• Encase C4P bookmark files and Reconnoitre

    I am pleased to announce a new feature in Reconnoitre: the ability to import Encase bookmarks created and exported by C4P and to identify the files within shadow copies that relate to those bookmarks.

    For those of you who already own Reconnoitre you can download the latest version here: http://sandersonforensics.com/files/reconnoitre.exe

    For those who wish to evaluate Reconnoitre then please request an eval download link by emailing me at paul@sandersonforensics.com.

    Currently, when C4P/C4ALL is used to categorise files extracted from an Encase image, a bookmark export file can be created to bring the categorisations back into Encase. This works well for files that exist in the normal file system (live files) and for files that have been carved from the pagefile or from unallocated space. However, for files that have been carved from a shadow copy the process does not work so well. In this instance the bookmark created by the C4P script can only identify a byte range within the shadow volume file; it cannot identify the file that exists within the shadow volume at that location, and, more importantly, the metadata associated with that file is missing. So, if a deleted file exists within a shadow copy, or a graphic carved by C4P is actually embedded within a document or a thumbs.db, this information will not be made available to the investigator.

    Reconnoitre now addresses these issues: when a C4P Encase bookmark file is imported into Reconnoitre, any file within a shadow volume that can be matched to the byte range in the bookmark file is highlighted and given the categorisation assigned in C4P. If a byte range corresponds to a graphic embedded within another file (e.g. a thumbs.db file within a shadow volume), Reconnoitre will also show this.
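    To make the matching idea concrete, here is a small added illustration (my own example, not Reconnoitre's or C4P's code). It assumes that, for a shadow volume, we already know where each file's data lives as a list of (start, length) byte extents within the shadow volume file, and that for container files such as a thumbcache the position of each embedded graphic within the file is also known. A bookmark is just a byte range in the shadow volume file; the code translates it into a logical offset within the owning file, surfaces that file's metadata, and reports the embedded graphic if the range falls inside one. All names, offsets and dates are constructed sample values.

```python
"""Match a carved byte range (a C4P-style bookmark) back to the file in a
shadow volume that contains it, and to an embedded graphic if applicable.
Added illustration; assumes file extents and embedded-item positions are
already known. All sample values below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FileEntry:
    name: str
    extents: List[Tuple[int, int]]          # (start in shadow volume file, length)
    created: str                            # metadata we want to show next to a hit
    # embedded items: (name, offset within this file, length)
    embedded: List[Tuple[str, int, int]] = field(default_factory=list)


@dataclass
class Bookmark:
    category: str
    offset: int        # start byte within the shadow volume file
    length: int


@dataclass
class Match:
    category: str
    file: str
    created: str
    file_offset: int                    # logical offset of the range within the file
    embedded: Optional[str] = None      # embedded graphic that covers the range, if any


def to_file_offset(entry: FileEntry, vsc_offset: int, length: int) -> Optional[int]:
    """Translate a byte range in the shadow volume file into a logical offset
    within `entry`, provided the range lies wholly inside one of its extents.
    Extents are walked in file order so fragmented files resolve correctly."""
    logical = 0
    for start, ext_len in entry.extents:
        if start <= vsc_offset and vsc_offset + length <= start + ext_len:
            return logical + (vsc_offset - start)
        logical += ext_len
    return None


def match_bookmark(bm: Bookmark, files: List[FileEntry]) -> Optional[Match]:
    """Return the file (and embedded item) that owns the bookmarked range,
    or None when the range lies outside every known file: that is the case
    the investigator must still treat as an unattributed carve."""
    for f in files:
        fo = to_file_offset(f, bm.offset, bm.length)
        if fo is None:
            continue
        emb = None
        for name, eoff, elen in f.embedded:
            if eoff <= fo and fo + bm.length <= eoff + elen:
                emb = name
                break
        return Match(bm.category, f.name, f.created, fo, emb)
    return None


def match_all(bookmarks: List[Bookmark], files: List[FileEntry]) -> List[Optional[Match]]:
    return [match_bookmark(b, files) for b in bookmarks]


# Constructed sample: one fragmented thumbcache with two embedded thumbnails,
# one plain document, and four bookmarks (the last one matches nothing).
SAMPLE_FILES = [
    FileEntry("thumbcache_32.db", [(4096, 8192), (65536, 4096)], "2012-01-05 10:14:03",
              embedded=[("thumb_0001.jpg", 512, 2000), ("thumb_0002.jpg", 9000, 1500)]),
    FileEntry("report.docx", [(20480, 6000)], "2012-02-11 09:00:00"),
]
SAMPLE_BOOKMARKS = [
    Bookmark("Category 1", 4608, 2000),    # first extent of the thumbcache
    Bookmark("Category 2", 66436, 600),    # second (fragmented) extent
    Bookmark("Category 1", 20480, 100),    # start of report.docx
    Bookmark("Category 3", 100000, 10),    # outside every known file
]

if __name__ == "__main__":
    for bm, m in zip(SAMPLE_BOOKMARKS, match_all(SAMPLE_BOOKMARKS, SAMPLE_FILES)):
        print(f"{bm.offset}+{bm.length} -> {m if m else 'no owning file (unattributed carve)'}")
```

    The second bookmark is the interesting case: its range sits in the file's second extent, so its logical offset (9092) is only correct because extents are walked in order, and that is what lets it be attributed to the second embedded thumbnail rather than reported as a loose carve.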

    In the example below a number of files have been carved with C4P and the bookmark file imported into Reconnoitre. We can see from the “attr” column that some of the files are flagged as “C4P carved”; these are the carved entries from the C4P bookmark file. This view also shows the parent thumbscache_32.db file and 4 additional copies of this file that appear in 4 different VSCs, together with their metadata including the date of creation etc. The view also shows the carved thumbnails from within each of the thumbscache_32.db files along with the offset of each thumbnail within those files. We can also see the metadata associated with the parent file, allowing us, as investigators, to place the proper provenance on these carved images.

    Reconnoitre has many more features than this including further features to integrate with C4P hash servers and the ability to display a map showing where a picture was taken based on EXIF GPS data, and more.

    Reconnoitre also has other features for working with C4All, such as the ability to directly query a C4P Hash server.

    More information here: http://sandersonforensics.com/forum/...68-Reconnoitre