Reconstructing a system's Internet Explorer Activity with Pasco


Post  joetekno on Thu Mar 12, 2009 1:41 am

Pasco will allow you to read an Internet Explorer index.dat file and output it to an index.txt file for easy analysis of a system's internet activity. I did not find Pasco on the default install of CAINE to a hard drive. Here are the instructions I used to install it and how to use it.

INSTALLATION

1. Download pasco, at the time of this writing it was found here: http://downloads.sourceforge.net/odessa/pasco_20040505_1.tar.gz?use_mirror=internap

2. Save the file to your desktop

3. Double Click the pasco_20040505_1.tar.gz file to open it and drag the contents to the desktop

4. Open a terminal window

5. Become the root user (ie sudo su)

6. Maneuver to your CAINE user's desktop. (ie cd /home/<username>/Desktop)

7. Maneuver into the pasco src directory. (ie cd pasco_20040505_1/src)

8. Make the pasco source (ie make install)

NOTE: You may receive some warning messages. Ignore them...

9. Maneuver into the pasco bin directory. (ie cd ../bin)

10. Copy the pasco binary to the /sbin directory. (ie cp pasco /sbin/pasco)


USAGE

If you have created an image file of the suspect hard drive you'll need to mount it to obtain the index.dat files. (see Using CAINE and MMLS to mount an image of an NTFS drive). Either copy or create a symbolic link to the index.dat file. Type the command as follows:

pasco index.dat > index.txt

The easiest way to view your new index.txt file is in a spreadsheet program

"Start"... Office... Gnumeric Spreadsheet


Last edited by joetekno on Thu Apr 23, 2009 2:14 am; edited 1 time in total


Re: Reconstructing a systems Internet Explorer Activity with Pasco

Post  slo.sleuth on Tue Apr 21, 2009 11:15 pm

joetekno,

I get an error when I try to make pasco:

/pasco_20040505_1/src$ make
gcc -o pasco pasco.c -lm -lc;cp pasco ../bin
pasco.c: In function ‘win_time_to_unix’:
pasco.c:100: warning: integer constant is too large for ‘long’ type
pasco.c: In function ‘main’:
pasco.c:380: warning: incompatible implicit declaration of built-in function ‘strcpy’
pasco.c:400: warning: incompatible implicit declaration of built-in function ‘strncpy’

How did you overcome this?

slo.sleuth


pasco deb package

Post  denis on Wed Apr 22, 2009 3:00 pm

In the readme file the author writes to use "make install" directly, but using it we also get the same error:

/pasco_20040505_1/src$ make
gcc -o pasco pasco.c -lm -lc;cp pasco ../bin
pasco.c: In function ‘win_time_to_unix’:
pasco.c:100: warning: integer constant is too large for ‘long’ type
pasco.c: In function ‘main’:
pasco.c:380: warning: incompatible implicit declaration of built-in function ‘strcpy’
pasco.c:400: warning: incompatible implicit declaration of built-in function ‘strncpy’


Also in the Ubuntu 8.04 Standard version, so I suggest using this deb package:
http://ftp.iitm.ac.in/ubuntu/pool/universe/p/pasco/pasco_1.0+20040505-3_i386.deb

It works fine.

Regards,
Denis


pasco deb package

Post  joetekno on Wed Apr 22, 2009 10:58 pm

Denis,

I didn't have the error, so I can't be of much help on why you did. I most likely installed Pasco on CAINE V.4 which might be why there is a difference. I'll have to try it on the CAINE V.5 and see if I get an error.

Thanks for the information on the .deb package, that will save me time if I would have had to research the error.

Regards,

Joe


pasco errors

Post  joetekno on Thu Apr 23, 2009 2:18 am

slo.sleuth,

I installed CAINE V.5 and updated it today. I ran into the same error you had. I found the pasco binary in the "bin" directory within Pasco's extracted directory. When I ran it, it worked just fine. So now we have two ways to install it.

I updated my instructions with a "NOTE" letting others know they may run into the warning messages and to ignore them.

Regards,

Joe


Re: Reconstructing a systems Internet Explorer Activity with Pasco

Post  denis on Thu Apr 23, 2009 11:55 pm

Trying to install Pasco on CAINE v.0.5 or on Ubuntu 8.04 standard, we get errors.
As slo.sleuth noted, in the bin directory we can find a binary.
Although the binary appears to work, I would be cautious in using it in an investigative analysis of a real event, having generated errors at compile time.


pasco errors

Post  joetekno on Fri Apr 24, 2009 2:16 am

denis,

I agree, it should be used with caution until it is validated. I have contacted Foundstone support with the list of errors to see what they say about them.

Thanks,

Joe


Foundstone feedback on Pasco Error

Post  joetekno on Tue Apr 28, 2009 1:17 am

Denis,

I received this back from Foundstone:

"We did not encounter any issues while using the tool. We don't think that the warning has an impact on the results. It probably will be a good idea to fix those warnings though. I will let the developer know.

Feel free to post it on the message board. Thank you for your feedback. We appreciate it."

I'll follow up with them to find out what the developer said.

Regards,

Joe


outdated libraries

Post  slo.sleuth on Tue Apr 28, 2009 1:29 am

joetekno,

I recall now dealing with this issue a year ago. Steve Gibson sent this fix on the linux_forensics yahoo group:

Add the following #include along with the others
#include <string.h>
(gets rid of the implicit declaration for strcpy warning)

Around line 100, change:
dbl -= 11644473600;
to:
dbl -= 11644473600ULL;
(which changes it to an unsigned long long constant)

Recompile:

# gcc pasco.c -o pasco

Maybe you could forward to your contact at Foundstone. I recall having similar compile errors for galleta.

slo.sleuth
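
The warning at pasco.c:100 concerns the 11644473600-second offset between the Windows FILETIME epoch (1601) and the Unix epoch (1970), so a known-answer check on that conversion is one way to validate a freshly compiled binary before relying on its timestamps. The following is an added example, not pasco's code and not part of the original posts; the function names are hypothetical and the test vectors are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01; ULL keeps it 64-bit. */
#define EPOCH_DIFF_SECS 11644473600ULL
#define TICKS_PER_SEC   10000000ULL /* FILETIME counts 100 ns ticks */

/* Assemble the 8 little-endian bytes of an on-disk FILETIME. */
uint64_t filetime_from_le(const unsigned char b[8]) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | b[i];
    return v;
}

/* FILETIME to Unix seconds; -1 if before 1970 (covers the all-zero case). */
int filetime_to_unix(uint64_t ft, int64_t *out) {
    uint64_t secs = ft / TICKS_PER_SEC;
    if (secs < EPOCH_DIFF_SECS) return -1;
    *out = (int64_t)(secs - EPOCH_DIFF_SECS);
    return 0;
}

/* Format Unix seconds as UTC text; NULL on failure. */
const char *format_utc(int64_t t, char *buf, size_t n) {
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    return (tm && strftime(buf, n, "%Y-%m-%d %H:%M:%S", tm)) ? buf : NULL;
}

/* Known-answer check on constructed vectors; returns the failure count. */
int self_check(void) {
    /* Unix epoch = 0x019DB1DED53E8000 ticks; 1234567890 s = 128790414900000000 ticks */
    const unsigned char epoch_le[8] = {0x00,0x80,0x3E,0xD5,0xDE,0xB1,0x9D,0x01};
    char buf[32];
    int64_t t = -1;
    int fails = 0;
    fails += filetime_from_le(epoch_le) != 116444736000000000ULL;
    fails += filetime_to_unix(116444736000000000ULL, &t) != 0 || t != 0;
    fails += filetime_to_unix(128790414900000000ULL, &t) != 0 || t != 1234567890;
    fails += !format_utc(t, buf, sizeof buf) || strcmp(buf, "2009-02-13 23:31:30");
    fails += filetime_to_unix(0, &t) != -1;
    return fails;
}

int main(void) {
    printf("known-answer failures: %d\n", self_check());
    return 0;
}
```

Comparing a tool's output for an index.dat record against an independent conversion like this one gives a reproducible basis for trusting, or rejecting, the timestamps it reports.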


Pasco Error Fix

Post  joetekno on Tue Apr 28, 2009 2:48 pm

slo.sleuth,

Thank you, thank you! I'll pass it along.

Regards,

Joe
