REAPER Preview

Throughout the time I have been developing REAPER, many people in more developed countries have expressed a need for a type of forensic preview ability. Maybe they do not need to take an image of every machine. Fair enough, says I.

Because of this, I have been developing REAPER Preview. It is a live CD based off of Debian Live that automatically generates a preview of the data on the system. Currently I have gallery view of various photo, movie, document, and music formats. The preview is fairly superficial with speed in mind.

Also since REAPER is focused on acquisition the ability to automatically image the local suspect drives is still there.

For this version OCFA has been replaced by the PTK front-end to TSK. It is meant to be a very light collect-and-go with some analysis capability.

As always the goal of REAPER is to be as quick and easy as possible. While Preview is not 100% automatic yet, it is by far the easiest way to preview and image a suspect’s machine to an external hard drive.

I will be singleing everything I have for this version to the svn either tomorrow or this weekend. Feel free to email me if you would like more information.

1 min read

DFRWS 2009 - Montreal

Our group in the Centre for Cybercrime Investigation gave a presentation at the Digital Forensic Workshop 2009. The submitted paper can be found here. Also another paper from Damir Kahvedzic, also from CCI, was accepted. Bam.

Currently it is day 2 of the conference, and just before the “Forensic Rodeo”. I don’t really know what to expect. The presentations and keynotes so far have been quality. They have given me lots of ideas to apply to my own research, so I guess thats the point, eh?

I think some of the concepts that have been talked about can be applied (in some shape or form) to the REAPER project, but overall the focus of the community (represented via DFRWS) seems to be on distributed forensic systems, and more intelligent ways to represent data. Some automation was talked about, but not really as much as I expected. There was also a tool closed source tool that is similar to OCFA, but I cant find the project page right now. More on that later.

~1 min read

OCFA patch level 1 released - new modules!

The ocfa team is proud to announce the first patch-level release of OCFA Version 2.2.0. This patch level was necessary to fix some bugs, including:

- rulelist issues
- 64 BIT size_t issue in OcfaModules
- configuration scripts
- nasty PPQ bug
- better error reporting user interface

Also the first steps forward to use the new mmls treemodules are made. This should open the door to a carvpath enabled version of OCFA.

New modules added:

- Thumbs.db dissector (vinetto)
- index.dat extractor (pasco)
- multipart rar (rar)
- Disk partitions (mmls)

~1 min read

Something’s missing…

The other day I was looking around, and found It is a site dedicated to finding missing and exploited children in the US. They also have a sister site ICMEC that offers the same service for international missing children. I began looking into things like the amber alert system that anyone living in the US is probably very familiar with. Since I am now in Europe I wanted to know what the equivalent service is, and assumed there would be an EU-wide database. As of yet I have only been able to find Interpol’s missing children register. Amber alert apparently has an 80% success rate.

[Update] In 2010 Ireland started talking about working on an Amber Alert system. I assume, though, this was swept under the rug with the economic troubles.

~1 min read

PostgreSql Problems on Debian

In Debian 5 when installing PostgreSQL - if /var/singlegresql/8.3/main is not created, and the conf files are not available - use the following command:

pg_createcluster 8.3 main
/etc/init.d/singlegres-8.3 start

~1 min read