Introduction

We are pleased to announce the release of Digital Detective’s Blade® v1.15. This release brings a number of new data recovery profiles and fixes a licensing issue with some USB licence dongles.

New Data Recovery Profiles

We have created and added some new data recovery profiles for the extraction of the following data types:

  • Netscape HTML Bookmark files (used by many browsers to backup and export bookmark entries)
  • Registry Hive Files
  • Text Files (UTF-16)
  • vCalendar Files
  • vCard Files
  • Microsoft Cabinet Files
  • Microsoft Compiled Help Files

Change Log

To see the full change log for this release, please see Change Log v1.15 on our Knowledge Base.

Introduction

We are pleased to announce the release of Digital Detective’s Blade® v1.14. It has been a while since we have released a version of Blade®; this is because we have been working hard on developing Blade® v2.

New Recovery Profiles

In this release of Blade®, we have added 23 new recovery profiles:

  • Microsoft Outlook (ANSI) PST
  • Microsoft Outlook (Unicode) PST
  • HTML 5
  • Adobe Postscript
  • Advanced Systems Format
  • WebP
  • WebM
  • Web Open Font Format
  • Web Open Font Format v2
  • True Type Font
  • Ogg Encapsulation Format
  • OpenType Font
  • Windows Icon
  • Windows Cursor
  • ISO9660 CD/DVD Image
  • 7-Zip File
  • Microsoft Cabinet
  • Shockwave CWS (compressed)
  • Shockwave FWS (non-compressed)
  • F4F Video
  • Scalable Vector Graphic
  • Text File (UTF-8)
  • $Recycle.Bin Recovery

Hiberfil.sys Conversion

We have updated our Hiberfil Converter to support the conversion of hiberfil.sys files from Microsoft Windows 8, 8.1 and 10. We have also improved the handling of files containing Xpress blocks where the Operating System cannot be discerned.

$Recycle Bin Recovery

We have added a new Intelli-Carve® recovery engine for $Recycle.Bin entries. The recovery module allows you to select a number of different output formats:

Digital Detective Blade $Recycle Bin Recovery Properties

OLE2 Compound File Recovery

We have considerably enhanced the OLE2 Compound File recovery and detection routines and added support for the following Compound binary files:

  • Microsoft Outlook MSG files
  • Microsoft Internet Explorer TabRoaming files
  • Microsoft Internet Explorer TabRoamingLocal files
  • Microsoft Internet Explorer Machine Info files

Recovery Profile Configuration

We have now added support for signed length markers and multipliers when creating your own recovery profiles in Blade®. You can now select:

  • Int8 (Little and Big Endian)
  • Int16 (Little and Big Endian)
  • Int32 (Little and Big Endian)
  • Int64 (Little and Big Endian)

This allows negative values to be used in length markers and multipliers, giving greater flexibility when designing data recovery profiles.

We have also increased the maximum length for recovery to 32 GiB.

Digital Detective Blade Profile Length Marker

Change Log

To see the full change log for this version, please see: Change Log for Blade® v1.14.

Introduction

This version of Blade adds Intelli-Carve® support for the recovery of Portable Network Graphics (PNG) image files. It also fixes an issue where Blade® would not run if the licence was purchased over 12 months prior to the release date.

For a full list of the changes made in this version, please see Change Log v1.13.

Portable Network Graphic (PNG)

Portable Network Graphic or PNG as it is more commonly referred to, is a file format for storing bitmapped (raster) images. The format supports lossless data compression and was created as an improved, non-patented replacement for Graphics Interchange Format (GIF). It is the most used lossless image compression format on the Internet.

In Blade® v1.13, we have developed an Intelli-Carve® Data Recovery Engine which understands the PNG file format; the software can verify the integrity of the data structures during the recovery process. It can also identify partial recovery scenarios and can recover those file fragments to a separate folder for examination.

Change Log

To examine the full change log for this version, please see: Change Log v1.13.

Introduction

This version of Blade adds Intelli-Carve® support for the recovery of Zip Archive based files and OLE2 compound based files. It includes a stand-alone version of our DataDumper tool for extracting data sub-sets and an updated Jump List deconstructor.

For a list of the changes made in this version, please see Change Log v1.12.

OLE2 Compound Document Recovery

Microsoft Compound File Binary (CFB) file format is also known as the Object Linking and Embedding (OLE) or Component Object Model (COM) structured storage compound file implementation binary file format. CFB implements a simplified file system through a hierarchical collection of storage objects and stream objects.

A storage object is comparable to a file system directory in that just as a directory can contain other directories and files, a storage object can contain other storage objects and stream objects. A parent storage object can also track the locations and sizes of the child storage object and stream objects nested beneath it. A stream object is comparable to a file in that a stream contains user-defined data stored as a consecutive sequence of bytes. A compound file consists of the root storage object with optional child storage objects and stream objects in a nested hierarchy.

The file format has been used for a number of different file formats such as:

  • Microsoft Word up to 2003
  • Microsoft Powerpoint up to 2003
  • Microsoft Excel up to 2003
  • Windows Thumbnail files
  • Windows Installer files
  • Windows Sticky Notes files
  • Windows Jump Lists
  • Internet Explorer Tab Session and Recovery Store files

Blade® now has the ability to validate Compound Files in memory, as well as identify the file type from the stream data.
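To illustrate the kind of in-memory validation described above, here is an added Python example (not Blade's own code) that checks a Compound File header the way a carver must before trusting it: signature, byte order, major version against sector size, the mini-stream parameters and the header DIFAT, and from those derives the minimum length the file must span. The sample header is constructed inline; no real document is used.

```python
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF       # unused DIFAT slot
MAXREGSECT = 0xFFFFFFFA     # largest regular sector number; above it are markers

def validate_cfb_header(buf):
    """Validate an MS-CFB header at buf[0:512] in memory, as a carver would.

    Returns (True, info) for a structurally consistent header, where info
    includes the minimum length the file must have, or (False, reason).
    """
    if len(buf) < 512:
        return False, "fewer than 512 bytes available"
    if buf[:8] != CFB_SIGNATURE:
        return False, "bad signature"
    (_minor, major, byte_order, sector_shift, mini_shift, reserved,
     num_dir_sectors, num_fat_sectors, first_dir_sector, _txn,
     mini_cutoff, _mfat, _nmfat, _difat, _ndifat) = struct.unpack_from(
        "<HHHHH6sIIIIIIIII", buf, 24)
    if byte_order != 0xFFFE:
        return False, "byte order marker is not 0xFFFE"
    if major not in (3, 4):
        return False, "unknown major version %d" % major
    if sector_shift != (9 if major == 3 else 12):
        return False, "sector shift %d does not match version %d" % (sector_shift, major)
    if mini_shift != 6 or mini_cutoff != 0x1000:
        return False, "mini-stream parameters are not 64 / 4096"
    if reserved != b"\0" * 6:
        return False, "reserved bytes are not zero"
    if major == 3 and num_dir_sectors != 0:
        return False, "v3 header must not count directory sectors"
    if num_fat_sectors == 0 or first_dir_sector > MAXREGSECT:
        return False, "FAT count or directory sector is not a regular sector"
    # The first 109 FAT sector locations live in the header DIFAT: the used
    # slots must be regular sectors and the remaining slots must be FREESECT.
    difat = struct.unpack_from("<109I", buf, 76)
    used = min(num_fat_sectors, 109)
    if any(s > MAXREGSECT for s in difat[:used]) or \
            any(s != FREESECT for s in difat[used:]):
        return False, "DIFAT entries disagree with the FAT sector count"
    sector_size = 1 << sector_shift
    # Sector n starts at file offset (n + 1) * sector_size, so the highest
    # sector the header references gives a lower bound on the carve length.
    highest = max(difat[:used] + (first_dir_sector,))
    return True, {"version": major, "sector_size": sector_size,
                  "fat_sectors": num_fat_sectors,
                  "first_dir_sector": first_dir_sector,
                  "min_length": (highest + 2) * sector_size}

def build_sample_header(major=3, first_dir_sector=1, fat_sectors=(0,)):
    """Constructed header (not taken from any real document) to exercise the checks."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_SIGNATURE
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, major, 0xFFFE,
                     9 if major == 3 else 12, 6)
    struct.pack_into("<IIIIIIIII", hdr, 40, 0, len(fat_sectors), first_dir_sector,
                     0, 0x1000, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)
    struct.pack_into("<109I", hdr, 76,
                     *(list(fat_sectors) + [FREESECT] * (109 - len(fat_sectors))))
    return bytes(hdr)

if __name__ == "__main__":
    good = build_sample_header()
    print(validate_cfb_header(good))
    bad = bytearray(good)
    bad[28], bad[29] = 0xFF, 0xFE          # corrupt the byte-order marker
    print(validate_cfb_header(bytes(bad)))
```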

ZIP Archive Recovery

ZIP is one of the most widely used compressed file formats. It is universally used to aggregate, compress, and encrypt files into a single interoperable container. We have developed a methodology for recovery which has been embedded into an Intelli-Carve® recovery profile. Our software has the ability to read and validate ZIP archives directly from a stream.

In addition to being used as a compression file format, ZIP is also used in a number of proprietary file formats such as those used for the following file types:

  • Microsoft Word from 2007
  • Microsoft Powerpoint from 2007
  • Microsoft Excel from 2007
  • OpenOffice Documents
  • StarOffice Documents
  • Adobe AIR installation packages

Blade® now has the ability to validate ZIP Archive files in memory, as well as identify the file type from the contents.
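As an added example of validating a ZIP archive directly from a stream and identifying the file type from its contents (illustrative Python, not Blade's Intelli-Carve® code): it locates the End Of Central Directory record, cross-checks it against the central directory and every local header, and returns the archive's end offset, which is the length a carver needs. The type heuristics and the in-memory sample archive are this example's own assumptions.

```python
import io
import struct
import zipfile

LOCAL_SIG, CDIR_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def validate_zip_at(buf, start):
    """Validate a ZIP archive whose first local header is at buf[start].

    Returns (end_offset, member_names) when the End Of Central Directory
    record, the central directory and every local header agree, else None.
    """
    if buf[start:start + 4] != LOCAL_SIG:
        return None
    pos = buf.find(EOCD_SIG, start)
    while pos != -1:                       # skip false EOCD signatures inside data
        if pos + 22 > len(buf):
            return None
        disk, cd_disk, n_here, n_total, cd_size, cd_off, cmt_len = \
            struct.unpack_from("<HHHHIIH", buf, pos + 4)
        cd_abs, end = start + cd_off, pos + 22 + cmt_len
        if (disk == 0 and cd_disk == 0 and n_here == n_total
                and cd_abs + cd_size == pos and end <= len(buf)):
            break
        pos = buf.find(EOCD_SIG, pos + 1)
    else:
        return None
    names, p = [], cd_abs
    for _ in range(n_total):               # each entry must point at a real local header
        if buf[p:p + 4] != CDIR_SIG:
            return None
        name_len, extra_len, ecmt_len, _, _, _, local_off = \
            struct.unpack_from("<HHHHHII", buf, p + 28)
        if buf[start + local_off:start + local_off + 4] != LOCAL_SIG:
            return None
        names.append(buf[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
        p += 46 + name_len + extra_len + ecmt_len
    return (end, names) if p == pos else None

def identify_zip_type(names):
    """Guess the file type from member names. The heuristics (OOXML part
    directories, the 'mimetype' member of ODF/AIR packages) are this example's own."""
    if "[Content_Types].xml" in names:
        for prefix, ext in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
            if any(n.startswith(prefix) for n in names):
                return ext
        return "ooxml"
    if "mimetype" in names:
        return "odf"
    return "zip"

def build_sample(members, lead=37, trail=50):
    """Constructed in-memory archive (not real evidence) embedded in junk bytes,
    as a carver would meet it in unallocated space."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return b"\x00" * lead + bio.getvalue() + b"\xAA" * trail

if __name__ == "__main__":
    disk = build_sample([("[Content_Types].xml", b"<Types/>"),
                         ("word/document.xml", b"<w:document/>")])
    result = validate_zip_at(disk, 37)
    print(result and (result[0], identify_zip_type(result[1])))
```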

DataDump

DataDump allows you to dump segments of data from an original source image or physical/logical device. It can be accessed from Blade® by selecting Tools » Dump Data. It can be used for the following:

  • Extract a stream of binary data from a source image or logical device
  • Convert an entire image or a segment of an image to a single flat file
  • Extract binary chunks of data from files, images or physical/logical devices
  • Extract a partition from a source device as a single binary file
  • Hash the output data using MD5, SHA-1, SHA-256 or SHA-512

Digital Detective DataDump


We are pleased to announce the release of Blade® v1.11. This release of Blade® brings some new features and a performance enhancement.

The following is a brief summary of the new features:

  • Upgraded the extraction engine for performance increase
  • Maximum file recovery size increased from 400 MiB to 8 GiB
  • Added 3 new recovery profiles
  • Fixed issue with WAV recovery profile
  • Fixed out of memory exception issue and hanging when recovering extremely large files

We have been working on the data recovery engines to make them more efficient and much faster than before. The recovery speed has been significantly increased.

Blade® is the best, bespoke data recovery solution and easily allows you to create new recovery profiles.

Digital Detective Blade v1.10 Main Form


We are pleased to announce the release of Blade® v1.10. This release of Blade® was unfortunately delayed during the development of NetAnalysis® v2 and HstEx® v4. We have been working hard over the past few months and are pleased to announce the release of Blade® v1.10. This release fixes a number of outstanding issues and adds some new features. We have also made some changes to increase performance and stability.

The following list contains a summary of some of the new features:

  • Upgraded recovery back end database for increased performance and capability
  • Added new SQLite database recovery profile with Intelli-Carve® verification
  • Added new Jump List deconstructor recovery profile with Intelli-Carve® verification
  • Added parallel processing to increase performance
  • Support for Windows 8
  • Support for EnCase® Ex01 format

We have also been working on the data recovery engine to make it more efficient and much faster than before. The searching speed has been significantly increased.

This version has also had an interface refresh as you can see from the screen below:

Digital Detective Blade v1.10 Main Form


Introduction to Blade® v1.9

We are pleased to announce the release of Blade v1.9.

Digital Detective Software - Blade Professional - Forensic Data Recovery

This release of Blade® brings a number of fixes and some great new features. This is the first release of Blade® to have evaluation capabilities which allow the user to test and evaluate our software for 30 days. When Blade is installed on a workstation for the first time (and a valid USB dongle licence is not inserted) the software will function in evaluation mode.

The following list contains a summary of the new features:

  • Support for Advanced Forensic Format (AFF®)
  • Hiberfil.sys converter – supports XP, Vista, Windows 7 32 and 64bit
  • Accurate hiberfil.sys memory mapping, not just Xpress block decompression
  • Hiberfil.sys slack recovery
  • Codepage setting for enhanced multi-language support
  • SQLite database recovery
  • 30 Day evaluation version of Blade® Professional
  • New recovery profile parameters for more advanced and accurate data recovery
  • Support for Logicube Forensic Dossier®
  • Support for OMA DRM Content Format for Discrete Media Profile (DCF)

We have also been working on the data recovery engines to make them more efficient and much faster than before. The searching speed has been significantly increased.

Release Information

For further information, please see the following:

Introduction

We have been asked a few times recently about our new USB dongle licence option. The USB dongle licence is a small hardware device that plugs into a USB port on a host computer to provide licence information to our software.

Software licences stored on USB hardware offer a more flexible licence solution than licence key files. Our current EULA prohibits the use of a single licence key file on multiple workstations (we will be introducing hardware locked licence keys shortly). Each licence can only be installed on one system at any one time. With the USB dongle, you are permitted to install as many copies of our software as required and activate one instance of the software by running it with the USB dongle inserted (multiple instances on a single workstation are permitted). The dongle must be inserted whilst the software is being used.

Advantage of USB Licence Dongle

  • Allows the forensic investigator to use the software on a forensic workstation and a laptop without purchasing additional software licences.
  • As new products become available, additional licences can be added to the dongle.
  • Licences for multiple applications can be stored on one device.
  • Licence updates and changes can be easily made via the licence manager and encrypted update files.
  • The dongle does not function as a USB mass storage device so will not deprive you of drive letters.
  • Hardware dongles make it more difficult for licences to be stolen from the customer (such as with theft by employee).
  • It acts as a human interface device (HID) and is not affected by USB port security.
  • The software may be installed on several computers at the same time even if you only own a single licence.
  • The device contains an advanced microprocessor smart chip which has been certified by EAL4+ and ITSEC.
  • It requires no external device driver installation thus minimising common technical issues arising from device driver installation.

USB Dongle Upgrade Options

We are now offering a USB Dongle licence option for the following versions of our software:

  • NetAnalysis® > v1.52
  • HstEx® > v3.6
  • Blade® Standard / Professional > v1.0

Please note that Blade Standard / Professional can only be purchased with a USB licence dongle. With NetAnalysis, you have the option to purchase with either a licence key file or a USB licence dongle.

If you are an existing customer with a licence key file and wish to purchase a USB dongle upgrade, this can be done via our online store. The price of the upgrade will vary depending on the age of the licence key file. If your licence key file was purchased prior to 1st January 2007, you will need to purchase the USB dongle option with licence maintenance.

If you already own one of our USB dongles and wish to have additional licences added to the device, please contact us via our support portal for further information.

Further Information

Introduction to Blade® v1.8

This release of Blade has a number of new features and improvements. We have added 8 new Data Recovery Profiles to the Global Recovery Database, as well as releasing some new Professional Modules. We have released a new 3GP/MPEG-4/ISO Base Media Format Intelli-Carve® Recovery Profile for the recovery of MP4/3GP video files. This is particularly useful for those of you involved in the forensic examination and recovery of data from cell/mobile phone hex dumps or memory cards.

User Interface

We have made some minor updates to the user interface of Blade to make it easier to identify Global, Personal and Intelli-Carve® Recovery Profiles. As you can see from the screen below, different types of recovery profiles are represented by different icons.

Digital Detective Blade v1.8 Professional

Select Profile Categories

We have added the option to select recovery categories as well as individual recovery profiles. This option is available from the Tools menu; select the category you wish to recover (e.g. common graphic types) and this will auto-select the profiles from that category. To clear all of the selected profiles, simply select Clear from the Categories menu or press F5. We have not added an option to select all profiles as it would not be practical to attempt to recover every supported file type (this would not make sense from a forensic perspective).

Unique Output Session Folders

In previous versions of Blade, if you attempted to extract data into a folder that had already been used, Blade would report that the folder was not empty and not permit the folder to be used; this can be a torment for examiners if they wish to keep all of the extracted data together. To solve the issue, Blade now creates a session folder for every extraction. This means that multiple passes across the same data source can be kept neatly together within a single folder.

Cancel / Partial Recovery Option

We have added this feature at the request of a number of our users. Sometimes it is difficult to get your personal recovery profiles working correctly, particularly if they use complicated regular expressions. Having to wait until the whole disk or image is processed to find out if they have worked correctly is extremely time consuming. We have now added an option to perform a partial recovery on pressing cancel during the search phase (pass one). If data headers have been identified during the search phase, Blade will prompt the user to recover that data.

In addition, we have added an option to automatically open the export folder once the extraction has completed. This allows you to quickly open the folder and start examining the recovered data.

Recovery Profiles

We have made a number of changes to the Recovery Profiles to add additional functionality. Figure 2 shows the new Personal Profile screen.

In the File Header section, we have added a new field for the number of bytes to the Start of the File (Bytes to SOF). This value can be positive or negative and represents where the start of the file is in relation to the File Header Signature. This takes into account data where there is a recognisable pattern or structure x bytes into the file, but no static header exists.

Add_New_Recovery_Profile

We have added a secondary File Landmark Section for additional data validation. We have put this to good use for the recovery of Microsoft Office 2007 documents.

And finally, we have added a new field to take into account length adjustments for data types which contain length markers. In the Data Length section, you can see the Length Marker Adjustment field. This value can also be positive or negative. We have put this to good use with AVI files, where there is a UInt32 length marker at offset 0x04. This marker provides the length of the data following the header but does not take into account the four bytes containing the length marker or the header itself. This meant that the AVI files recovered were 8 bytes too short. Now you can add a length marker adjustment to add the missing 8 bytes back on to the file.
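The following added Python example (not Blade's own code) puts the profile fields discussed on this page together: the signed Int8 to Int64 little/big-endian length markers and multipliers from the v1.14 notes above, and the Bytes to SOF, secondary landmark and Length Marker Adjustment fields from this section, applied to the AVI case just described. The profile dictionary layout and the constructed sample data are this example's own assumptions.

```python
import struct

# struct codes for the marker types a profile can select: Int8..Int64 signed
# or unsigned, read little or big endian
MARKER_TYPES = {"Int8": "b", "UInt8": "B", "Int16": "h", "UInt16": "H",
                "Int32": "i", "UInt32": "I", "Int64": "q", "UInt64": "Q"}

def read_marker(buf, offset, kind, big_endian=False):
    """Read one length marker; signed kinds may legitimately be negative."""
    fmt = (">" if big_endian else "<") + MARKER_TYPES[kind]
    if offset < 0 or offset + struct.calcsize(fmt) > len(buf):
        return None
    return struct.unpack_from(fmt, buf, offset)[0]

def carve(buf, profile):
    """Scan buf for profile['signature'] and return a list of hits.

    Each hit is (sof, length, partial): sof is the start of file derived from
    the signature position plus bytes_to_sof, length is marker * multiplier +
    adjustment, and partial is True when the file runs past the end of buf.
    Hits failing a landmark check or with an implausible length are skipped.
    """
    sig, marker = profile["signature"], profile["length_marker"]
    hits, pos = [], buf.find(sig)
    while pos != -1:
        sof = pos + profile.get("bytes_to_sof", 0)
        ok = sof >= 0
        for off, expected in profile.get("landmarks", ()):   # secondary validation
            ok = ok and sof + off >= 0 and \
                buf[sof + off:sof + off + len(expected)] == expected
        if ok:
            raw = read_marker(buf, sof + marker["offset"], marker["type"],
                              marker.get("big_endian", False))
            if raw is not None:
                length = raw * marker.get("multiplier", 1) + marker.get("adjustment", 0)
                if 0 < length <= profile.get("max_length", 32 << 30):   # 32 GiB cap
                    hits.append((sof, length, sof + length > len(buf)))
        pos = buf.find(sig, pos + 1)
    return hits

# Profile for RIFF AVI as the text describes it: "RIFF" at offset 0, a UInt32
# little-endian size at offset 4 covering everything after the 8-byte RIFF
# header, hence an adjustment of +8; "AVI " at offset 8 is the second landmark.
AVI_PROFILE = {
    "signature": b"RIFF",
    "bytes_to_sof": 0,
    "landmarks": [(8, b"AVI ")],
    "length_marker": {"offset": 4, "type": "UInt32", "big_endian": False,
                      "multiplier": 1, "adjustment": 8},
}

def build_sample_avi(body):
    """Constructed minimal RIFF/AVI container, not a real recording."""
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"AVI " + body

def build_sample_disk():
    """Constructed unallocated-space image: junk, one AVI, then a WAV-like RIFF
    that the landmark check must reject."""
    avi = build_sample_avi(b"LIST" + b"\x00" * 60)
    return b"\xFF" * 100 + avi + b"RIFF\x10\x00\x00\x00WAVE" + b"\x00" * 200

if __name__ == "__main__":
    disk = build_sample_disk()
    print(carve(disk, AVI_PROFILE))        # one complete hit at offset 100
    print(carve(disk[:150], AVI_PROFILE))  # same hit, flagged as partial
```

Setting the adjustment back to 0 on the same profile reproduces the 8-byte-short result the text describes.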

3GP/MPEG-4/ISO Base Media Format

ISO base media file format defines a general structure for time-based multimedia files such as video and audio.  It is used as the basis for other media file formats (e.g. container formats MP4 and 3GP).  ISO base media file format was specified as ISO/IEC 14496-12 (MPEG-4 Part 12).

Blade now contains an Intelli-Carve® profile which reads and validates the recovered data prior to writing it out. In addition, Blade also recovers the metadata from each file and can write it out to a CSV log. This is particularly useful for recovering date/time information from video data where the video has been recovered from unallocated clusters. To set the metadata extraction options, right click on the recovery profile.

Blade also identifies the type of media file and appends the correct file extension.  The table below contains a list of file extensions which are supported.

3GP/MPEG4/ISO Base Media Format Specification Extensions
3gp, 3g2, dvb, f4v, f4p, f4a, f4b, jp2, jpm, jpx, m4v, m4p, m4a, m4b, mj2, mqv and mov
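As an added Python example (not Blade's Intelli-Carve® profile), here is a box walker that validates an ISO base media file before it would be written out, sizes it, flags truncation as a partial recovery, and pulls the major brand and the mvhd creation time that would go into the CSV log. The brand-to-extension table, the accepted top-level box types and the constructed sample file are this example's own assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # mvhd times count from here
# Conservative set of top-level box types accepted while sizing the file.
TOP_LEVEL = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"meta", b"moof",
             b"mfra", b"wide", b"uuid", b"pdin", b"sidx"}
# Major brand to extension table; this example's own, not Blade's.
BRAND_EXT = {b"3gp4": "3gp", b"3gp5": "3gp", b"3g2a": "3g2", b"M4V ": "m4v",
             b"M4A ": "m4a", b"qt  ": "mov", b"jp2 ": "jp2", b"f4v ": "f4v"}

def find_mvhd_created(buf, start, end):
    """Walk the children of moov for mvhd and return its creation time in UTC."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        if size < 8 or pos + size > end:
            return None
        if btype == b"mvhd":                      # FullBox: version byte, 3 flag bytes
            version = buf[pos + 8]
            secs = struct.unpack_from(">Q" if version == 1 else ">I", buf, pos + 12)[0]
            return MAC_EPOCH + timedelta(seconds=secs)
        pos += size
    return None

def parse_isobmff(buf, start=0):
    """Validate an ISO base media file at buf[start:] box by box and collect
    what a carver logs: length, completeness, brand, extension, creation time."""
    info = {"length": 0, "complete": False, "brand": None, "ext": None, "created": None}
    pos = start
    while pos + 8 <= len(buf):
        size, btype = struct.unpack_from(">I4s", buf, pos)
        hdr = 8
        if size == 1 and pos + 16 <= len(buf):        # 64-bit largesize follows
            size, hdr = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                                # box runs to end of data
            size = len(buf) - pos
        if btype not in TOP_LEVEL or size < hdr:
            break                                      # not a box: file ends here
        if pos + size > len(buf):                      # truncated: partial recovery
            info["length"] = len(buf) - start
            return info
        if btype == b"ftyp":
            brand = buf[pos + hdr:pos + hdr + 4]
            info["brand"], info["ext"] = brand.decode("ascii", "replace"), BRAND_EXT.get(brand, "mp4")
        elif btype == b"moov":
            info["created"] = find_mvhd_created(buf, pos + hdr, pos + size)
        pos += size
    info["length"], info["complete"] = pos - start, info["brand"] is not None
    return info

def box(btype, payload):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def build_sample(created_secs):
    """Constructed minimal 3GP-style file (not a real recording): ftyp, moov/mvhd, free, mdat."""
    mvhd = box(b"mvhd", b"\x00" * 4 + struct.pack(">IIII", created_secs, created_secs,
                                                 1000, 5000) + b"\x00" * 80)
    return (box(b"ftyp", b"3gp4" + b"\x00\x00\x02\x00" + b"3gp4isom") + box(b"moov", mvhd)
            + box(b"free", b"") + box(b"mdat", b"\x11" * 40))

if __name__ == "__main__":
    sample = build_sample(3_000_000_000)
    print(parse_isobmff(b"\xCC" * 16 + sample + b"\xCC" * 16, start=16))
    print(parse_isobmff(sample[:170]))     # mdat cut short: reported as partial
```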

INFO2 Record Extraction and Deconstruction

We have added a new Professional Recovery Module for the recovery and deconstruction of INFO2 records (Recycle Recovery for Vista/Windows 7 is in final QA and testing and will be released in Blade v1.9). This recovery module has a number of output options. The profile recovers INFO2 records relating to deleted files and writes the various fields out to a number of different formats. The capture below shows the options which are available for this module.

Blade Forensic Data Recovery INFO2 Extraction Properties

The INFO2 extractor is bundled as part of the Link File Recovery module and is available to all Blade Professional users.  This module fully supports Unicode data.

Cryptographic Hashing

We have also added a hashing module which will work with a number of sources including forensic images (note: if you wish to MD5/SHA1 hash the content of an EnCase® e01 image, please use the e01 Conversion Module which has an option to hash the internal data from an EnCase® image and check it against the embedded hash without having to convert the image).

Supported Cryptographic Hashing Algorithms
MD5, SHA1, SHA256, SHA384, SHA512 and RIPEMD160

To select the required hashing algorithms, right click on the module, select module properties and tick the required values. Select the required source file or image (e.g. segmented image file *.001) and then an export folder which will contain the hashing report.

Further Information

Introduction

Not so long ago, one email client which increased in popularity (particularly amongst paedophiles) in the United Kingdom was that provided with America Online (AOL).

Email extraction and analysis causes significant problems for digital forensic examiners. Almost all of the forensic software designed for extracting email is tailored for dealing with mail-store files which are intact. This means that they have not been designed to extract email data from the other areas of a suspect hard drive such as unallocated clusters, cluster slack, page files, hibernation files and other binary source files. They have also not been designed to extract data fragments when the mail-store index has been overwritten.

From an evidential point of view, it is likely that a large quantity of email evidence is not being extracted. In addition, as there is limited documentation available regarding the proprietary binary file structures, there is wide variance in the output from many of the commercial forensic tools currently available.

Recovery of AOL (Personal Filing Cabinet) Email Messages

Digital Detective’s forensic data recovery software Blade® contains a Data Recovery module (with Intelli-Carve®) which has been designed to recover AOL email messages from a number of sources.

The AOL Professional Recovery Module can recover live and deleted email messages (including attachments) either directly from a forensic image (such as an EnCase® e01 compressed image) or from a physical disk / volume. The output from the software allows the forensic investigator to identify the exact location the data was recovered from.

The carving engine for this Module is the result of numerous years' research and development. It was originally released in the Digital Detective product EMLXtract. When this software was released to law enforcement in 2004, it was the first software product to recover AOL email messages from an image or physical/logical device (as opposed to a single PFC File). When compared against other tools, this software recovered more email messages than any other. It works particularly well against corrupted data, where many other tools fail to recover anything at all.

The research and development that went into recovering AOL email messages from a forensic image took a considerable amount of time. AOL email messages contain many different elements such as compressed and non-contiguous data blocks. Embedded attachments can be split and have to be stitched back together. When this module was originally designed, the goal was not to recover live and deleted email messages from a Personal Filing Cabinet, but to be able to recover emails from a disk image. This functionality was originally released to Police Forces all around the world as a tool called EMLXtract.

Through research and development, the recovery engine has been enhanced further and is now part of Blade®.