Archive for April, 2009

Análisis Forense a conversaciones de Skype.

Si al realizar un análisis forense, nos encontramos con archivos de skype con extensión dbb, seguramente nos preguntaremos ¿y eso cómo se lee?

Afortunadamente, alguien más se lo pregunto y escribió un paper donde explica donde comienza el mensaje, el time stamp (bastante ofuscado) y el mensaje.

El PDF está aqui: http://www.lpcforensic.it/public_html/yabbfiles/Attachments/SkypeLogFileAnalysis.pdf y se puede ver en linea en: http://www.scribd.com/doc/9676016/Skype-Log-File-Analysis

Otra explicación sobre el time stamp: http://www.patrickmin.com/linux/tip.php?name=skype_timestamp

PERO como muchas personas no quieren ponerse a escribir programas para decodificar conversaciones de skype, entonces se puede recurrir a uno ya hecho. Para ver los archivos *.dbb de los chats de skype, solo basta usar el programa Skype Log View. http://www.nirsoft.net/utils/skype_log_view.html

Comments (1)

April 27, 2009 · Filed under Forensics

How to make a Live analysis from a ‘dd’ image

In forensics, there are two diferents scenarios:

  1. Dead analysis
  2. Live analysis

Dead analysis are commons. It uses software like “Encase” or even linux distributions like “Helix” or “Caine”. But in dead analysis, you can’t know what a malware is doing or how a software instaled is working. So, you need to do a Live analysis.

If you have an image adquired through “dd”, you can mount it as a live pc system, in a vmware enviroment.  You need:

  • Vmware Player (free) or Vmware Workstation (pay)
  • Vmware Virtual Disk Development Kit VDMK (free) http://www.vmware.com/download/sdk/virtualdisk.html
  • Live View (free) http://liveview.sourceforge.net/

Then, install vwmare player, VDMK and run Live View.

In Live View, select Image file, Output directory and select Start. After a little work, a vm is launched with ‘dd’ image as first hard disk.

Live View 0.7b

Live View 0.7b

By other side, if you only need mount a “dd” image as a secundary hard disk into a vmware, you should try these options:

  1. Use Pro Discover Basic (free) http://www.techpathways.com/Demo.htm In Tools>Image Convertion Tools>Vmware support for “DD” image
  2. Make  your own vmware disk, filling the information about sectors, heads, cylinders and size, as same as the original disk. This information could be read from a “dd” image, using a hex editor.  Example of vmware disk.
# Disk DescriptorFile
version= 1
CID = fffffffe
parentCID = ffffffff
createType = "monolithicFlat"

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
ddb.geometry.cylinders = "1"
ddb.adapterType = "ide" or "buslogic"

# Extent description
RW 156301488 FLAT "sdc-img.dd"0

Happy Forensics.

Comments (1)

April 17, 2009 · Filed under Forensics