Spreading Out My Skills:
Fun with Spreadsheets

I had an opportunity to improve my spreadsheet skills last night while helping my wife on a project.  It's not hard for me to improve in this area because up until yesterday, spreadsheets were just a convenient way to open and sort CSV documents from forensics tools.  But, I learned some averaging and summing techniques, and more importantly, conditional statements and conditional formatting.  What's that got to do with forensics, you might ask?

I've written and/or used plenty of tools that produce CSV output.  Let's take a an SMS output, as an example.  Often, a particular phone number is the target of an investigation, and spreadsheets make it quite easy to sort on a column of data, such as the phone number.  So, in a few clicks, you've got the target number nicely grouped for review.

But, the more investigations I do, the more I've come to realise that good intelligence and investigation reads between the lines--not in a 'make up your own interpretation' sort of way, but looking to see what else was going on in the phone, computer, browsing session, etc., to give the target data proper context.  Conditional formatting can really help here.  It allows you to easily visualise the target data while at the same time seeing it in context.

OK, now I have your interest, but you really don't know what I mean by 'conditional formatting.'  Simply put, conditional formatting changes the look of a spreadsheet cell based on the content of the cell.  It is automated, rules based process; you set the rules, the spreadsheet formats the cells according to the rules.  Taking our cell phone SMS output as an example, you could create a rule  that changes the color of a cell based on the the phone number in the cell.  Thus, you can easily find your target, but still see it in context.

I'll use the spreadsheet in Google Docs as an illustration for setting up a conditional format:

1. Sweep the cells or select the column to which you wish to apply the condition.
2. Right-click in the selected area and choose (you guessed it) 'Conditional formatting...'
3. Set the rule according your your specifications.  That's it... really!

Your options may not seem like much at first, but you can specify more than one rule for the cell selection.  If the condition for one or more of the rules is met, then the text and background color selections your make are applied to the cell.  Conditional operators are:

Now, I also mentioned conditional statements.  These are statements that act on the data itself, not the cell format.  When would you want to change the data in a forensics investigation?  Well, how about this:

You are not a SQLite giant, but you know how to use your favorite GUI SQLite browser to export a table as CSV.  The SQLite table represents 'Sent' messages as '0' and received as '!'.  You'd like to render those values in their text equivalent for easy reading.  Sound like a possible scenario, yet?

OK, you've bought into the idea, but how do you do it?  Well, spreadsheets offer and 'if' statment that takes three arguments, and if, then, else clause if you will.  In our case, we would want the expression to read "If the value is zero, replace it with 'SENT', otherwise replace it with 'RECEIVED.'"  The expression looks like:

IF(test, then_value, otherwise_value)

The formula for our example in your spreadsheet might look like this, then:

=IF(B2=0, "SENT", "RECIEVED")

You can easily apply this formula to each successive cell, automatically changing the cell address for the appropriate row, by clicking the cell with the formula, grabbing the handle on the lower right corner of the selection box, and dragging to to the end of your column.  If statements can even be nested to make more that two possible outcomes:

=IF(B2=0, "SENT",(IF B2=1, "RECEIVED", "UNKNOWN"))

In the statement above, cell B2 is tested for 0, if the condition is met, then it is replaced with "SENT."  If it fails the text, then the "otherwise" value is another IF statement: if B2 is 1, then replace it with "RECEIVED", otherwise replace it with "UNKNOWN."   It is possible to have multiple nested if statements.

Who knew spreadsheets could be so much fun?  I even hear they do math!

SINF Structure

I spent some time decoding the SINF files that I discussed here, thanks in great part to a link sent to me by a colleague (Thanks, Derrick).  Here are my findings, to date:

Unlike iTunes Purchased MP4 media files, the SINF does not contain the iTunes user account name, which is most often their email address and most useful for contacting owners of stolen devices.  Instead, you are limited to the iTunes user's name and iTunes ID#.  Short of a search warrant or subpoena, Apple is not going to reveal the owner's personal information, though they have contacted owners on my behalf in the past.

Please review the data in the table and compare with your findings, if you are so inclined.  Post a comment if you have more insight, find an error, or can confirm any of the information.

iOS .sinf Name Calling

In my ever present quest to identify the true owners of stolen iPods, I made discovery in iOS while examining a Touch that may be probative: the app .sinf files found in the /private/var2/Applications sub folders.  According to File-Extensions.org:

The SINF file extension is associated with applications for Apple iOS operating system that is used in Apple iPhone, iPad and iPod Touch. File contains information about digital rights that are applied in application. The SINF file is stored in an IPA iOS application archive.

I found that by searching the ../Applications directory for .sinf files, and then grepping for the term "name", the Apple Store real name associated with the app can be discovered.  On the Linux command line, this can be accomplished very quickly with:

$ find private/var2/Applications -name "*.sinf" -exec strings -f {} \; | grep name

Modification dates for the files can be used to create a timeline of activity for the device and perhaps demonstrate when new residents moved in, so to speak.  The find command can by used with stat to quickly provide a list of date stamps:

$ find private/var2/Applications -name "*.sinf" -exec stat {} \;

But, even better, you can put it all together in a fairly simple command and create csv output for examination and sorting:

$ find private/ -name "*.sinf" | while read i; do name=$(strings "$i" | grep name); date=$(stat -c %y "$i"); echo -e "$i,$name,$date"; done

It appears from content that I have uncovered in a suspected stolen device, that the real name of the Apple Store account used to install the app is embedded in the .sinf file at the time of installation.  If this is the case, a stolen device, though it have the device name changed and the true owner's data deleted, may still have applications that were installed with the owners Apple Store account! 
 
Testing still needs to be done for verification, and I don't currently have any test devices to properly test.  If you are able to conduct any validation studies, please comment on this post with your findings.  I'll amend this post once I'm able to conduct my own studies or receive reliable findings from others.

iPod's, what's in a name?

iPod Device Names

iPod devices have a name.  It's set by the user when they initialize the device through iTune's (there are alternate initialization methods, but that is not the focus of this post).  When the focus of the investigation is determining the device owner, the device name is a good place to start.  The device name, for example, could be "John Doe" and you happen to know who is John Doe, or how to find out. 

Of course, the device name could be 'Pookie', which won't help you out too much.  But, don't give up, I've already demonstrated another, even more useful, method for identifying iPod owners through iTune's purchased media.  Take a look here if that interests you.

But, I got curious, where in the iPod can you find the device name?  It's clearly stored on the device, because, as any iPod owner can tell you, if you navigate from the main menu to the 'About' screen in 'Settings', you'll see something akin to "John Doe's iPod."

Where to Look

The first place to look in a FAT formatted iPod is the volume label of the data volume (aka partition).  The current device name is the volume name.  You can view it with blkid, or for the forensically inclinded, with the sluethkit at the root level.

I'll use recent 5th gen Nano I recently examined as an example.  I am operating as root because I am examining a device directly:

# blkid /dev/sdd1
/dev/sdd1: LABEL="PINK PANTHE" UUID="E0B8-3334" TYPE="vfat"

# fls /dev/sdd1
r/r 3:    PINK PANTHE (Volume Label Entry)
d/d 5:    iPod_Control
...

Now, I'm fairly worldly (all my friends are now rolling their eyes), but I suspected when I check Settings | About, the device name on this Nano, I'd find the device name was 'Pink Panther', not the truncated 'Pink Panthe' that was in the volume, which has a limit of 12 characters.  And sure enough, that's what I found: 'pink panther.'

So, if the 'r' in pather isn't in the volume, then the volume is not the source of the data in the About screen.  So, what is the source?  Turns out, after mounting the device read-only and employing my favorite keyword search utility (more on that one later), the source turns out to be the 'Library.itdb' SQLite database in the 'iPod_Control/iTunes/iTunes Library.itlp/' directory.

I found the table in which the device name resides as follows:

# sqlite3 '/media/iPod/iPod_Control/iTunes/iTunes Library.itlp/Library.itdb' .dump | grep 'pink panthe'

INSERT INTO "container" VALUES(-3226555229562403833,0,333435002,347345556,'pink panther',100,0,1,0,1,0,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);

What I did there was dump the table contents, which shows the commands that were issued to create the database and populate it.  The dump, when saved to a file, can be used to backup and restore a database.  For my purpose, I see that a list of values, including 'pink panther' was inserted into the 'container' table.

Now, I can produce a nice query that can be used in future examinations to directly recover the device name from the Library.itdb database:

# sqlite3 -line '/media/iPod/iPod_Control/iTunes/iTunes Library.itlp/Library.itdb' 'select name from container'
 name = pink panther

Now I have two sources for the device name in a FAT formatted device.  And, the database query can be used for HFS formatted iPod Classics, presumably.  Combine that with the media search for Apple Store account and real name information, and even an unallocated search for MPEG-4 metadata (next post), and you have a robust, though not fool proof methodology for identifying iPod owners.

Whose iPod?

iPods, iPods, everywhere...

...Which means they are frequently lost or stolen.  ...Which means they end up in my office with a request attached stating, "Can you please try to figure out who owns this?"

Device Name

iTunes, the principal means for managing iPod content, allows users to name their device.  Usually, owner's put their names, like 'John Doe,' so the the device is reported in iTunes as 'John Doe's iPod.'  In a fat32 formatted device, like an iPod Nano, the device name is recorded as the volume label. 

When it comes to linking the device to owners, though, the device name is seldom enough.  'John Doe' might be too common a name, not listed in the phone book or in your records management system.  Worse, the device name might be 'Wookie'.  What then?

What Apple Doesn't Tell You

The Apple Store, commonly known as the iTunes store, sells media for playback on the device.  Music and Video are popular purchases, and are sold in the MPEG-4 format with file extensions of .m4p (music) and .m4v (video).

The purchaser of this content has to create and use an Apple Store account.  For quite some time, the account name is the user's email address.  Users provide there real names as part of the creation process, which is necessary for credit card transactions.  Very standard business practices, nothing nefarious here.

The slight of hand comes on download (well, it would have to occur before download for you precise-types).  The Apple Store account name and the purchaser's real name are embedded in the media file!  MPEG-4 files contain metadata (data about data) such as the Artist, Title, Album, even album cover art.  The metadata takes the form of key:value pairs, often referred to as 'atoms.'

Where to look

The atoms 'name' and 'apID' contain the purchasers real name and account name (email address) respectively.  However, no tools I am aware of automatically display this content.  The excellent exiftool by Phil Harvey will display the account name (apID atom, i.e., email address) but not the purchasers real name. 

While Harvey's tool is excellent, it just doesn't do to run exiftool against every media file on an iPod.  First, not every media file is an MPEG-4 with Apple Store metadata.  iTunes allows users to convert their existing mp3 and CD collections to MPEG-4, for example.  These media files take on the .m4a file extension and do not contain purchaser information.  Nor do .mp3s, for that matter.

When I'm in a hurry, which is most of the time, I resort to a straight forward, compound command:

$ find /media/iPod/iPod_Control/Music -type f -name "*.m4[pv]" | while read i; do strings -f "$i"|grep -E -m1 'name.+'; strings -f "$i"| grep -E -m1 -A2 'apID'; done

Am I out of my flipping mind?  No.  That really works, works well, and works really, really fast.  Should I explain it?  No, not unless you really want me to.  The output looks like this:

/media/iPod/iPod_Control/Music/F49/PFLT.m4v: nameJohn Doe
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: 8apID
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: 0data
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: jdoe@email.com

/media/iPod/iPod_Control/Music/F49/QQDN.m4p: nameJohn Doe
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: 8apID
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: 0data
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: jdoe@email.com

Pretty?  Maybe not.  Does it answer the question of what is the real name and email address of the media purchaser?  Yes.  And did I mention, really, really fast?

I'm aware that some people might like or need nicer output for a report of some kind.  I wrote a bash script , called iphone_music that works with exiftool to produce nice output:

======== /media/iPod/iPod_Control/Music/F49/PFLT.m4v
File Type                       : M4V
Apple Store Account             : jdoe@email.com
Apple Store Account Type        : iTunes
Apple Store Real Name           : John Doe
 
======== /media/iPod/iPod_Control/Music/F49/QQDN.m4p
File Type                       : M4P
Apple Store Account             : jdoe@email.com
Apple Store Account Type        : iTunes
Apple Store Real Name           : John Doe

Iphone_music is also quite fast and uses the same basic methodology as the find command first demonstrated.  Additionally, it can tell you the names, artists, albums, etc. of other media on the device for instances where the owner has no purchased media on the device but can describe the media on board (e.g., .mp3, .m4a).  You may have noticed from the paths of the media files demonstrated, iTunes does not name the files after their content.

Iphone_music can be vastly improved, such as sorting by artist, email, owner name, etc, and I'll likely rewrite the tool in python to facilitate implementing these features.

Final Note (pun intended)

The methods detailed here work on mounted file systems and allocated files.  It is possible to find the real name and email address on devices where the media files have been deleted by the iPod thief / finder.  I won't detail the process here, but it involves using the Sleuthkit to pipe unallocated space to strings and grep for the name and apID atoms.  Another method, though slower, would be to use photorec or another file carving tool to recover MPEG-4 files an then use the methods above to search the recovered files.

Unoconv is number one!

I discussed a recent case where I was seeking Enhanced Metafiles and discovered that LibreOffice could be used to open and view them (see, LibreOffice: An Unlikely Image Viewer).  I mentioned at the end of that post that unoconv could be used to automate the process of taking the difficult to view EMF files and convert them something very portable, like PDF.

Today, I actually undertook that task when carving form EMF files produced over 1000 files to be examined.  Doing so exposed me to the full capabilities of unoconv, and I'm quite excited about the possibilities.

What, exactly is unoconv?

From the man page: "unoconv is a command line utility that can convert any file format that OpenOffice can import, to any file format that OpenOffice is capable of exporting."  This begs the question: what can OpenOffice (or LibreOffice) import and export?  Glad you asked:

$ unoconv --show

The following list of document formats are currently available:

  bib      - BibTeX [.bib]
  doc      - Microsoft Word 97/2000/XP [.doc]
  doc6     - Microsoft Word 6.0 [.doc]
  doc95    - Microsoft Word 95 [.doc]
  docbook  - DocBook [.xml]
  html     - HTML Document (OpenOffice.org Writer) [.html]
  odt      - Open Document Text [.odt]
  ott      - Open Document Text [.ott]
  ooxml    - Microsoft Office Open XML [.xml]
  pdb      - AportisDoc (Palm) [.pdb]
  pdf      - Portable Document Format [.pdf]
  psw      - Pocket Word [.psw]
  rtf      - Rich Text Format [.rtf]
  latex    - LaTeX 2e [.ltx]
  sdw      - StarWriter 5.0 [.sdw]
  sdw4     - StarWriter 4.0 [.sdw]
  sdw3     - StarWriter 3.0 [.sdw]
  stw      - Open Office.org 1.0 Text Document Template [.stw]
  sxw      - Open Office.org 1.0 Text Document [.sxw]
  text     - Text Encoded [.txt]
  txt      - Plain Text [.txt]
  vor      - StarWriter 5.0 Template [.vor]
  vor4     - StarWriter 4.0 Template [.vor]
  vor3     - StarWriter 3.0 Template [.vor]
  xhtml    - XHTML Document [.html]

The following list of graphics formats are currently available:

  bmp      - Windows Bitmap [.bmp]
  emf      - Enhanced Metafile [.emf]
  eps      - Encapsulated PostScript [.eps]
  gif      - Graphics Interchange Format [.gif]
  html     - HTML Document (OpenOffice.org Draw) [.html]
  jpg      - Joint Photographic Experts Group [.jpg]
  met      - OS/2 Metafile [.met]
  odd      - OpenDocument Drawing [.odd]
  otg      - OpenDocument Drawing Template [.otg]
  pbm      - Portable Bitmap [.pbm]
  pct      - Mac Pict [.pct]
  pdf      - Portable Document Format [.pdf]
  pgm      - Portable Graymap [.pgm]
  png      - Portable Network Graphic [.png]
  ppm      - Portable Pixelmap [.ppm]
  ras      - Sun Raster Image [.ras]
  std      - OpenOffice.org 1.0 Drawing Template [.std]
  svg      - Scalable Vector Graphics [.svg]
  svm      - StarView Metafile [.svm]
  swf      - Macromedia Flash (SWF) [.swf]
  sxd      - OpenOffice.org 1.0 Drawing [.sxd]
  sxd3     - StarDraw 3.0 [.sxd]
  sxd5     - StarDraw 5.0 [.sxd]
  tiff     - Tagged Image File Format [.tiff]
  vor      - StarDraw 5.0 Template [.vor]
  vor3     - StarDraw 3.0 Template [.vor]
  wmf      - Windows Metafile [.wmf]
  xhtml    - XHTML [.xhtml]
  xpm      - X PixMap [.xpm]

The following list of presentation formats are currently available:

  bmp      - Windows Bitmap [.bmp]
  emf      - Enhanced Metafile [.emf]
  eps      - Encapsulated PostScript [.eps]
  gif      - Graphics Interchange Format [.gif]
  html     - HTML Document (OpenOffice.org Impress) [.html]
  jpg      - Joint Photographic Experts Group [.jpg]
  met      - OS/2 Metafile [.met]
  odd      - OpenDocument Drawing (Impress) [.odd]
  odg      - OpenOffice.org 1.0 Drawing (OpenOffice.org Impress) [.odg]
  odp      - OpenDocument Presentation [.odp]
  otp      - OpenDocument Presentation Template [.otp]
  pbm      - Portable Bitmap [.pbm]
  pct      - Mac Pict [.pct]
  pdf      - Portable Document Format [.pdf]
  pgm      - Portable Graymap [.pgm]
  png      - Portable Network Graphic [.png]
  pot      - Microsoft PowerPoint 97/2000/XP Template [.pot]
  ppm      - Portable Pixelmap [.ppm]
  ppt      - Microsoft PowerPoint 97/2000/XP [.ppt]
  pwp      - PlaceWare [.pwp]
  ras      - Sun Raster Image [.ras]
  sda      - StarDraw 5.0 (OpenOffice.org Impress) [.sda]
  sdd      - StarImpress 5.0 [.sdd]
  sdd3     - StarDraw 3.0 (OpenOffice.org Impress) [.sdd]
  sdd4     - StarImpress 4.0 [.sdd]
  sti      - OpenOffice.org 1.0 Presentation Template [.sti]
  stp      - OpenDocument Presentation Template [.stp]
  svg      - Scalable Vector Graphics [.svg]
  svm      - StarView Metafile [.svm]
  swf      - Macromedia Flash (SWF) [.swf]
  sxi      - OpenOffice.org 1.0 Presentation [.sxi]
  tiff     - Tagged Image File Format [.tiff]
  vor      - StarImpress 5.0 Template [.vor]
  vor3     - StarDraw 3.0 Template (OpenOffice.org Impress) [.vor]
  vor4     - StarImpress 4.0 Template [.vor]
  vor5     - StarDraw 5.0 Template (OpenOffice.org Impress) [.vor]
  wmf      - Windows Metafile [.wmf]
  xhtml    - XHTML [.xml]
  xpm      - X PixMap [.xpm]

The following list of spreadsheet formats are currently available:

  csv      - Text CSV [.csv]
  dbf      - dBase [.dbf]
  dif      - Data Interchange Format [.dif]
  html     - HTML Document (OpenOffice.org Calc) [.html]
  ods      - Open Document Spreadsheet [.ods]
  ooxml    - Microsoft Excel 2003 XML [.xml]
  pdf      - Portable Document Format [.pdf]
  pts      - OpenDocument Spreadsheet Template [.pts]
  pxl      - Pocket Excel [.pxl]
  sdc      - StarCalc 5.0 [.sdc]
  sdc4     - StarCalc 4.0 [.sdc]
  sdc3     - StarCalc 3.0 [.sdc]
  slk      - SYLK [.slk]
  stc      - OpenOffice.org 1.0 Spreadsheet Template [.stc]
  sxc      - OpenOffice.org 1.0 Spreadsheet [.sxc]
  vor3     - StarCalc 3.0 Template [.vor]
  vor4     - StarCalc 4.0 Template [.vor]
  vor      - StarCalc 5.0 Template [.vor]
  xhtml    - XHTML [.xhtml]
  xls      - Microsoft Excel 97/2000/XP [.xls]
  xls5     - Microsoft Excel 5.0 [.xls]
  xls95    - Microsoft Excel 95 [.xls]
  xlt      - Microsoft Excel 97/2000/XP Template [.xlt]
  xlt5     - Microsoft Excel 5.0 Template [.xlt]
  xlt95    - Microsoft Excel 95 Template [.xlt]

So, what's missing?  The newer Microsoft 'x' formats: docx, xlsx, etc. (Microsoft Office XML) are not listed, but conversion is still possible!  Let you mantra be  "unoconv is a command line utility that can convert any file format that OpenOffice can import, to any file format that OpenOffice is capable of exporting."

Using unoconv

To use unoconv, you first have to start the listener:

$ unoconv -l &  #the '&' backgrounds the process and returns control of the 

                 terminal winodow to your

[1] 9998        #9998 is the process number of the listener.

We can see that the listener is a python program and the killall command to cancel the listener would have to be directed at python.  To avoid killing other processes, 'kill 9998' should be used rather than 'killall python':

$ ps 9998
  PID TTY      STAT   TIME COMMAND
 9998 pts/0    Sl     0:00 /usr/bin/python /usr/bin/unoconv -l

With the listener running, conversion of documents is straight forward, as we can see from the help:

$ unoconv -h
usage: unoconv [options] file [file2 ..]

Convert from and to any format supported by OpenOffice

unoconv options:
  -c, --connection=string  use a custom connection string
  -d, --doctype=type       specify document type
                             (document, graphics, presentation, spreadsheet)
  -e, --export=name=value  set export filter options
                             eg. -e PageRange=1-2
  -f, --format=format      specify the output format
  -i, --import=string      set import filter option string
                             eg. -i utf8
  -l, --listener           start a listener to use by unoconv clients
  -o, --outputpath=name    output directory
      --pipe=name          alternative method of connection using a pipe
  -p, --port=port          specify the port (default: 2002)
                             to be used by client or listener
  -s, --server=server      specify the server address (default: localhost)
                             to be used by client or listener
  -t, --template=file      import the styles from template (.ott)
  -T, --timeout=secs       timeout after secs if connections to OpenOffice fail
      --show               list the available output formats
      --stdout             write output to stdout
  -v, --verbose            be more and more verbose

 So, in its simplest form, conversion takes the following form:

$ unoconv test.docx

The command will finish silently if successful.  It creates a .pdf by default in the same directory as the document.  Add the -f [fmt] option to convert to a different format, for example:

$ unoconv -f txt test.docx

When your conversion work is done, close the listener with:

$ kill 9998

Now you see why unoconv is number one!

LibreOffice: An Unlikely Image Viewer

I encountered a series of deleted Enhanced Metafiles (EMF) files during the examination of a Window's-based system the other day.  EMF files are second generation Windows Metafiles (WMF), and early on in in most forensics careers, forensics examiners are taught to seek out those files as printer artifacts.  And, it just so happens, the path of these deleted files and a time stamp analysis suggested these files were in fact printer artifacts.

Sidebar: EMF is not only a printer artifact.  In fact, its not really accurate to call it a printer artifact.  Windows applications, like Microsoft Office, use the EMF format to make images portable between applications.  In printing from these applications, the document (even text documents) is converted to an EMF image and sent to the printer.

None of my native Linux image viewers was capable of displaying the EMF files.  I was considering downloading and running XnView, and excellent image viewer with over 400 supported image formats.  The new version being developed, XnViewMP (Multiplatform), is capable but unstable, so I didn't relish using it other than as a last resort. (And, as it turns out, EMF is not on the list of supported formats.)

A little poking around the Internet, and I discovered that OpenOffice supports EMF files.  Open Office, for the uninitiated, is and open office sweet with Microsoft Office document compatibility.  I have a fork of OpenOffice installed, called LibreOffice.  I opened the Draw program (though Writer would have worked as well), and I dragged the EMF into the document window.  Voila!  I had a perfect representation of the document sent to the printer.

LibreOffice can save the image as a PDF for distribution, if required.  While it might seem untenable to process numerous images in this manner (opening one at a time in LibreOffice to covert to another format), you may not be limited to this approach.  The unoconv program can be used to convert any document that can be opened by LibreOffice into any format that can be written by LibreOffice.  Automation, anyone?