Thursday, September 23, 2010

Caine v2.0 - Newlight released!

The newest version of Caine, a forensics live Linux distro, has been released. Some of the 20 new tools include MountManager, SSDeep, Air v2.0.0, Log2Timeline and a whole pile of scripts which are accessed off the file browser. A full list of tools is available on their site.  If you use WinTaylor, the version's been updated to v2.1. Downloading the new version as I type. For the price (Open Source), it's a "must have" for your forensic arsenal. It was less than two months ago when Caine was the only toolset I could get to recognize a significantly corrupted 500GB portable USB drive, and then carve out images, WordPerfect files, raw images, etc. Directions are available on the site for creating a USB version for a Netbook.  More to come as I try out the new features.  Download the ISO (Caine and NBCaine v2.0) here.

Wednesday, September 8, 2010

Google Voice - Call phones - lovin' the log!

I decided to give Google Voice a try - was kind of difficult to ignore the "reminder" that popped up each time I logged into a GMail account.  Here's what I learned:
- CallerID shows the originating number coming from (760) 705-8888.
- Voice quality was good.  During my tests, I spoke with a colleague and we estimated the lag as 1 second. 
- Very easy to use.

Now in Googling the phone number from the call display, I noted that the prank/harassing phone calls are starting already.  So, I decided to see what I could find in terms of call history on the originating (source) computer.  Like so many programs, Google Voice leaves a log - and a nicely detailed log at that!

Location/Path:  (Copied from EnCase; the USER account name has been edited for privacy)
GMail Phone\C\Users\USER\AppData\Local\Google\Google Talk Plugin\gtalkplugin-c1598929683.log.bz2

Call history is also available from within the Google account (you must be logged in).

Inside the bz2 archive is a single log file containing a wealth of information including:
- IP address of the computer used (including port). Also includes NAT'ed IP address.
- full information on the computer used, including CPU details, OS, GPU details, etc.
- date/time stamps (GMT)
- associated GMail address.
- list of all network adapters on computer and their associated IP addresses.
- reference to the address "+1XXX" (the remaining digits of the 10-digit phone number have been removed for privacy)
- log is fully timestamped and appears to contain a lot more information.
- each call generated an individual log file within its own bz2 archive.
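A quick triage script for the artifact described above, as an added example (not code from the original post or from Google). Because each call leaves its own .log.bz2 archive, the script walks the Google Talk Plugin directory, decompresses every gtalkplugin-*.log.bz2, and pulls out the items an examiner cares about: LAN-side vs. NAT'ed/public IP addresses with ports, GMail addresses, +1 numbers and the first/last GMT timestamps as a call window. The exact log layout is not documented on the page, so the regular expressions are generic assumptions, and the sample log content embedded below is constructed for illustration; adjust the patterns once a real log is in front of you.

```python
"""Triage of Google Talk Plugin call logs (gtalkplugin-*.log.bz2).

Added example, not code from the original post. The exact log layout is
not documented on the page, so extraction relies on generic patterns
(IPv4 with optional port, e-mail addresses, +1 numbers, GMT timestamps);
SAMPLE_LOG below is constructed for illustration.
"""
import bz2
import ipaddress
import re
import tempfile
from pathlib import Path

# Assumed patterns; tune them against a real log.
IPV4_PORT_RE = re.compile(r'\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b')
EMAIL_RE = re.compile(r'\b[\w.+-]+@[\w-]+\.[\w.-]+\b')
E164_RE = re.compile(r'\+1\d{10}\b')
TS_RE = re.compile(r'\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}')

RFC1918 = [ipaddress.ip_network(n)
           for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def is_rfc1918(ip):
    """True for LAN-side addresses; anything else is taken as the NAT'ed/public side."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def extract_indicators(text):
    """Pull examiner-relevant artifacts out of one decompressed log."""
    found = {'local_ips': set(), 'external_ips': set(), 'emails': set(),
             'numbers': set(), 'timestamps': [], 'lines': 0}
    for line in text.splitlines():
        found['lines'] += 1
        for ip, port in IPV4_PORT_RE.findall(line):
            try:
                key = 'local_ips' if is_rfc1918(ip) else 'external_ips'
            except ValueError:        # e.g. 999.1.1.1 matched the regex but is not an address
                continue
            found[key].add(f'{ip}:{port}' if port else ip)
        found['emails'].update(EMAIL_RE.findall(line))
        found['numbers'].update(E164_RE.findall(line))
        found['timestamps'].extend(TS_RE.findall(line))
    return found


def redact_number(number):
    """Mask a +1 number for publication, keeping only the country code (+1XXX...)."""
    return number[:2] + 'X' * (len(number) - 2)


def triage_directory(plugin_dir):
    """Each call leaves its own .log.bz2; summarise every one found."""
    report = {}
    for path in sorted(Path(plugin_dir).glob('gtalkplugin-*.log.bz2')):
        with bz2.open(path, 'rt', encoding='utf-8', errors='replace') as fh:
            ind = extract_indicators(fh.read())
        ts = ind['timestamps']
        report[path.name] = {
            'call_window_gmt': (ts[0], ts[-1]) if ts else None,
            'local_ips': sorted(ind['local_ips']),
            'external_ips': sorted(ind['external_ips']),
            'emails': sorted(ind['emails']),
            'numbers': sorted(ind['numbers']),
            'lines': ind['lines'],
        }
    return report


# Constructed sample log; the layout is invented, only the kinds of fields follow the post.
SAMPLE_LOG = """\
2010-09-08 14:02:11 GMT [info] gtalkplugin start, user=examiner@gmail.com
2010-09-08 14:02:11 GMT [info] os=Windows 7 cpu=Intel(R) Core(TM)2 gpu=NVIDIA
2010-09-08 14:02:12 GMT [info] adapter "Local Area Connection" addr=192.168.1.23
2010-09-08 14:02:12 GMT [info] local candidate 192.168.1.23:57201
2010-09-08 14:02:13 GMT [info] reflexive (NAT) candidate 203.0.113.45:57201
2010-09-08 14:02:14 GMT [info] call to +16135550123 [state: connecting]
2010-09-08 14:03:44 GMT [info] call ended [state: done]
"""


def write_sample(plugin_dir):
    """Write one constructed archive using the per-call file name seen in the post."""
    path = Path(plugin_dir) / 'gtalkplugin-c1598929683.log.bz2'
    with bz2.open(path, 'wt', encoding='utf-8') as fh:
        fh.write(SAMPLE_LOG)
    return path


def demo():
    """Run the triage end to end against the constructed sample in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        write_sample(d)
        return triage_directory(d)


if __name__ == '__main__':
    for name, summary in demo().items():
        print(name)
        for key, value in summary.items():
            if key == 'numbers':
                value = [redact_number(n) for n in value]
            print(f'  {key}: {value}')
```

Point triage_directory() at the real path from the post (the AppData\Local\Google\Google Talk Plugin folder of the exported user profile) to get one summary per call. The RFC 1918 split is what separates the adapter addresses from the NAT'ed address the post mentions; timestamps are kept in the log's own GMT, so convert to local time only when you correlate against other sources.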

I found the log file quite detailed.  Activating the phone feature, making a 1-1/2 minute call and disconnecting generated a log file of approx. 247 entries.  As much of the information was new, I imported the log file into Splunk on my MacBook Pro.  Seamlessly, the log file was parsed (with the exception of a few stray lines of left-over log entries, which appear to have been created by the use of the right square bracket).  This is the 3rd time I've used Splunk this last week - absolutely invaluable.

Definitely more to look through......