crowbar Apps maintenance update 1.0.2

I dropped v1.0.2 of both crowbarDMG and crowbarKC into the automatic update feed.  Please just run the applications and choose Check for Updates or allow automatic updates to run.

This update fixes where I was not stripping the carriage return characters from windows CRLF formatted text files used as dictionaries.  It would cause the program to appear it was properly checking passwords but never find the correct password due to the extra CR character.


Cracking Filevault – vfcrack compiling on OSX

This morning I woke up a bit early in the mood to see if I could improve crowbarDMG.  I had always intended to look at the OpenCiphers project code as a replacement to my own internal password test code.  Their vfcrack code is MUCH faster than my current code.  It would just be nice to have the gui and the progress saving ability of my crowbarDMG application.

I downloaded the vfcrack and went to compile it.  Of course it had to be a pain. I would run make and get the following error.

ld: symbol(s) not found
collect2: ld returned 1 exit status
make: *** [vfcrack] Error 1

After poking around I found a fix.  Just edit the Makefile and add -lcrypto after -lssl on the LDFLAGS line.  Then just run make again.

Now the program successfully compiles.  The next hurdle is I can’t seem to get it to actually succeed in cracking a DMG test file.  So it isn’t worth changing my program till I see this code actually crack something.  I should also add I am on 10.5.7 in case that has an effect on their code.  I am testing their provided dict against their provided dmg file using my crowbarDMG as a sanity check.


Found that my crowbar app was looking like it was testing the passwords properly from their dictionary file.  Turns out their file was in windows format with end of line CR+LF.  I was just stripping off the LF.  So now I have fixed my code and should publish updates to the auto update feeds soon for both crowbarDMG and crowbarKC.

I still can’t get a successful crack from their routine.


Malware – Finding the source site

A little interesting problem popped up on the CCE (Certified Computer Examiner) mail list today.  One of the members asked for scripting help on trying to test which of a list of urls was the source of malware that infected a machine he was examining.  The examiner had setup a clean Windows XP install in vmware and would test there.  He knew what he was looking for in what it does to Windows files, registries etc.  He just needed to test a hundred or so likely urls.  In the  process of writing up my reply email another member replied with a linear batch file to do it.  So I took my looping script and added his taskkill command to produce a quick simple result.

The script reads a text file that has one URL per line, it tells IE to open using the URL and pause.  That gives the examiner time to check for the infection.  If nothing found he just brings focus back to the command line window where he executed the script and presses a key. It closes the previous IE instance and opens the next from the file.

The file of urls is referenced in the script as sites.txt and you can make the following script in a bat file.  Call it visitsites.bat for instance.

for /F “eol=- tokens=1” %%i in (sites.txt) do (
start iexplore %%i
taskkill /f /im iexplore.exe


crowbar and PGP Virtual Disk

I actually took a vacation to the beach a couple weeks ago.   Relaxing as I watched the ocean waves I decided to throw together a crowbar version to attack pgp virtual disk files.  So where is it?

It did not take me long to adapt my script attack to a crowbar version.  I did run into a big problem though and this is why I have not released crowbarPGP.  After running for about 10-15 minutes it will stop trying to mount the pgp virtual disc file. And in fact restarting the program won’t resume the attack. You cannot get it to start over till you reboot your mac.  My conclusion is that there must be some sort of memory leak in the pgpdisk command.  Hit that with a thousand attempts in rapid succession and it goes to hell.

I just don’t want to release a program version when I know its not going to be able to run to completion regardless of the dictionary file size.  I’ll catch the heat for what I feel is clearly a flaw in pgpdisk.

*Update June 5, 2009*  PGP contacted me, I sent them the materials and a video demo.  They actually said something about a thread not being released and it will be fixed.  Soon as that works I’ll release crowbarPGP.


Mac Logs – Quick Check

This isn’t something major.  But it was part of my initial playing around for checking if the clock had been rolled back.  I made this automator to see if there were any signs in system.log files of backwards date jumps.  Granted this is a real simple check.  It only looks for where the day number changes from the previous line.  Effectively showing if entries start showing up in the log files out of sequence.  I did not get into the much more troublesome checks for the month name or timestamp.  I just went after the day number.

You may need to run the archived logs from /var/log through bunzip first.  Then just examine each one in turn.  You can see the automator if you click more.  But the main snippet of code is a run script action.  It is just an awk statement.

awk ‘
$2 != prev
{diff=int(prev)-int($2); prev=$2}

Continue reading “Mac Logs – Quick Check”


Mac Forensics – Did he roll the clock back?

A week ago I was contacted by a gentleman on a mac forensics issue.   Here is the scenario.  His son is a college student in a liberal arts degree.  The student is not particularly tech savy.  He had an A average in class participation and a B average for work to date in the class.  The student had a paper to turn in, wrote it, attached it and emailed it to his professor.  The grade that came back was an F for an incomplete paper.  He had accidently attached a previous version to the email for turn in.  Upon telling the instructor the accusation was made that he rolled back the clock on his laptop to make the finished paper.  The father wants to prove his son did not roll back the clock.  The school is supposedly open to review of the grade if proof can be presented.

Here is what I put together for the father.  It is a pair of automator actions.  Read on to see what I did.

Continue reading “Mac Forensics – Did he roll the clock back?”


Mac and Sleuthkit

I love using Sleuthkit tools fls and mactime to produce a timeline for file system analysis.  But what if you are not compiler friendly and have a mac as your forensics workstation?  Here is the quick and easy way to get Sleuthkit installed so you can run it against raw disc images.

  1. Get macports from  It is a simple install from dmg.
  2. Once installed, get a terminal session opened.
  3. execute the command: sudo port -d selfupdate
  4. execute the command: sudo port install sleuthkit

It will take a while for sleuthkit and all the dependancies to install.  Once done you should be able to do “man fls” and “man mactime” to see the manual pages for the tools and start using them.


Fun with forensic timeline analysis.

Tonight I was working on the Sans SEC508 Forensics day 6 challenge.  For fun I wanted to see if I could easily filter out all timeline entries where the file involved was over a certain size.  The body file was made within Autopsy.  Then I went to the output folder and did my own commands.  

I told mactime to output to csv so the columns I would be putting through awk would be consistent.  Then I fed it through awk with a variable defined for the minimum size I wanted to filter on.  What I get out is all entries after the desired start date where the file size was the minsize or larger.  Handy for looking for someone dropping on their own large tarballs etc to put in rootkits and other fun code.

mactime -d -b body -z CST6CDT 2000-11-07 > timeline.csv

cat timeline.csv | awk -F’,’ -v minsize=”100000000″ ‘{if ($2>=minsize) {printf “%s\n”, $0}}’