Show and Search for NTFS Owner in EnCase

Windows can be such a weird and wonderful thing, both at the same time. In a digital forensics sense, the artifacts left behind by user activity often give me delight. The same artifacts can just as often leave me scratching my head about why they exist in the first place. One of those features is the owner property in the NTFS file permissions.

User Activity

When a user creates a file, Windows typically records that user account as the named owner of the file in the NTFS permissions. Sometimes it assigns a local group (say, Administrators) instead of a specific user, though I do not know the exact conditions behind that difference. Not the point of this post anyway.

The steps to see the owner of a file vary a bit depending on the version of Windows you are using. The artifact itself is not affected by the version.

In Windows 8, right click on the file and choose properties. At the top, switch from the general tab to the security tab. Then, click the advanced button at the bottom. A new window will show, and the owner is listed near the top.


Showing in EnCase

To see the very same data in EnCase is fairly straightforward. Choose a file in the table pane. Then, in the view (lower) pane, you will see a tab called Permissions. The view will switch and list one of the records as the owner.


Forensic Usefulness

As you might have noticed, the file system in the above image looks a lot like a CMS package on a web server. If you did, great eye! Web servers use a specific account to access and store content on behalf of the anonymous users that make requests. This user account is assigned permissions on the file system to prevent that anonymous user from going where they aren’t allowed.

Some web applications allow those anonymous users to upload files to be used by the web application or even submitted to the company for some purpose. Because the web server user account is used for these interactions, you will find that user account as the owner for any files that were uploaded through the web application.

In the event of a web server compromise, this web server user account is often involved in the early stages of the attacker interacting with the computer. Attackers want to get their own files onto that file system to gain more control. These are called web shells, and they offer nearly identical functionality to the typical remote access tool, only through a website interface.

What if we could get EnCase to display all files that are owned by this web server user account? I am glad you asked!

Filtering in EnCase

EnCase offers conditions and filters to limit the files shown on screen. Simply put, conditions are easier to create (point and click) while filters are harder (type EnScript code). I will show you the steps to create a condition that shows only the files with the prompted value in the owner field. This can be done in EnCase v5 through v8, and the windows will look nearly identical.

First step, find the conditions tab and create a new one. I name mine “find sid as owner”, but you can call it whatever makes sense to you.

Next, we have to create a mini-filter before the condition can function. Go to the filters tab, then double click on the PermissionRoot option on the right. Name it “prm_sid2owner”.

Add a new term. Choose ID in the properties list, choose Find in the operators list, leave the value box empty, and check the ‘prompt for value’ checkbox. Click OK.

Add another new term. Choose Property in the properties list, choose Matches in the operators list, and type ‘owner’ in the value box. Click OK.

Now right click on ‘main’ at the top of the tree and choose Change Logic. Click OK. You should see ‘prm_sid2owner’ listed on the left.


Now, go back to the conditions and add a new term. At the bottom of the property list, you will find the mini-filter we just created.


Now you can apply this to your case. You can supply a full SID value or a partial one. You can also give a list of SID values to search for if you are looking for multiple users.
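The same check is useful outside EnCase, for example when triaging a live web server or a mounted image for files owned by the web server account. The following is an added example written for this post, not code from the post or from EnCase: it applies the same matching rules as the condition above (a full SID, a partial SID, or a list of SIDs, with the ‘find’ operator treated as a substring match) to (path, owner SID) pairs. The `windows_owner_sid` reader uses the pywin32 `win32security` module, which is assumed to be installed; the IIS application pool SID prefix `S-1-5-82-` and the sample entries are constructed for illustration.

```python
"""Scripted version of the 'find SID as owner' check outside EnCase.

Added example, not code from the post: lists files whose NTFS owner SID matches
a full SID, a partial SID, or any one of several SIDs, so the uploads owned by a
web server account can be reviewed on a live host or a mounted image.
"""
import os
from typing import Callable, Iterable, Iterator, List, Tuple


def sid_matches(owner_sid: str, patterns: Iterable[str]) -> bool:
    """Same semantics as EnCase's 'find' operator on the owner ID: a pattern hits
    when it occurs anywhere in the owner SID. A full SID and a prefix such as
    'S-1-5-82-' (the range IIS application pool identities live in) both work.
    Empty or whitespace-only patterns are ignored so they cannot match everything."""
    owner = owner_sid.upper()
    return any(p.strip().upper() in owner for p in patterns if p and p.strip())


def owned_files(entries: Iterable[Tuple[str, str]],
                patterns: Iterable[str]) -> List[Tuple[str, str]]:
    """Filter (path, owner_sid) pairs down to those whose owner matches any pattern."""
    pats = list(patterns)
    return [(path, sid) for path, sid in entries if sid_matches(sid, pats)]


def windows_owner_sid(path: str) -> str:
    """Read the owner SID from the file's security descriptor (Windows + pywin32 only)."""
    import pywintypes  # type: ignore  # assumed installed; not needed for the pure functions
    import win32security  # type: ignore
    try:
        sd = win32security.GetFileSecurity(path, win32security.OWNER_SECURITY_INFORMATION)
        return win32security.ConvertSidToStringSid(sd.GetSecurityDescriptorOwner())
    except pywintypes.error as exc:  # access denied, reparse points and the like
        raise PermissionError(f"{path}: {exc}") from exc


def walk_owners(root: str,
                owner_of: Callable[[str], str] = windows_owner_sid) -> Iterator[Tuple[str, str]]:
    """Yield (path, owner_sid) for every file under root.
    A file whose ACL cannot be read is skipped rather than aborting the whole walk."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sid = owner_of(path)
            except OSError:
                continue
            yield path, sid


def find_files_owned_by(root: str, patterns: Iterable[str],
                        owner_of: Callable[[str], str] = windows_owner_sid) -> List[Tuple[str, str]]:
    """Walk root and keep only files whose owner matches one of the SID patterns."""
    return owned_files(walk_owners(root, owner_of), patterns)


if __name__ == "__main__":
    import sys
    # usage: python find_owner.py <root directory> <SID or partial SID> [more SIDs...]
    for path, sid in find_files_owned_by(sys.argv[1], sys.argv[2:]):
        print(f"{sid}\t{path}")
```

The matching is deliberately a substring test, like the ‘find’ operator in the mini-filter, so a partial SID such as a domain prefix selects every account in that domain; pass the full SID when you want exactly one account.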


Hope this helps! Reach out with any questions or comments.

James Habben

Show Your Timezone in X-Ways

I posted earlier about how to enable EnCase to show the timezone for all of the timestamps that it displays. I wanted to follow that up with a post on how that can be accomplished with X-Ways Forensic (XWF) as well.

Showing Your Timezone

This is a pretty simple one. Don’t do anything. The default setting already displays the timezone offset with times. Well, you have to do one small thing, and that is to expand the column. XWF displays it in a slightly greyed colour, and all you have to do is make the column wider to show it.


Setting Time Zones

I haven’t done extensive testing on this, but it seems that XWF is similar to EnCase in that it takes the timezone setting of the machine you are running on and uses it inside the case.

To change that setting, use the ‘Options’ menu and select ‘General Options’. In there, you will find a button at the bottom of the window for ‘Display Time zone…’. Click that.


Once you have that window open, choose your timezone and click OK and OK.


Edit: Jarle gave me a couple more ways to change the timezone.

You can set the timezone with a right click at the top of the case tree in the Case Data window on the left of the screen. Choose the ‘Properties…’ option.


On that window, you have two options. Set the timezone for the entire case (orange arrow), or unlock the option (pink arrow) to set the timezone for each evidence file or even for each partition of each evidence file.


If you check the box, then you do another right click > Properties on each item you need to change the setting for, and you will get this window.


Thanks for reading!

James Habben

Show Your Timezone in EnCase

A question came up on my team about how to adjust time zones on evidence in EnCase. I figured I would put together a short post in case it might help others.

Setting Time Zones

When you start a case in EnCase, it grabs the timezone currently in use by the workstation you are running it on. All of the evidence you bring into that case is assigned that same timezone.

You can apply a timezone change at a couple of levels: first, directly to a single evidence file; second, to multiple evidence files at once. In EnCase v6, you open a case directly into what’s called the ‘entries’ view. Entries is the generic name for any object inside an evidence file, such as files, folders, alternate data streams, NTFS meta files and partitions, even including the evidence file itself. Starting in EnCase v7 (and carried into v8), you are dropped into the ‘evidence’ view and must interact with that list in order to enter the ‘entries’ view. Whatever version you are using, go into the entries view.

To set the timezone, decide whether you want an evidence-specific or a global change. Then right click on the evidence name or on the ‘entries’ item at the top of the tree. Towards the bottom, find the ‘Device’ sub-menu, then choose the ‘Modify time zone settings…’ option.


A small window will pop up to show the list of time zones that EnCase has available. If you are examining a computer that isn’t properly patched with the current Daylight Saving Time setting, you can force that.


Click OK, and the times showing in EnCase will all be adjusted without having to do anything further.

Showing Your Timezone

I encourage everyone reading this to update this setting. Digital forensics requires us to be very accurate and specific. This setting tells EnCase to attach the timezone to every date that is displayed. It has saved me from reporting an incorrect time more than once. After changing this setting, your dates will look like these. I typically keep the columns narrower, and here I have only expanded the ‘Last Accessed’ field to show the full value.


To make this change, find the ‘Tools’ menu in the bar at the top and choose ‘Options’. Then click on the ‘Date’ tab. Check the box at the top of that tab page.


Thanks for reading!

James Habben

Living with a Credit Freeze

Brian Krebs published an article, “How I Learned to Stop Worrying and Embrace the Security Freeze”, in 2015. I decided to embark on that journey as well, although my laziness delayed the start of that journey longer than it should have. I have had freezes in place for quite a few years now, and I wanted to share my experiences with each of the major bureaus.


First, I want to say that it is very surprising, even to this day, to see the staggering number of companies (that deal with pulling credit reports or scores) that have never heard of a credit freeze. There are so many places that want to run your credit, from something as simple as getting electricity turned on all the way to getting a home mortgage. I feel like I have been more of an educator to that industry than anyone else!

Some have heard of a freeze and are very curious to ask questions about it. It feels almost like being a celebrity, with questions like “what’s it like to have a freeze?” (no joke). Others have heard of it and straight up dismiss me, because they claim to have no way to handle the freeze other than me unfreezing and then refreezing when they are done. Many of them think it is so simple and free (it’s not), so they just expect you to take that on. One company straight up refused to work with me at all until there was no freeze on my credit.


The current situation has no standards for how these credit freezes should work. There are various state laws that define how much the bureaus can charge to place a freeze, but there is nothing in those laws to define the process. Each of the three major bureaus does things slightly differently.

In general, you visit the web portal for each bureau and supply enough personal information to identify yourself. Stuff that really wouldn’t be hard to assemble about a target victim for those inclined to that side of morals, but that’s another rambling for another day. After validating that you know enough about yourself, you pay some amount of money to place the freeze. After that clears, you get a PIN code. Equifax gave me a 10-digit PIN, Experian gave me a 10-digit PIN, and TransUnion gave me a 6-digit PIN. These numbers have different uses depending on the bureau.

In general, I haven’t had problems with the companies that know which bureau they use to pull credit history. They are willing to discuss and work with me when I explain that I have a freeze and the reason for it. Sometimes they have to pass you off to a different person who is responsible for performing the task.


I want to start with Experian because it is the one I have held a freeze with for the longest, and it seems to be the most popular credit bureau with the companies I have interfaced with.

For those companies that were willing to work with me, Experian has been the absolute smoothest of all three bureaus. I store the 10-digit PIN in my KeePass database, and I can give this number to the company looking to pull information about my credit history. Simple as that. Later, I can go onto the Experian web portal to change that PIN. The process is similar to when you first place the freeze, in that you supply enough personal information to identify yourself.

I had to unfreeze with Experian one time when a company absolutely refused to accept a PIN to process the transaction. It cost me something like $20 to schedule an unfreeze followed by a refreeze after so many days.


I list Equifax next because it has been the next easiest to work with in pulling credit history. The PIN you get from them is only for use when interacting with the web portal, so supplying this PIN to a company seeking your credit info will come back with a refusal based on it being a wrong number. In fact, the PIN you receive as part of the freeze process is 10 digits, and the creditor company is prompted for only 4 digits – an obvious mismatch.

The code required by those companies has to be generated each time, but the best part is that Equifax doesn’t charge for creating these codes. The downside is that you need to log in to their web portal to generate them, so you have to be more prepared. You can create a global temporary lift for a time period or a temporary lift for a single company. When doing a temporary lift for a single company, the portal asks you for the name of the company seeking your credit, but funny enough they only allow you to type 9 characters in that box. It seems that the name is more of a note for reference later than part of the validation. The other thing it asks you for is that 10-digit code you received when placing the freeze. At the end of that process, you get a link to open a PDF file that contains a 4-digit single-use code. Give that to the company running your credit and it will go through, even immediately, within minutes of generating that code.


I put TransUnion last because I wasn’t able to figure out a way to have a temporary lift without having to pay some amount of money. I have had to log in to the web portal to place a temporary lift. They charged me $10, and it didn’t matter whether it was a global lift or a specific company lift.


I have lived with these credit freezes for many years, and it has allowed me to have a little more peace in light of the world I live in. It sets a much higher wall in front of my metadata, and I can deal with the occasional hassle that I described above.


I hope this helps you. I encourage you to look at getting a credit freeze to protect yourself.


James Habben


Reputations and PCI Data Breaches

The natural human reaction to reading a company’s announcement about a Payment Card Industry (PCI) data breach is to declare a boycott against that company. How dare they be so nonchalant and careless with handling our information? This reaction appears to be common when you read news articles about this very topic.

“87 percent would not (or were not very likely to) do business with a company that had faced a data breach”

The public fears a data breach because the majority of people out there have no idea what that actually means. I am sure all of you in this ‘cyber’ community get these questions constantly from friends and family about how these things can happen. I certainly do.

I am going to put myself out there though and make a fairly bold statement:

A PCI data breach is good for a company

The Priorities

I provide advisory and investigative consulting to companies from Fortune 1 to Fortune 5839827495, and there is a theme that I see from the top to the bottom. The companies that have experienced data breaches have stronger information security (InfoSec) programs as a result.

Almost every company I engage with asks me “How does my security team compare to other companies in my industry?”, and this is the biggest problem. The business side of these companies is all about keeping up with or getting ahead of competitors in their field. If everyone across your industry jumped off a bridge, would you jump too?

The priorities of an InfoSec program should not be driven by others. They need to be driven by internal needs and deficiencies. There are tons of ways to push this forward; however, that isn’t the point of this post. The business side has a hard time allocating money to these priorities because most InfoSec program leads aren’t able to speak the right language.

The Breach

Enter the PCI data breach. This demands immediate attention that cannot be ignored by the business. It also spins up a lot of resources with enormous costs.

Some costs not always seen by an outsider to the breach investigation:

  • outside legal counsel / breach coach
  • public relations firm
  • PCI mandated investigation firm known as PCI Forensic Investigation or PFI
  • another firm hired under legal privilege
  • travel and accommodations for employees and contractors
  • software and hardware to support investigation
  • extra online storage costs to preserve data on-prem and cloud
  • extra instances of computers to offset loads
  • premiums for expedited services with vendors

These all typically happen before any public notification of the breach is made.

The Announcement

By the time you read about a PCI data breach in the news, an army of people has been working on that breach. The InfoSec-focused expertise involved can easily be a 10x or 20x multiple of the team that is normally employed for this role in calmer times.

The public thinks:
“Oh no, I am never shopping there again. I don’t want my data stolen.”

In reality, this is the safest that network has ever been. There are tons of people looking over every possible problem. The affected company is getting a massive overload of recommendations on how to improve. It will also be under heightened scrutiny by the public and any regulatory bodies they are involved with, namely PCI for one.

The Response

We have worked with customers on post-breach projects that took a 5-year timeline down to as little as 6 months. Money comes raining down from the top. Many times, the PCI breach uncovers less than ideal practices in other aspects of the infrastructure as well.

Some go on to really make a huge difference:

Of the causes for breaches that I have seen, almost none were ultimately a surprise. It is usually a weakness in some area that an existing project was already meant to address. The InfoSec teams working for these companies do well at identifying the improvements that are needed. It has never been due to laziness or lack of knowledge.

Breaches are Good

Companies are collecting more and more data about us. I prefer seeing breaches of PCI data over even more personal data or intellectual property. Although it is a costly incident, the damage done can be fixed relatively well.


Let me know what you think of breaches.

James Habben

Evolve Version 1.6


New features in #EvolveTool!


The new part of this feature is the HTML page that outlines all the various URLs that can be used to interact with Evolve. They have mostly been there in the background already, although a couple of the URLs are new. These URLs give Evolve the ability to work in a sort of headless mode. You can use any scripting language that can GET or POST. The return data is in JSON format.


Plugin Search

The plugin list for Volatility commands keeps growing thanks to the great support from the core dev team and all the gracious developers in the community. I’m sure the annual contest giving away money had no part in it either. Anyway, I figured it would be helpful to have the ability to run a quick search over the plugin list where you can type part of what you are looking for. It doesn’t support any fancy matching, and just puts wildcards before and after whatever you type. It searches as you type, and you can use [ESC] or click the X on the right to quickly clear the box.

Try typing ‘dump’ and you will get a list of those plugins that Evolve doesn’t yet support:


Teaser: Volatility Command Line Options

Speaking of Volatility plugins that aren’t supported in Evolve, I was able to dig into the Volatility core and determine where those options are stored in its object-oriented (OO) data structures. You will see a couple of new URLs listed in the API doc that take advantage of this newfound knowledge.

The first is a list of all the default options that Volatility has. You can see those by running ‘ -h’ in the shell, or accessing the API here:


The second builds on the above URL to get the more specific options that any of the plugins are allowed to add to the list during processing. You can display the full collection of options, with the plugin specifics listed at the bottom, with ‘ dumpregistry -h’, or you can get only the specific options that each plugin adds by accessing this API:


Some Background

I originally took on the project of making Evolve to learn Python. I wanted to build something that required research and learning, and something that would make me stretch. I could have written this project in any language and just made calls to to get things running. I’ve seen many of these projects pop up over the years, and they work great. I decided to fully integrate with Volatility to better learn Python and to have more power and control over how I hand off processing jobs. That decision has caused some headaches, so I try to share the solutions when I can.

The challenge here is that Volatility uses a library for parsing command line options that is built into Python (optparse). This setup works great for the scenario Volatility is typically run in, at a command prompt, where the user has to supply all those parameter names and values up front. It doesn’t make it so easy to fetch a list of the various options any of the plugins might want to take advantage of, because those options aren’t exposed as objects you can simply query.

The plugins written for Volatility interface with optparse to add recognition for their short and long parameter designations. The optparse object is a member of Volatility’s ConfObject class, but not really integrated with it.

Getting to the list of default options is pretty straightforward. You have to build a ConfObject anyway when integrating with Volatility, and the default options all come along as it is built.

To get the options that any of the plugins add on top of the defaults, you have to use the ConfObject again, but this time as a parameter when instantiating the plugin of choice. The result is a full list of all the options that are now available, including the default options found earlier. You have to do the work of differentiating the newly added ones from the defaults. To prepare for doing this, I created a second ConfObject and pulled the new list in.

The next challenge is that the structure of the options held in the optparse object isn’t really straightforward. The items are not provided as a list, so you can’t do much with them as they sit. Fortunately they are iterable, so Python can treat them as a collection in a for loop. You can see the debug view getting to one of these options here:


I chose not to deal with all of those properties, since I don’t think the Volatility plugins have much ability to manipulate them, but I will be doing some further testing on this. If more properties are needed in Evolve, they are fairly simple to add to the JSON return at this point.

After grabbing the handful of properties into a dictionary, I stuff that dictionary into a tuple. You can read more about the differences between the two elsewhere, since I won’t go into that here. The tuple made it easier to work with, and I don’t have any need to change that object.

With a tuple of options from each of the two ConfObjects, I could now determine which of those options were added by the given plugin. Then I had to repeat that process for every plugin available in Volatility, and I am very thankful for loops and automation.
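The diff-two-parsers approach described above, as an added example that is not Evolve’s or Volatility’s code: plain `optparse` parsers stand in for Volatility’s ConfObject, `DumpRegistry`, `PsList` and `NoOptions` are constructed stand-in plugins with a `register_options` hook (Volatility’s real registration API differs), and the default options are constructed too. The example builds one parser with only the defaults and a second one after the plugin has registered, iterates over both option collections, flattens each option into a dictionary, and keeps the plugin’s extras as a tuple, which is what a JSON API endpoint would return.

```python
"""Work out which command line options each plugin adds on top of the defaults.

Added example, not Evolve's or Volatility's code: plain optparse parsers stand in
for Volatility's ConfObject, and the plugins and default options are constructed.
"""
import optparse
from typing import Dict, Tuple


def build_default_parser() -> optparse.OptionParser:
    """The global options every run gets (constructed stand-ins for the real defaults)."""
    parser = optparse.OptionParser()  # -h/--help is added automatically and counts as a default
    parser.add_option("-f", "--filename", dest="filename", help="memory image to analyse")
    parser.add_option("--profile", dest="profile", default="WinXPSP2x86", help="guest OS profile")
    parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False,
                      help="verbose output")
    return parser


class DumpRegistry:
    """Stand-in plugin that registers two options of its own."""
    name = "dumpregistry"

    @staticmethod
    def register_options(parser: optparse.OptionParser) -> None:
        parser.add_option("-o", "--offset", dest="offset", type="int", help="hive offset (virtual)")
        parser.add_option("-D", "--dump-dir", dest="dump_dir", help="directory to write hives to")


class PsList:
    """Stand-in plugin with a single boolean option."""
    name = "pslist"

    @staticmethod
    def register_options(parser: optparse.OptionParser) -> None:
        parser.add_option("-P", "--physical-offset", dest="physical", action="store_true",
                          default=False, help="show physical offsets")


class NoOptions:
    """Stand-in for a plugin that adds nothing: its diff must come back empty."""
    name = "nooptions"

    @staticmethod
    def register_options(parser: optparse.OptionParser) -> None:
        pass


PLUGINS = (DumpRegistry, PsList, NoOptions)


def option_record(opt: optparse.Option, parser: optparse.OptionParser) -> Dict[str, object]:
    """Flatten an optparse.Option into a JSON-friendly dict with just the attributes a UI needs."""
    return {
        "short": opt._short_opts[0] if opt._short_opts else None,
        "long": opt._long_opts[0] if opt._long_opts else None,
        "dest": opt.dest,
        "type": opt.type,
        "default": parser.defaults.get(opt.dest) if opt.dest else None,
        "help": opt.help,
    }


def plugin_options(plugin) -> Tuple[Dict[str, object], ...]:
    """Options `plugin` registers beyond the defaults, as a tuple of dicts.

    A fresh parser is built per plugin: option names from different plugins can collide,
    and optparse raises OptionConflictError if both are registered on the same parser."""
    base = build_default_parser()
    defaults = {o.get_opt_string() for o in base.option_list}
    parser = build_default_parser()
    plugin.register_options(parser)
    # option_list is iterable; keying on get_opt_string() (long name, else short)
    # sidesteps dest=None, which is what --help has.
    return tuple(option_record(o, parser) for o in parser.option_list
                 if o.get_opt_string() not in defaults)


def all_plugin_options(plugins=PLUGINS) -> Dict[str, Tuple[Dict[str, object], ...]]:
    """What the per-plugin API URL would return: plugin name -> its extra options."""
    return {p.name: plugin_options(p) for p in plugins}


if __name__ == "__main__":
    import json
    print(json.dumps(all_plugin_options(), indent=2))
```

Keying the diff on the option string rather than on `dest` matters because the automatic `--help` option has no destination, and building a fresh parser per plugin is what keeps one plugin’s `-o` from colliding with another’s.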

Check it out on GitHub.

I hope you find these new features helpful, and the upcoming features exciting. Please reach out if you have any questions or feature suggestions for Evolve.

James Habben

Malicious USB Devices

I put together some slides over a year ago after working several cases involving suspicious USB devices. The slides cover some studies that dropped USB devices on the ground, and a couple of scenarios from the Verizon Data Breach Digest (shameless promo). There is a lot of significance in these links, and presenting these slides has shown me that this threat is very widely underappreciated.

We in InfoSec, and even more specifically as DFIR specialists, are not immune to an attack conducted through a USB device. Some of us hold the more traditional stance that the forensic workstation stays disconnected from any network, but this is an increasingly difficult stance to hold in recent years. The source evidence drives are getting larger and larger, and this is forcing examiners to take advantage of network storage solutions. We are also seeing many tools with an increasing reliance on the network for collection and analysis through integrations with other products.

I worked with some others on my team to develop a forensic methodology that has proven tried and true. It gives us the best chance of preserving any data that may exist on the USB device and protects our forensic infrastructure from any potential attack. I am putting this methodology in this blog post in an effort to get it out to a wider audience than the folks who have sat through one of my talks. You can see a video from BSidesSLC if you would like, or feel free to contact me and I would be very happy to head out somewhere to give the talk live.

The High Level Methodology

  • Collect image
  • Collect volatile data
  • Analyze file contents
  • Analyze volatile data
  • Collect firmware

The Methodology Steps

  1. Collect Image
    1. Physical machine
    2. Linux forensic boot CD
    3. Hardware USB write-blocker
    4. dd, dcfldd, linen, etc
  2. Collect Volatile Data
    1. Physical machine
    2. Windows OS – Small HDD, forensic wipe (0x00)
    3. Software USB write-blocker
    4. Collect before images: HDD & RAM
    5. Prep volatile collection tools & scripts
    6. Start PowerShell diff-pnp-devices.ps1*
    7. Insert USB, wait for a minute
    8. Finish diff-pnp-devices.ps1
    9. Finish volatile tools & scripts
    10. Collect image: HDD & RAM
  3. Analyze File Contents
    1. Automated AV scans
    2. IOC Searches
    3. File format specific tools
  4. Analyze Volatile Data
    1. Compare disk images
    2. Compare RAM images
    3. Review new devices from diff-pnp-devices.ps1
    4. Look for evil
  5. Collect Firmware
    1. Only needed if device has additional device
    2. Identify controller chip – ChipEasy
    3. Acquire correct tool to dump firmware
    4. Reverse engineer firmware

The PowerShell Tool

The script mentioned in this methodology is in my GitHub. It does a very simple thing:

  1. Get a list of PnP devices
  2. Wait for user to continue after inserting USB
  3. Get another list of PnP devices
  4. Compare the two lists and print the differences
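The comparison step of that script (step 4), as an added example that is not the diff-pnp-devices.ps1 script from the post: Python over constructed records shaped like the `InstanceId`, `Class`, `FriendlyName` and `Status` properties of `Get-PnpDevice` output, so a pair of snapshots exported from the collection machine can be diffed offline. Beyond a plain set difference it also reports devices whose status changed, because Windows keeps entries for devices it has seen before and a re-inserted device appears as a status change (Unknown to OK) rather than as a new instance. The device records, instance IDs and vendor/product IDs below are constructed for illustration.

```python
"""Diff two Plug and Play device snapshots taken before and after a USB device is inserted.

Added example, not the diff-pnp-devices.ps1 script from the post. Records mirror the
InstanceId / Class / FriendlyName / Status properties of Get-PnpDevice output; all
sample values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PnpDevice:
    instance_id: str    # unique, stable key for one device instance
    device_class: str   # USB, DiskDrive, HIDClass, Net, ...
    friendly_name: str
    status: str         # "OK" = present; "Unknown" = known to Windows but not currently present


def index_by_id(devices: Iterable[PnpDevice]) -> Dict[str, PnpDevice]:
    return {d.instance_id: d for d in devices}


def diff_snapshots(before: Iterable[PnpDevice], after: Iterable[PnpDevice]):
    """Return (added, removed, changed).

    added/removed: instance IDs present in only one snapshot.
    changed: same instance ID in both, but Status differs. A stick that was plugged into
    this machine before comes back as Unknown -> OK, which an ID-only diff would miss."""
    b, a = index_by_id(before), index_by_id(after)
    added = sorted((a[i] for i in a.keys() - b.keys()), key=lambda d: d.instance_id)
    removed = sorted((b[i] for i in b.keys() - a.keys()), key=lambda d: d.instance_id)
    changed = sorted(((b[i], a[i]) for i in a.keys() & b.keys() if b[i].status != a[i].status),
                     key=lambda pair: pair[0].instance_id)
    return added, removed, changed


def classes_present(devices: Iterable[PnpDevice]) -> List[str]:
    """Distinct device classes in a set of records. One physical stick that enumerates storage
    plus a HIDClass keyboard or a Net adapter is the kind of thing 'look for evil' is about."""
    return sorted({d.device_class for d in devices})


def summarize(before: Iterable[PnpDevice], after: Iterable[PnpDevice]) -> List[str]:
    """Human-readable lines for the analyst's notes."""
    added, removed, changed = diff_snapshots(before, after)
    lines = [f"{len(added)} new device(s), classes: {', '.join(classes_present(added)) or 'none'}"]
    lines += [f"  + [{d.device_class}] {d.friendly_name}  {d.instance_id}" for d in added]
    lines += [f"  - [{d.device_class}] {d.friendly_name}  {d.instance_id}" for d in removed]
    lines += [f"  ~ [{old.device_class}] {old.friendly_name}  {old.status} -> {new.status}"
              for old, new in changed]
    return lines


# Constructed snapshots: a hub and the examiner's keyboard, plus a stick seen on an earlier run.
BEFORE = [
    PnpDevice("USB\\ROOT_HUB30\\4&1A2B3C4D&0&0", "USB", "USB Root Hub (USB 3.0)", "OK"),
    PnpDevice("HID\\VID_0000&PID_0001\\7&AAAA&0&0000", "HIDClass", "HID Keyboard Device", "OK"),
    PnpDevice("USB\\VID_0000&PID_0002\\OLDSTICK01", "USB", "USB Mass Storage Device", "Unknown"),
]
# After insertion: the old stick is present again, its disk enumerates, and so does a second keyboard.
AFTER = BEFORE[:2] + [
    PnpDevice("USB\\VID_0000&PID_0002\\OLDSTICK01", "USB", "USB Mass Storage Device", "OK"),
    PnpDevice("USBSTOR\\DISK&VEN_TEST&PROD_STICK\\OLDSTICK01&0", "DiskDrive", "TEST STICK USB Device", "OK"),
    PnpDevice("HID\\VID_0000&PID_0002&MI_01\\8&BBBB&0&0000", "HIDClass", "HID Keyboard Device", "OK"),
]

if __name__ == "__main__":
    print("\n".join(summarize(BEFORE, AFTER)))
```

On a real collection, take the first snapshot with all devices (not only present ones) so that previously seen instances are in the baseline; otherwise a re-inserted device shows up as “new” and the status-change signal is lost.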


These USB devices can do a lot of damage, and I continue to see a lot of very surprised faces during my talks. It is a real threat (Stuxnet!) and it needs to be accounted for in your incident response.

Here are the slides with a bit more information, and please reach out if you have questions.

James Habben