The attacker only has to get it right once. You have to get it right all the time.

Paraben Forensic Tools
www.paraben-forensics.com

Rick Mislan
mislanr@ferris.edu
• Professor, Ferris State University
• College of Business Graduate Programs
  – Information Systems Management
  – Masters of Business Administration
• Undergraduate – Criminal Justice, College of Education
• Prior Experience/Education:
  – Corporate Network Administrator
  – Electronics Warfare Officer, US Army
  – MS - Ferris State University
  – BS - Rochester Institute of Technology
• Current Consulting:
  – PDA & Cell Phone Forensic Analyst
    • Digital Disclosure, San Mateo, CA

Richard Murray
• Assistant United States Attorney
• US Department of Justice
• Western District of Michigan

Paraben's Forensic Products
• Forensic Replicator
• Forensic Sorter
• Network Email Examiner
• Email Examiner
• Decryption Collection
• Text Searcher
• Case Agent Companion
• PDA Seizure
• And more to come…

Forensic Replicator (1 of 2)
• Drive to Drive image option
• Creates bit-stream images of removable media, partitions, or an entire physical hard drive
• Creates images of USB micro drives
• New explore function allows for preview of active FAT files
  – Tree and Detail Views
• Allows for reprocessing of image files from Raw to Split, or adding compression, as a new image file

Forensic Replicator (2 of 2)
• Compresses image files on the fly
• Encrypts data (128 bit) for secure storage of evidence
• Splits images into segments
• Generates self-extracting images
• Formats and copies DMF/1.68 MB floppies
• Creates ISO CD-ROM images and allows immediate browsing of data
• Automates floppy imaging with convenient Batch Assistant mode

Forensic Sorter
• Uses FOCH Technology – Filter Out Common Hashes
• Sorts all logical data by header into categories
• Recovers deleted, slack, and unallocated data
• Identifies encrypted files
• All data output is non-proprietary, so any tool can be used for analysis after sorting

Network Email Examiner (1 of 2)
• Supports Microsoft Exchange information stores 5.0, 5.5, and 2000 (.EDB)
• Supports Lotus Notes information stores 4.0, 5.0, 6.0 (.NSF)
• View one or all individual e-mail accounts in an information store
• View all meta-data within individual messages

Network Email Examiner (2 of 2)
• Complete Bookmarking
• Output to PST file with EDB or Notes
• Output to MSG & EML format
• Supports Deleted--Deleted recovery with Exchange

Email Examiner
• America Online (AOL) 9.0
• Outlook Exchange (PST)
• USENET Groups
• Eudora
• Netscape Messenger
• Pegasus Mail
• Outlook Express
• The Bat!
• Forte Agent
• PocoMail
• Calypso
• FoxMail
• Juno 3.x
• EML message files
• Mozilla Mail
• MSN Mail
• Generic mailboxes (mbox, Berkeley mail format, BSD mail format, Unix mail format)

Decryption Collection (1 of 2)
• MD5 Hash Verification
• Simple, easy-to-use interface
• Drag and drop file to be recovered
• Lists most recent files recovered
• HTML reporting of recovery results
• Password cache for quick recovery of repeat passwords
• English password recovery 90% and higher

Decryption Collection (2 of 2)
Recovers Passwords from:
• Acrobat
• EFS (Enterprise)
• Lotus Notes (Enterprise)
• Microsoft Office - Support for Cryptographic Options
• Microsoft Excel & Pocket Excel
• Microsoft Word
• Microsoft Windows XP/2000/NT
• Microsoft Access
• Microsoft Outlook
• Microsoft Outlook Express
• Microsoft Exchange
• WinZip
• PKZip
• ZIP
• RAR
• VBA Visual Basic Modules
• Schedule+
• Microsoft Internet Explorer
• Quicken
• QuickBooks – 2002 & 2003 (Enterprise)
• Lotus 1-2-3, Organizer, WordPro
• Backup
• Microsoft Project
• MYOB
• Paradox
• ACT!
• Microsoft Mail
• Microsoft Money
• WordPerfect
• Filemaker
• Peachtree Accounting & 2004 (Enterprise)
• Quattro Pro

Text Searcher (1 of 2)
• Supports multiple languages and has the ability to customize languages easily.
• Full searching capabilities for specific file types as well as slack and unallocated space.
• Easy to use interface and report output.
• Searches through unique file types such as PDF, Outlook PST, and more.

Text Searcher (2 of 2)
• Compressed indexes are 30-60% the size of the original data.
• Supports over 200 different file types.
• Supports complex search queries through Boolean expressions.
• Supports list searching for a single query list load.

Case Agent Companion (1 of 2)
• Enhanced reporting options for professional and comprehensive output of examined data
• Built-in viewing capabilities for over 225 file types
• Customized by the examiner so each case can be loaded based on the specifics of that case

Case Agent Companion (2 of 2)
• Note taking and bookmarking capabilities built in for easy reference to examined data
• Case logging feature tracks all parts of the analysis in a detailed log file
• Searching capabilities are independent of, or compatible with, indexes associated with Paraben's Text Searcher

Case Agent Online Suite
• In development:
  – Unites the Case Agent with the Forensic Analyst and the Prosecutor
  – Secure Online View of Evidentiary Data
  – http://localhost/paraben/

PDA Seizure (1 of 3)
• Palm, Windows CE, Pocket PC, Blackberry support
• Supports ActiveSync 3.7
• USB Support on Palm PDA
• PDD technology integration
• Built-in Palm password recovery (<= Palm OS 4.0)
• WinCE registry viewer
• WinCE serial connection support

PDA Seizure (2 of 3)
• Enhanced viewing of file data
• Complete physical and logical acquisition for Palm PDA devices
• Complete acquisition of Windows CE & Pocket PC data
• Built-in searching and bookmarking
• Text and Hex views available on data

PDA Seizure (3 of 3)
• Verification of image integrity
• Internal viewing of data files
• Internal viewing of graphic files (CE)
• Files compatible with (Palm) POSE™
• Works for both Palm and Handspring PDAs
• Works on all types of Windows CE & Pocket PC Devices

PDA Seizure Toolkit (1 of 3)

The PDA Seizure Toolkit (2 of 3)
• 1-Nylon Carrying Case
• 1-Pokey Thingy
• 1-USB Cable IPAQ-1
• 1-USB Cable IPAQ-2
• 1-USB Cable JORNADA-1
• 1-USB Cable CASIO-1
• 1-USB Cable CLIE-1
• 1-USB Cable CLIE-2
• 1-USB Cable TREO-1
• 1-Serial Cable PALM-1
• 1-Serial Cable VISOR-1
• 1-AC & 12 Volt Adapter (For USB Cables)
• 4-AAA Batteries
• 1-CR-2032 Battery
• 2-Stylus
• 1-Adapter Bridge 325YC
• 1-Adapter Bridge 32100
• 1-Adapter Bridge 32U

The PDA Seizure Toolkit (3 of 3)
• Designed to work with the following PDAs:
  – iPAQ Series-3100, 3600, 3700, 3800, 3900
  – Jornada Series-520, 540, 560
  – Cassiopeia Series-E-125, EM500, EG-800
  – Clie Series-All Available
  – Visor Series-All 5 series
  – Palm Series-III, IIIc, HandEra, 330, VII, VIIx, IIIxe, IIIx, IIIe, Palm Pilot, Pilot, V, Vx, m100, m105, m500, m505, m515, m125, m130, i705

Cell Phone Seizure
• Coming Soon…
  – As well as a Cell Phone Seizure Toolkit

Q&A

Hands On!

Rick Mislan
mislanr@ferris.edu
231.591.2168