AOL email messages from a segmented disk image. Figure 3 shows a recovered email message from Blade® Professional.

Figure 3

As Blade® processes the source image, it recovers individual messages and converts them into an HTML representation of the original message. This includes decompressing the zlib content and rebuilding the original attachments. The physical location of the original email is identified by Physical Sector and Sector Offset. The easiest way to use Blade® in a forensic examination is simply to point it at a forensic image of the original device.