Interrogating logs using X-Ways and HEX? – any suggestions..
novadonuk
Member

Interrogating logs using X-Ways and HEX? – any suggestions..

Posted: Nov 24, 06 16:10

Hi Guys, Gals.

I am conducting some research into the domlog.nsf file that is stored in the data folder of the Lotus Notes folder from Lotus v4.6.2a.

The log file consists of the following type of records.

Date: 18/12/2006 22:27:57
User Address: 255.255.255.255
Authenticated User: j bloggs
Status: 200
Content Length: 1072
Content Type: image/gif
Request: GET /mail/jbloggs.nsf/$icon?OpenIcon HTTP/1.1
Browser Used: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Error:
Referring URL: www.domain.com/mail/jbloggs.nsf
Server Address: 255.255.255.255
Elapse Time (ms): 15


I have searched for the above data in X-Ways and can see that the characters + - / always appear when a transaction is logged. Although these characters do not appear to be a header, they were something to search by to find any other transactions in allocated or unallocated space. X-Ways pulled back just over 6000 records, which is good.

However, the bit I am struggling with is determining whether the timestamp can be associated with any part of the hex.

I can send anyone a snapshot of the hex if they are interested.

Thanks, Ian.

dodginess
Member

Re: Interrogating logs using X-Ways and HEX? – any suggest

Posted: Dec 08, 06 04:13

I'll try and get some interest started in this :)

Are you asking about how the timestamp would be converted into HEX? From past experience, times and dates (when saved into documents) are usually saved in their original ASCII format, which is *then* converted to HEX, but a fairly basic file editor would usually show HEX and ASCII previews side by side for comparison.

If you want to search for dates and times in a file my advice would be to create a simple script (something like Perl or C++ would be ideal - I've no idea about X-Ways though) that would search for the pattern as it appears in the file, which might be (for a date as an example):

two sequential HEX codes that relate to the ASCII symbols for numbers

then

the HEX equivalent of the ASCII equivalent of a colon :

then

two sequential HEX codes between XX and XX

and so on.

Does that help? Are you familiar with pattern matching scripts?

Neil
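One way to do the pattern search Neil describes, as an added example that is not code from either poster: a Python script that scans raw bytes for the ASCII dd/mm/yyyy hh:mm:ss timestamp seen in Ian's sample record (digit pairs joined by "/" and ":"), drops digit runs that are not real dates, and parses the "Field: value" lines that follow each hit up to the Elapse Time line. It assumes, as the reply suggests but the thread does not confirm, that the records sit in the image as plain ASCII text; the sample image below is constructed.

```python
import re
from datetime import datetime

# Constructed sample: a raw-image fragment with one log record buried in
# binary noise (field layout taken from the post), followed by a digit string
# that matches the timestamp pattern but is not a real date.
SAMPLE_IMAGE = (
    b"\x00\xff\x13\x00noise\x00"
    b"Date: 18/12/2006 22:27:57\r\n"
    b"User Address: 255.255.255.255\r\n"
    b"Authenticated User: j bloggs\r\n"
    b"Status: 200\r\n"
    b"Request: GET /mail/jbloggs.nsf/$icon?OpenIcon HTTP/1.1\r\n"
    b"Error:\r\n"
    b"Elapse Time (ms): 15\r\n"
    b"\x7f\xfe\x00Date: 31/02/2006 22:99:00\r\nStatus: 200\r\n\x00"
)

# Byte-level pattern: \d matches the ASCII digit codes 0x30..0x39 that the
# reply describes as "two sequential HEX codes between XX and XX".
TIMESTAMP_RE = re.compile(rb"Date: (\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2})")
RECORD_END = b"Elapse Time (ms):"

def find_timestamps(data):
    """Return (offset, datetime) for every match that is also a valid date/time."""
    hits = []
    for m in TIMESTAMP_RE.finditer(data):
        d, mo, y, h, mi, s = (int(g) for g in m.groups())
        try:
            hits.append((m.start(), datetime(y, mo, d, h, mi, s)))
        except ValueError:
            pass  # digits matched, but e.g. day 31/02 or hour 99: false positive
    return hits

def carve_records(data):
    """Parse 'Field: value' lines from each valid timestamp to the Elapse Time line."""
    hits = find_timestamps(data)
    records = []
    for i, (offset, ts) in enumerate(hits):
        limit = hits[i + 1][0] if i + 1 < len(hits) else len(data)  # next record
        end = data.find(RECORD_END, offset, limit)
        complete = end != -1            # False if the record was cut off
        end = data.find(b"\n", end, limit) if complete else -1
        chunk = data[offset:limit if end == -1 else end]
        fields = {}
        for line in chunk.splitlines():
            name, sep, value = line.partition(b":")  # first ':' splits the field name
            if sep:
                fields[name.decode("latin-1").strip()] = value.decode("latin-1").strip()
        records.append({"offset": offset, "timestamp": ts, "complete": complete, "fields": fields})
    return records
```

Run it over a real image by reading the file in binary mode and passing the bytes to carve_records; the offset of each hit is the value to jump to in the hex view.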