Static Forensic Analysis in Japanese (and other Languages)

From: Doug.Barbinat_private
Date: Fri Mar 29 2002 - 18:28:26 PST


    I've got an interesting issue that I'm tackling that I thought I'd
    throw out to the group for discussion.  I'm going to Japan to perform
    forensic imaging and analysis of several laptop PCs.  I'm assuming that,
    aside from power conversion and a few other idiosyncrasies, the imaging
    piece will not be a problem.  A few more details: these machines will be
    Windows 2000 laptops, most likely imaged using EnCase or dd.  I'll have the
    ability to run either the EnCase or FTK forensic suite against the images, as
    well as all of the freely available command-line tools.  Linux is a
    possibility as well.
    
    The interesting piece comes in the analysis portion.  Of interest will be
    e-mail, files, and deleted space.  I was wondering if anyone had any
    experience performing keyword (or grep) searches and other types of
    analytics in Kanji (Japanese) or another language that does not use
    English-like characters.  I do not think you can type Japanese terms into
    EnCase.  I'm also guessing FTK's dtSearch indexing function will not allow
    me to index in Kanji.  Command-line tools, I imagine, will depend on the
    interface.
    
    Some ideas so far . . . feel free to add:
    - The e-mail will be in .pst files.  Therefore, I should be able to mount it
    in a Japanese configured PC, with Outlook so that a Japanese person can read
    through the e-mails.  FTK may also be able to parse the e-mail assuming the
    character sets are installed on the analysis PC.
    - I could use a Win32 port of grep on a Japanese configured PC.
    - Ontrack PowerDesk has a halfway decent search utility I could run on a
    Japanese PC.
    - I could use a Japanese PC to convert the sought-after words to hex and
    then run those searches in EnCase.
    
    Any other ideas/experiences?  Thanks.
    
    -DB
    
    Douglas W. Barbin, CISSP, CFE
      Principal Consultant
       W: 925.945.8093 E-Fax: 240.331.6030 M: 415.806.4064
       528-C North Civic Drive
       Walnut Creek, CA 94596  www.guardent.com 
       PGP: 64CB ACA8 0474 B9AF 1B24 6756 FA80 A274 55A3 4122
    ______________________________________________________
    G U A R D E N T  
      Enterprise Security and Privacy Programs
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
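
The last idea in the post above, converting a Japanese search term to its byte form and searching for the bytes rather than the characters, is the one that works regardless of what the forensic tool's keyword dialog accepts. The catch is that a single Japanese word has several distinct byte forms on a Windows 2000 image: Microsoft's Shift_JIS variant (cp932) for file content and registry strings, UTF-16LE for NTFS filenames and most Windows internal strings, ISO-2022-JP in mail bodies, and EUC-JP or UTF-8 in documents that came from elsewhere. A hex search for only one of them misses the rest. The script below is an added example, not part of the original post or of any of the tools it names: it takes a keyword, emits the hex string for every encoding (ready to paste into a tool that takes hex keywords), and runs a byte-oriented search over a raw image so the same logic covers unallocated space and slack. The list of encodings and the sample "image" are constructed assumptions for the example; extend the list to whatever the case actually turns up.

```python
import re

# Encodings a Japanese-language Windows 2000 image is likely to contain.
# This list is an assumption for the example; extend it to whatever the
# case actually shows. cp932 is Microsoft's Shift_JIS variant used for
# file content and registry strings; utf-16-le covers NTFS filenames and
# most Windows internal strings; iso2022_jp is the usual encoding of
# Japanese mail bodies; euc_jp shows up in anything that passed through a
# Unix host; utf-8 in newer documents.
ENCODINGS = ("cp932", "utf-16-le", "iso2022_jp", "euc_jp", "utf-8")

ISO2022_ASCII = b"\x1b(B"  # ESC ( B: the escape back to ASCII


def keyword_patterns(keyword):
    """Map each encoding to the byte string that keyword becomes in it.

    Identical byte forms (an ASCII keyword is the same in cp932, euc_jp,
    iso2022_jp and utf-8) are collapsed onto the first encoding listed so
    that one hit is not reported five times.
    """
    forms = {}
    seen = set()
    for enc in ENCODINGS:
        try:
            pat = keyword.encode(enc)
        except UnicodeEncodeError:
            continue  # keyword not representable in this encoding
        if enc == "iso2022_jp" and pat.endswith(ISO2022_ASCII):
            # The codec appends ESC ( B after the last kanji; on disk the
            # keyword is usually followed by more kanji, so drop it. The
            # leading ESC $ B is kept: without it the bare JIS bytes are all
            # printable ASCII and would match random English text.
            pat = pat[: -len(ISO2022_ASCII)]
        if pat in seen:
            continue
        seen.add(pat)
        forms[enc] = pat
    return forms


def hex_forms(keyword):
    """Space-separated upper-case hex for each byte form, ready to be typed
    into a tool that accepts hex keywords instead of Japanese text."""
    return {enc: " ".join(f"{b:02X}" for b in pat)
            for enc, pat in keyword_patterns(keyword).items()}


def search_image(data, keywords):
    """Scan a raw image (bytes) for every byte form of every keyword.

    Returns a sorted list of (byte_offset, keyword, encoding). Matching is
    byte-oriented, so unallocated space and file slack are searched the
    same way as live files.
    """
    hits = []
    for kw in keywords:
        for enc, pat in keyword_patterns(kw).items():
            for m in re.finditer(re.escape(pat), data):
                hits.append((m.start(), kw, enc))
    return sorted(hits)


# Constructed stand-in for a disk image (not real evidence): the same word
# in three encodings plus an ASCII filename, separated by zero padding.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + "日本".encode("cp932")            # offset 16: Shift_JIS file content
    + b"\x00" * 8
    + "日本".encode("utf-16-le")        # offset 28: NTFS-style UTF-16LE string
    + b"\x00" * 8
    + "日本語".encode("iso2022_jp")     # offset 40: mail-body style JIS text
    + b"report.txt"                     # offset 52: plain ASCII
)

if __name__ == "__main__":
    for enc, hx in hex_forms("日本").items():
        print(f"{enc:12s} {hx}")
    for off, kw, enc in search_image(SAMPLE_IMAGE, ["日本", "report"]):
        print(f"0x{off:08X} {kw} ({enc})")
```

Two things worth noting when using this against a real image. First, a UTF-16LE hit can start at an odd byte offset; the search is byte-based, so that is handled, but a tool that only searches on even alignment will miss it. Second, ISO-2022-JP keywords are only found when the keyword begins a kanji run; to catch mid-run occurrences, search for the pattern with the leading ESC $ B removed as well, and expect false positives on ASCII text that you then weed out by hand.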
    



    This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 10:02:45 PST