NetX Getting Started Guide Page 1 of 36
SiQuest Corporation
27 - 1300 King Street East
Suite 134
Oshawa, ON L1H 8J4
Canada
Support: (905) 686-6801
Sales: (905) 686-6801
e-mail: [email protected]
web: www.siquest.com
NetX and NetX Triage® (Revision 2012.10.14)
Copyright © 2012, SiQuest Corporation.
Internet Examiner is a registered trademark of SiQuest Corporation.
All rights reserved.
No part of this publication may be copied without the express written permission of SiQuest Corporation,
1300 King Street East, Unit 27, Suite 134, Ontario, Canada L1H 8J4
NetX
Getting Started Guide
TABLE OF CONTENTS
TABLE OF CONTENTS (page 2)
OVERVIEW (page 4)
INSTALLING THE PROGRAM (page 7)
COMMAND LINE SWITCHES (page 8)
    Introduction (page 8)
    Switches and Menu Options (page 9)
GREP EXPRESSIONS (page 15)
    Using Escape Characters (page 16)
    Email Address Keyword Example (page 17)
    Facebook ID Example (page 19)
BUILT-IN RECOVERY OPTIONS (page 21)
    Recovering Internet History (page 21)
    Recovering JPEGS (page 23)
    Recovering Only JPEGs of a Certain Size Range (page 23)
    Recovering Photographic Quality (High Res) Images (page 23)
    Customizing the Read Buffer (page 24)
ADVANCED OPTIONS (page 25)
    Changing the Background and Foreground Color (page 25)
    Compiling Keyword Hits Into A Single MATCHES.TXT File (page 26)
    Using NULL, Double NULL & High Ascii Trim Options (page 27)
    Extracting Email Messages (page 28)
TIPS FOR ENCASE USERS (page 34)
FAQ (page 35)
OVERVIEW
NetX® is a console application that is designed to run within a Windows Command Prompt window. It
uses a series of command line switches to define the criteria used to search computer hard drives for
internet evidence (or any other evidence).
One of the major advantages of using this type of interface is that the program has few dependencies
and it runs faster than traditional graphical user interface applications. NetX requires only the .NET
Framework Version 2 to be installed on the target machine. Since almost all distributions of Microsoft
Windows have this version of the .NET Framework pre-installed, NetX is therefore considered portable.
NetX Triage is licensed by a special 1GB flash memory USB Security Key (dongle). This provides an
examiner with both the license and the software on a single USB device. Additional flash drive
capacities are available.
With NetX, you can recover just about anything you can define as a discoverable piece of information.
By default, NetX can recover internet history records from Unallocated Space for Internet Explorer with
support for other browsers in development. It can also recover JPEGs natively and provides an option
to define the size of the files to be recovered.
NetX was designed to be a Swiss Army knife for carving data out of hard drives both at the logical level
and the physical disk sector level. The latter feature provides the ability to search MAC formatted
drives, sector by sector. This should also make it possible to search Unix-based formatted drives.
The following is a screenshot of the main menu for NetX as viewed within the Command Prompt shell
window.
INSTALLING THE PROGRAM
NetX, by default, will attempt to install to the C:\Program Files (x86) directory, under “SiQuest” in a
sub-folder called “NetX”. It is recommended that you copy the NetX folder in its entirety to the root of
your C: drive to make it easier to access. Having the folder close to the root makes it easier to use in a
lab environment since there are almost no sub-folders to recurse manually within a Command Prompt
window. This also makes it easier to deploy in the field using a simple XCOPY approach where the
entire folder is simply copied to a flash drive.
The only dependency required for NetX to run on a Windows system is the presence of the .NET
Framework 2.0. NetX should check your system for the presence of this library and, if it is found to be
missing, NetX will download and install it from the Microsoft website.
COMMAND LINE SWITCHES
Introduction
To run NetX, you first need to understand that it is possible to search a VOLUME (a partition), a DISK
(a physical disk) or a DIRECTORY (a folder, including sub-folders). It is NOT possible to combine
these search options.
The simplest use of NetX is as follows. Note that it does not matter if you type in the command in
uppercase or lowercase or both. However, “lowercase” is recommended.
netx /v:c /t:uph /h
The above example searches the C: drive’s Unallocated Clusters, Pagefile.sys and Hiberfil.sys for
internet history. By default, NetX will only COUNT the hits but not carve them out. To carve the
results to a folder on your computer, you would use the following:
netx /v:c /t:uph /h /p:s:\results
In the above example, the /P (path) switch defines the output folder. In this case, the output
folder is “S:\Results”. If the folder does not exist, an error will be reported.
TIP: Use the F3 key to recall the last command line typed.
Switches and Menu Options
PRIMARY SEARCH OPTIONS:
/V = Search one or more logical volumes
    EXAMPLE: /V:DE
    - Searches volumes D: and E:
/T = (optional) Target objects to search (ALLOCATED CLUSTERS=all files, HIBERFIL.SYS, PAGEFILE.SYS, UNALLOCATED CLUSTERS). Can only be used with the /V (volume) search option.
    EXAMPLE: /T:AHPU
    - Searches all four target locations sector by sector
    NOTE: To search files on a given volume, use the /F switch
/D = Search one or more PHYSICAL disks sector by sector
    EXAMPLE: /D:1
    - Searches the 2nd physical disk (zero-based)
    - Use the DISKS menu option to identify all disks
    NOTE: Use /T:A option to search the entire FILE SYSTEM, including file slack space.
/B = (optional) BUFFER SIZE in sectors. Default is 19,532 sectors which = ~10MB. Use this option to tweak performance. Lower = slower but provides more statistical updates and reduces wait periods for complex GREP expressions to be evaluated during each read.
    USAGE: /RS:9766
    - if bytes-per-sector = 512, then buffer size is = ~5MB.
FILE SYSTEM:
/F = (optional) Searches FILE(s) in the specified FILE or DIRECTORY for keywords
    USAGE: /F:C:\USERS
    - Searches the C:\USERS directory
/R = (optional) Instructs NETX to recurse subfolders
SPECIFIC ARTIFACTS:
/H = (optional) Searches for internet history - Internet Explorer by default
    USAGE: /IH:E
    - E = Internet Explorer (other browsers coming soon)
/J = (optional) Search for JPEGs using known file signature. Option to specify file size range in KB. Default usage: /J
    USAGE: /J:10-500
    - Searches for JPEGs 10KB to 500KB in size only
    USAGE: /J:400-3000%15-40
    - Searches for JPEGs that have a WIDTH between 400 and 3000 pixels AND that have a Photograph Aspect Ratio Differential value between 15% and 40%. This option is used to locate photographic quality and/or high resolution images.
KEYWORD FEATURES:
/K = (optional) Keyword(s) to locate. Matches are exported to the specified output folder using the /C switch. Keywords can be any valid GREP expression. The KEYWORDS.TXT file must exist in the same folder as NETX. Use /L to specify a custom keyword filename.
    NOTE: The optional “P” attribute can be used to instruct NetX to search ONLY the FILE / FOLDER “PATH” as opposed to searching the file contents, which is the default.
    USAGE: /A:U
    NOTE: Can be used safely in conjunction with /C:A
/C = Copies the KEYWORD or the file in which the keyword is found. Data is copied to the folder specified using the /P (path) switch (see below).
    USAGE: /C
    - Copies the KEYWORD match to a new file
    USAGE: /C:A
    - Copies KEYWORD MATCH to a single MATCHES file (the A is for Append)
    USAGE: /C:F
    - Copies the FILE in which the keyword is found
    USAGE: /C:1024
    - Copies the KEYWORD match plus an additional 1024 bytes. NOTE: Max export size is 2,000,000 bytes (2MB)
    USAGE: /C:-200:1024
    - Same as above BUT ALSO copies the first 200 bytes that come immediately before the keyword hit
/L = (optional) Specifies the file name of the LOCAL keywords file to use in search.
    USAGE: /L:keywords.txt
    - NOTE: No spaces allowed in file name.
    - File must reside in same folder as NETX.EXE
/A = (optional) Appends keyword hits to a single MATCHES.TXT in the output folder.
    NOTE: The optional “U” attribute can be used to request that only Unique keyword matches be appended to the file.
/HI = (optional) Trims keyword match (L&R) on the first HIGH ASCII character > 127
/N = (optional) Trims keyword match (L&R) on the first NULL (\x00) character
/NN = (optional) Trims keyword match (L&R) on the first DOUBLE NULL (\x00 \x00) (Unicode) character
/P = (optional) FULL or RELATIVE path to folder where search results will be copied
    EXAMPLE: /P:C:\Temp
    - Results will be copied to this folder. If path is missing, then current program folder is used.
    EXAMPLE: /P:Evidence
    - EVIDENCE is a folder in the same directory as NETX.EXE
/X = (optional) Specifies file extension to use for exported keywords.
    USAGE: /X:html
    - All files harvested will have a HTML file extension
OTHER:
DISKS = Displays list of installed disks and volumes, including mounted items
FAQ = Displays list of frequently asked questions
GREP = Displays a list of GREP symbols with examples
MENU = Prints this menu to the locally installed printer
GUIDE = Displays the NETX GETTING STARTED GUIDE (PDF)
NOTES = Displays the latest Release Notes (PDF)
/? = Displays this help menu
EXAMPLE = Displays a few examples of how to use the various switches
ABOUT = Displays general information about this program
EXIT = Closes program
GREP EXPRESSIONS
Using Regular Expressions or GREP Expressions is what really provides the power for NetX Triage.
Although creating syntactically correct expressions may take some practice, once you have a valid
expression, it is then easy to build on it.
In order to use GREP expressions, you must first have a keyword file. By default, NetX will always
look for a file called “keywords.txt” in the same directory where the NETX.EXE resides. It is
possible to specify custom keyword files using the /L switch as follows:
netx /v:c /k /l:email_addresses.txt
Note the use of the /K switch. This switch is required anytime you want NetX to search for
keywords. If you specify a custom keyword file using the /L switch, then the default
“keywords.txt” file will be ignored.
Using Escape Characters
When creating custom GREP expressions, it is very important to distinguish between reserved
GREP “symbols” and regular ASCII characters.
For instance, the symbol “.” (a single period) represents an “any character” placeholder. But, if
we want that to be “a single period” and NOT an “any character” placeholder, then we need to
“escape” the character using a backslash “\” character.
Another example where you would need to use an escape character is if you are using the
reserved range “[ ]” brackets. To hard code that character, we again would need to use the
backslash like this:
\[ and \]
Hexadecimal values also have to be escaped so that the compiler recognizes the characters that
follow as a hex character or hex value. For example, a single period “.” can be also represented
as a hex value like this:
\x2E (1-byte ASCII)
\u002E (2-byte Unicode)
NOTE: When using the Unicode version of a character, NetX will match on either the 1-byte ASCII
version, as well as the 2-byte Unicode version. For this reason, it is recommended that you use
the Unicode version of any hex characters – unless you know for sure that a 1-byte option is the
only likely format to be found.
Email Address Keyword Example
For our first example, let’s consider the challenges of searching for email addresses. Since an
email address can take on several forms, writing a single GREP expression to capture each one
can be challenging – but the good news is that it can be done.
Here are some common forms for email addresses although our examples use some fictitious
domains for illustration purposes:
Now, to write a GREP expression for the first address is pretty easy. Notice the escaped period:
[a-z]+@hotmail\.com
A more generic approach would look like this:
[a-z]+@[a-z]+\.com
In the above example, you will notice the “+” symbol which means “1 or more”. The range [a-z]
is case sensitive. To capture uppercase letters, we should use “[a-zA-Z]”.
And finally, here is a ‘catch-all’ GREP that should work in most cases:
[a-zA-Z]+[a-zA-Z0-9\_\-\.]+@[a-zA-Z0-9]+[a-zA-Z0-9\_\-\.]+\.[a-z][a-z][a-z]?
Let’s break this down, one portion of the expression at a time:
[a-zA-Z]+
Searches for an address that starts with a letter.
[a-zA-Z0-9\_\-\.]+
Which can then be followed by any letter, number, underscore, hyphen or period.
@
Then we need to find the @ symbol. Escaping this type of character is optional.
[a-zA-Z0-9]+
Next, the domain portion of the address must start with a letter or number.
[a-zA-Z0-9\_\-\.]+
Which can then be followed by any letter, number, underscore, hyphen or period. This
will also capture nested sub-domain elements.
\.
We are then looking for an actual period (“.”).
[a-z][a-z]
Followed by 2 letters.
[a-z]?
And finally, an optional third letter.
Facebook ID Example
In some cases, it is helpful to know if someone has accessed another person’s Facebook profile.
Since it will be less likely to find actual web pages to prove this, one sure way is to locate a
reference to the file path (URL) of the person’s profile picture.
The common profile picture URL format looks like this:
http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs223.ash2/48927_100001776758716_6880799_n.jpg
The portion of this URL that is of importance is the file name at the end:
48927_100001776758716_6880799_n.jpg
The first number portion (48927) is a random number.
The middle number (100001776758716) is the user’s unique Facebook profile ID.
The last number portion (6880799) is another random number.
To search for this type of evidence, we would use a GREP expression that looks for the number
portion of the URL only like this:
\/[0-9]+\_100001776758716\_[0-9]+\_n\.jpg
Notice that we had to escape (“ \ “) the first forward slash, the underscores, and the period (“.”).
CARVING TIP:
To carve out all references to the above, we can use a proximity search option and extract the
data in .HTML file formats. To do this, we need to do the following:
1. Create a custom keyword file using the above GREP and call the file “facebook.txt”.
2. Next, we need to search the target drive by specifying the /K switch (for keyword searches)
and the /C switch (which tells NetX to COPY the result).
3. To capture the data surrounding the keyword hit, we can pick an arbitrary number like “500”
bytes BEFORE and perhaps “1000” bytes AFTER the hit.
4. We also need to specify the keyword file to use and the output folder.
5. To “clean” the data, we can STOP our search backwards or forwards from the hit (within the
500 or 1000 bytes respectively) whenever we encounter a NULL (zero) value or a HIGH ASCII
character (greater than 127). This is done using the /N and /HI switches.
6. Lastly, any carved hits should be given the .HTML file extension since most hits will likely be
web-based and therefore viewable within a browser.
Here’s how this might look if we are searching the entire physical disk identified as drive zero (using
the NetX “disks” menu option):
netx /d:0 /k /c:-500+1000 /n /hi /l:facebook.txt /p:s:\output /x:html
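Before a keyword file is pointed at a drive, it is worth running its expressions over a small constructed sample (the FAQ at the end of this guide recommends the same). The following is an added Python example, not NetX code: it reads a keyword file in the one-expression-per-line form, runs the guide’s email catch-all and a Facebook profile-picture pattern over a constructed buffer, and reports each hit with its physical sector. The profile ID, the sample text and the 512-byte sector size are assumptions; the underscores in the Facebook pattern are written in the hex form (\x5F) so that the escape rule from the previous section is exercised too.

```python
import re

SECTOR_SIZE = 512  # assumption: 512-byte sectors, as the guide notes for most disks

# Constructed keyword file (one GREP expression per line, the way NetX reads keywords.txt).
# Line 1 is the guide's email catch-all; line 2 is the Facebook profile-picture pattern
# with a constructed placeholder profile ID and the underscores written as \x5F.
KEYWORDS_TXT = r"""
[a-zA-Z]+[a-zA-Z0-9\_\-\.]+@[a-zA-Z0-9]+[a-zA-Z0-9\_\-\.]+\.[a-z][a-z][a-z]?
\/[0-9]+\x5F100000000000001\x5F[0-9]+\x5Fn\.jpg
"""


def load_keywords(text):
    """Compile every non-empty line of a keyword file as a regular expression."""
    return [re.compile(line) for line in text.splitlines() if line.strip()]


def search_buffer(data, patterns):
    """Return (physical_sector, byte_offset, match) for every hit in a raw buffer.
    The bytes are decoded as latin-1 so one character equals one byte and offsets
    stay byte-accurate. This models the 1-byte ASCII search only; it does not
    reproduce NetX's automatic 2-byte Unicode matching for \\u-style escapes."""
    text = data.decode("latin-1")
    hits = []
    for pat in patterns:
        for m in pat.finditer(text):
            hits.append((m.start() // SECTOR_SIZE, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample of "unallocated space": text fragments separated by filler bytes.
SAMPLE = (
    b"\x00" * 400
    + b"From: John.Smith-99@mail.example.com\r\n"
    + b"\xff" * 100
    + b"contact: alice_b@example.info\n"  # four-letter TLD
    + b'src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs223.ash2/'
    + b'48927_100000000000001_6880799_n.jpg"'
    + b"\x00" * 300
)


def run_sample():
    """Run the constructed keyword file over the constructed buffer."""
    return search_buffer(SAMPLE, load_keywords(KEYWORDS_TXT))


def first_hit(pattern, data):
    """First match of a single expression, or None. Used below to show that a
    case-sensitive range such as [a-z]+ returns a truncated address when the
    local part starts with capitals."""
    m = re.search(pattern, data.decode("latin-1"))
    return m.group(0) if m else None


if __name__ == "__main__":
    for sector, offset, match in run_sample():
        print(f"{sector}\t{offset}\t{match}")
    # The catch-all allows at most three TLD letters, so ".info" is reported as ".inf".
    # A lowercase-only expression skips the capitals and reports "mith@hotmail.com":
    print(first_hit(r"[a-z]+@hotmail\.com", b"From: John.Smith@hotmail.com"))
```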
BUILT-IN RECOVERY OPTIONS
Recovering Internet History
NetX can quickly and easily recover lost or deleted internet history records for Internet Explorer.
This includes IE cache found in Temporary Internet Files and IE history found in daily and weekly
index.dat files.
NetX provides this functionality through the /H switch and, by default, searches for Internet
Explorer history records only. The browser type to search for can be specified by appending the
first letter of the browser: /H:I (uppercase i) searches for history records for Internet Explorer.
Since this browser type is the default, the type option is not necessary.
Support for other browsers may be implemented in a future update.
The following is a sample use of the /H switch:
netx /v:c /t:u /h
In the above example, NetX will search the C: volume’s unallocated space. Without any other
switches, the results will only be reported in the Console window (on screen). To copy the results
out to disk, we would use the following, as another example:
netx /v:c /t:u /h /c /p:c:\temp
In the above example, the /C (copy) switch tells NetX to harvest any results to the path (/P
switch) defined as C:\temp.
NOTE: NetX will carve out each URL record into a separate, custom binary file using the file
extension: IXDAT. This file format is recognized by SiQuest’s Internet Examiner Version 3.8.11
software to facilitate further analysis and reporting of the results. In addition, NetX will create a
master index file comprising all of the discovered history records. This is a tab separated values
file which can be then easily viewed by third party tools such as Microsoft Excel.
Recovering JPEGS
NetX has a built-in command line switch designed to optimize and expedite the recovery of JPEGs
from existing files, or hidden disk space (e.g., Unallocated Space).
The /J switch can be used all by itself which tells NetX to recover any size of JPEG.
Recovering Only JPEGs of a Certain Size Range
If you would like to recover JPEGs of a certain size range (in KB), then you can define this
condition using the range attribute like this:
netx /j:10-100
Remember, the range values represent sizes in KB (kilobytes).
Recovering Photographic Quality (High Res) Images
NetX has the ability to locate JPEG images that have a specific “aspect ratio”. SiQuest has
developed an algorithm that measures the difference between the height and width of an image,
expressed as a percentage value. NetX refers to this unique value as the Photograph Aspect Ratio
Differential, which is calculated as follows:
PARD = 100 percent - ( (shortestSizeInPixels x 100) / longestSizeInPixels)
SiQuest developed this approach to categorize images in 2004. Based on their studies, the
optimal P.A.R.D. range is 15% to 40%.
NetX adopts this algorithm as an attribute to the /J switch and implements it as follows:
/j:400-3000%15-40
The above example filters images that have a WIDTH that is between 400 pixels and 3000 pixels --
AND -- that has a calculated PARD value that is between 15% and 40%.
NOTE: The “%” symbol is used to indicate to NetX that the range (e.g., 400-3000) is to treated as
WIDTH in PIXELS --- as opposed to a FILE SIZE range in KB.
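The PARD formula and the two forms of the /J attribute, worked through in Python as an added example (not NetX code): the parser distinguishes a KB size range from a WIDTH-plus-PARD range by the “%” marker, and the filter applies the guide’s formula. The bare-switch upper bound and the sample image dimensions are assumptions.

```python
from typing import NamedTuple, Optional


def pard(width, height):
    """Photograph Aspect Ratio Differential exactly as the guide defines it:
    PARD = 100 - (shortest side in pixels * 100) / longest side in pixels."""
    shortest, longest = min(width, height), max(width, height)
    return 100.0 - (shortest * 100.0) / longest


class JpegFilter(NamedTuple):
    lo: int                  # file-size range in KB, or WIDTH range in pixels
    hi: int
    pard_lo: Optional[int]   # PARD range in percent; None means a plain size filter
    pard_hi: Optional[int]


def parse_j_switch(attr):
    """Parse the attribute of /J. "" is the bare switch (any size); "10-500" is a
    size range in KB; "400-3000%15-40" is a WIDTH range in pixels plus a PARD
    range, the "%" being the marker that flips the first range from KB to pixels."""
    if not attr:
        return JpegFilter(0, 2 ** 31, None, None)  # assumed "no upper limit" value
    size_part, _, pard_part = attr.partition("%")
    lo, hi = (int(x) for x in size_part.split("-", 1))
    if not pard_part:
        return JpegFilter(lo, hi, None, None)
    pard_lo, pard_hi = (int(x) for x in pard_part.split("-", 1))
    return JpegFilter(lo, hi, pard_lo, pard_hi)


def accepts(flt, size_bytes, width, height):
    """Would a JPEG of this size and these dimensions pass the filter?"""
    if flt.pard_lo is None:
        return flt.lo <= size_bytes // 1024 <= flt.hi
    return flt.lo <= width <= flt.hi and flt.pard_lo <= pard(width, height) <= flt.pard_hi


if __name__ == "__main__":
    photo = parse_j_switch("400-3000%15-40")
    # Constructed dimensions: a 4:3 camera frame gives PARD 25 and is kept; a 16:9
    # screen capture gives PARD 43.75 and falls outside the 15-40 range.
    print(pard(1600, 1200), accepts(photo, 0, 1600, 1200))
    print(pard(1920, 1080), accepts(photo, 0, 1920, 1080))
```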
Customizing the Read Buffer
IMPORTANT:
If the upper value of your size range is greater than 500 (e.g., 500KB), then you should consider
increasing the Read Buffer size using the /B (buffer) switch. By increasing the size of the
buffer for each disk read, you increase the likelihood of NetX being able to locate JPEGs that are
greater than 500KB.
The /B (buffer) switch takes one attribute, which is the size of the buffer in sectors. Most disk
sectors are 512 bytes in size. The default buffer size is 10MB, so if you plan on searching for
large JPEGs, you should consider a buffer size of approximately 50MB. Here’s how you would
define this option:
netx /j:500-2000 /b:97656
Here, the value 97,656 is the number of 512 byte sectors that are contained in 50MB (or
50,000,000 bytes). The JPEG range attribute is looking for JPEGs that are between 500KB and
2MB.
ADVANCED OPTIONS
Changing the Background and Foreground Color
NetX makes it possible to customize the appearance of the Console window’s background color
and font color (foreground color). By default, NetX uses a black background and white font.
This feature might be useful when compiling a batch file with multiple NetX command lines, each
command line serving a different search function. In this case, it might be visually intuitive to
have each search window configured to use a different color scheme.
To change the background color, we use the /BGD switch.
To change the foreground color, we use the /FGD switch.
The colors supported by NetX are: White, Red, Green, Yellow, Blue, Gray and Black. The use of
both switches in the same command line is strictly optional. Whichever switch is omitted, NetX
will simply use the default instead.
EXAMPLES:
netx /bgd:red /fgd:white
netx /bgd:gray
netx /bgd:blue /fgd:yellow
Compiling Keyword Hits Into A Single MATCHES.TXT File
Sometimes, our keywords are GREP expressions intended only to capture a specific sequence of
characters (e.g., credit card numbers, email addresses, Facebook IDs).
Rather than copying / carving out each result (or hit) to a separate disk file, it can sometimes be
more efficient and meaningful to have the results compiled into a single list.
For this reason, NetX provides the /A switch for “Appending” results to a single results file –
which will always be called “matches.csv”.
The following example illustrates the power and simplicity of this feature. Let’s assume we have
a “keywords.txt” file (default filename) that contains one or more GREP keywords that are meant
to match on email addresses. To search the Unallocated Space of the C: drive and get the results
into a single MATCHES.TXT file using the /A switch, we would type in the following sample
commandline:
netx /v:c /t:u /k /a /p:s:\output
NOTE: The contents of the MATCHES.TXT file consist of tab delimited columns for each found
record. This enables the file’s contents to be easily imported into other programs such as
Microsoft Excel. Each record in the file contains (a) the physical sector number for the hit, and
(b) the actual keyword match value.
Using NULL, Double NULL & High Ascii Trim Options
One of the most powerful features of NetX is the ability to eliminate garbage or irrelevant
information when carving data.
A proximity search is a search that locates a keyword (or GREP expression) and then captures
data that is adjacent or surrounding the found artifact. The inherent problem is trying to
determine when or where to limit the capture.
Let’s discuss email messages found in Unallocated Space. Quite often, email messages are
partially overwritten, but the main substance of the message is intact. Finding a particular
message is rather easy; carving it is a bit tricky. Some tools that implement a proximity search
will carve the found keyword, but will also copy out an arbitrary number of bytes found before
and/or after the keyword. Unfortunately, the arbitrary nature of this approach is flawed because
it either captures too little or too much. In cases where too much data is captured, it usually
includes garbage data, which can sometimes produce dozens or more pages of results for
disclosure.
NetX solves this problem by implementing special trim character options which can be used when
searching for keywords. Before we discuss these characters, it is first important to know that the
trim options are used exclusively with the /K (keyword) and /C (copy) switches.
There are 3 trim characters:
1. NULL, which is represented as 0x00 in hex.
2. Double NULL (or NULL Unicode), which is represented as 0x00 0x00 in hex.
3. High Ascii character, which is any ASCII character higher than 127 in the ASCII Table.
The next section Extracting Email Messages specifically and effectively implements the NULL and
High Ascii trim character options.
Extracting Email Messages
At some point or another, you have undoubtedly run into the daunting task of having to (a)
search for, (b) identify, and then (c) recover e-mail messages from a computer’s hard drive.
While the common Outlook .PST file itself is commonplace and easy enough to explore, the real
difficulty lies in having to recover emails from Unallocated Space, Pagefile.sys and Hiberfil.sys
locations, to name a few.
NetX approaches this challenge by looking at the message “boundary” byte values, which allows for
a much cleaner and more accurate means of identifying and collecting messages. How is this done?
Quite simply: messages are typically formatted in plain ASCII text, which uses only the bytes 10,
13 and 32 through 127 of the internationally recognized ASCII Table.
To be more specific, byte 10 (0x0A) is a “newline” or “linefeed” character. Byte 13 (0x0D) is a
“carriage return”. Byte 32 is a [SPACE] and the rest are numbers and other characters.
NetX takes the approach of searching for “markers” or “special keywords” that will likely
landmark on a valid email message (assuming that the keyword is related to an email message).
Next, using special “proximity” attributes of the /C (copy) switch, we can scan BEFORE and AFTER
the keyword hit by X number of characters. But the “cleaning” part comes in when NetX “trims”
the block of data by the FIRST encountered NULL and/or HIGH ASCII character, in either direction
from the found hit.
The following command line will carve email messages cleanly from the sample C: drive’s
Unallocated Space, Pagefile.sys and Hiberfil.sys locations. It assumes that the user-defined
“emails.txt” keyword file contains the keyword “Return-Path”. It specifies that any found
messages are to be copied out to the C:\Temp directory and given a .TXT file extension.
netx /v:c /t:uph /k /c:-8192+20480 /x:txt /p:c:\temp /n /hi
NOTE: This unique approach will also capture BASE 64 attachments in their entirety, if present
and if not overwritten.
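The carving tip in the Facebook ID section and the email command above rely on the same mechanism: a proximity window around the keyword hit, trimmed back in each direction at the first boundary byte. The following is an added Python model of that behaviour, not NetX code. The constructed sample buffers, the 512-byte sector size, the output-file naming and the exact trim rules (the hit itself is never trimmed; a double NULL is the first 0x00 0x00 pair met) are assumptions.

```python
SECTOR_SIZE = 512  # assumption: 512-byte sectors (the guide says most disks use this)


def trim_bounds(buf, start, end, hit_start, hit_end, null=False, double_null=False, high=False):
    """Shrink the capture window [start, end) toward the hit, stopping at the FIRST
    boundary byte met in each direction: 0x00 for /N, 0x00 0x00 for /NN, a byte
    above 127 for /HI. The hit itself is never trimmed (an assumption)."""
    def boundary(i, step):
        b = buf[i]
        if high and b > 127:
            return True
        if null and b == 0:
            return True
        if double_null and b == 0:
            j = i + step  # the neighbour further along the scan direction
            return 0 <= j < len(buf) and buf[j] == 0
        return False

    lo = hit_start
    while lo > start and not boundary(lo - 1, -1):
        lo -= 1
    hi = hit_end
    while hi < end and not boundary(hi, +1):
        hi += 1
    return lo, hi


def carve(buf, hit_start, hit_end, before, after, **trim):
    """Model /C:-<before>+<after>: take `before` bytes ahead of the hit and `after`
    bytes past it, then apply whichever trim switches were given."""
    start = max(0, hit_start - before)
    end = min(len(buf), hit_end + after)
    lo, hi = trim_bounds(buf, start, end, hit_start, hit_end, **trim)
    return buf[lo:hi]


def output_name(ordinal, hit_offset, ext):
    """Ordinal index followed by the physical sector of the hit, mirroring what the
    guide says about NetX output names (the exact NetX format is not reproduced)."""
    return f"{ordinal:04d}_sector{hit_offset // SECTOR_SIZE}.{ext}"


def carve_keyword(buf, keyword, before, after, ext="txt", **trim):
    """Find every literal occurrence of `keyword` and carve around it."""
    results = []
    pos = buf.find(keyword)
    while pos != -1:
        data = carve(buf, pos, pos + len(keyword), before, after, **trim)
        results.append((output_name(len(results) + 1, pos, ext), data))
        pos = buf.find(keyword, pos + 1)
    return results


# Constructed sample: an ASCII message in "unallocated space" between a run of
# zero bytes, two high-ASCII bytes, and leftover slack from an older file.
MESSAGE = (b"Return-Path: <sender@example.com>\r\n"
           b"Subject: constructed sample\r\n\r\nBody text.\r\n")
SAMPLE = b"\x00" * 700 + b"\xe9\xff" + MESSAGE + b"\xff\xfe" + b"old slack" + b"\x00" * 500

# Constructed UTF-16LE variant: every other byte is 0x00, so /N cuts after the
# first character while /NN runs on to the real double-NULL terminator. Note that
# the last character's own 0x00 forms the first half of that pair and is cut with it.
UTF16_MSG = "Return-Path: x".encode("utf-16-le")
SAMPLE16 = b"\x00\x00" + UTF16_MSG + b"\x00\x00"


def demo():
    """The guide's -8192/+20480 window with no trim, with /N /HI, and /N vs /NN on UTF-16."""
    raw = carve_keyword(SAMPLE, b"Return-Path", 8192, 20480)
    clean = carve_keyword(SAMPLE, b"Return-Path", 8192, 20480, null=True, high=True)
    key16 = "Return-Path".encode("utf-16-le")
    n16 = carve_keyword(SAMPLE16, key16, 8192, 20480, null=True)
    nn16 = carve_keyword(SAMPLE16, key16, 8192, 20480, double_null=True)
    return raw, clean, n16, nn16


if __name__ == "__main__":
    for name, data in demo()[1]:
        print(name, len(data), "bytes")
        print(data.decode("ascii"))
```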
The following diagrams illustrate a sample Outlook email message found in Unallocated Space.
You will notice that the first image shows the initial keyword hit. The 2nd and 3rd images
demonstrate the “boundary” characters used to “clean” the carved result.
Image 1.0 – Keyword match on “Return-Path”
Image 1.2 – Boundary character is the first encountered NULL (0x00) – BEFORE keyword hit
Image 1.3 – Boundary character is the first encountered NULL (0x00) – AFTER keyword hit
The following image is a screenshot of Windows Explorer listing the results in the output folder.
You will notice that each artifact is assigned an ordinal (index) number, followed by the Physical
Sector number where the hit was found. This is extremely helpful for locating the original hit in
the source evidence (e.g., hard drive image file).
Image 1.4 – The outputted results
Image 1.5 – Contents of one of the sample recovered messages
Note how clean the message appears. There is no garbage data to get in the way of examining
the results.
TIPS FOR ENCASE USERS
One of the best ways to examine data that has been collected with NetX is by creating a Logical
Evidence File using EnCase. Guidance Software’s EnCase software provides a nice way to encapsulate
specific groups of files for standalone analysis by creating a single logical image of the NetX results
folder.
A particularly useful way to disclose email recovered with NetX (see section on Outlook email) is to
create a single report of all the contents of each file recovered. This makes it easy to identify using
NetX’s descriptive filename. It also makes it easy to report the results in Word format making it easy
for evidence reviewers to search the results.
Since NetX’s email recovery sample can recover Base 64 attachments, EnCase could then easily decode
these files for even further analysis.
FAQ
Q. What’s the difference between NetX and NetX Triage?
NetX is the software. NetX Triage is the software which is accompanied by a USB 1GB Flash Memory
Security Key. NetX is offered to existing licensed users of SiQuest’s Internet Examiner software at no
additional cost. New users that purchase NetX Triage by itself will receive both the software and the
USB 1GB Flash Memory Security Key.
Q. I am an existing SiQuest customer and NetX user. Can I upgrade to the Triage edition by getting
the USB 1GB Flash Memory Security Key?
Yes. For a small fee, the flash key can be sent to existing customers. Please note that in doing so, the
new key will function only with NetX and no other SiQuest product. A plan is currently in development
to eventually allow SiQuest customers to “move” their licenses from non-flash memory keys to the new
flash memory keys.
Q. Can NetX search MAC hard drives?
Yes. NetX can search MAC file system formatted hard drives at the physical level only. This is done by
searching the entire drive’s contents sector by sector.
Q. Can NetX search Unix-like system drives?
Theoretically yes. However, like the MAC, NetX would only be able to search the drive at the physical
sector level.
Q. Is it possible to run several commands at the same time? What is the best way to do so?
Yes. The easiest way is to create a single BATCH file. Simply create a new plain text file, and create a
specific NetX command line for each type of search you want to perform concurrently. Make sure that
“each line” in the text file contains ONLY 1 valid NetX command line. This should technically spawn off
multiple instances of NetX with each search being reported in a separate Console window.
Q. I installed NetX but when I run it, the program simply does nothing. What’s wrong?
For some reason, your system is missing a dependency file of some sort. This may occur if you have
other software installed on your system that happens to make use of the same dependency files. The
NetX Setup Program may, in rare situations, skip the installation of these files, which may be
outdated. In most cases, this problem will revolve around the Visual C++ 2010 SP1 Redistributable (x86)
library, which many vendor products make use of. If this happens, simply download this update from
Microsoft’s website, which will ensure that your system is brought up to date.
Q. When I run a search for my custom keywords, NetX runs but then seems to get stuck or freezes?
Check your GREP expressions very carefully. Try validating your expressions by creating some sample
data using Notepad and putting it in a separate folder. Run NetX on that short sample data using the /F
switch option for speed while testing. If your test fails to finish, OR NetX hangs, OR the search
completes instantly, then chances are your GREP expressions are poorly designed. This is often
caused by the use of too many wildcards and/or an ambiguous search term.
TIP: If NetX complains when using certain characters in your GREP (e.g., an underscore), try using an
ESCAPE character (e.g., \_ ) or for better accuracy, use the HEX variation instead (e.g., \x95 or \u0095
for Unicode).