Forensic Blogs

An aggregator for digital forensics blogs

February 1, 2015 by ramslack

Year of Python (YOP) – Week Five

Hello Reader!

So here we are at part 2 of last week's post. On the GitHub site, the Week 5 code contains both parts. I figured it would be easier to have the entire piece of code than to try to separate out the second part.

So at this part of the code we’re dealing with the Cache Directory Table.  The cache directories hold the temporary files for Internet Explorer, and are grouped in quantities of four.  Normally there are only four of these directories, but there can be more.  The names of these directories are randomly generated.

So first, at offset 72 of the index.dat file, we have the number of cache directories. The first thing I did in my code was pull that 4-byte value and use it as the count of directories I'll need to parse out.

num_cache_dir_entries = ie_ind_four_byte(ie_index_header[72:76])
num_cache_dir_parse = num_cache_dir_entries
start = 76
end = 88

Each cache directory is 12 bytes long, so I initialize a start point of 76 and an end point of 88.  This should handle the first directory entry.  Then all I need to do is move the end value to the start value, and then create a new end value by adding 12 to the new start value.  Then just repeat until the number of cache directories I have to parse is zero.

dict_cache_dir_entry = {}  # initialize a dictionary to put the cached directory name and no of cached files
while num_cache_dir_parse > 0:
    cache_dir_entry = ie_ind_cache_dir_entry(ie_index_header[start:end])
    dict_cache_dir_entry[cache_dir_entry[1]] = cache_dir_entry[0]
    # increment our variables
    start = end  # Pass the previous ending point to the start
    end = end + 12  # Now add 12 to the previous ending point to get the new one
    num_cache_dir_parse -= 1

I also create a dictionary called dict_cache_dir_entry that I use to store the cache directory name and the number of cached files in that directory. I use the directory name as the key and the number of cached files as the value. The trick is that in the index.dat file the number of cached files comes first and the directory name second, so I have to swap the two when filling the dictionary.

Finally I print out the data along with the other information.

That’s all for this week!


Read the original at: RAM Slack - Random Thoughts from a Computer Forensic Examiner

January 25, 2015 by ramslack

Year of Python (YOP) – Week Four

Hello Reader!

So we've made it to one month, and this week we have a two-part code snippet. Both parts (this week's and next week's) are designed to parse the header of an index.dat file. I'm using the following documentation from Joachim Metz to write the parser:

https://github.com/libyal/libmsiecf/wiki (click on the Documentation link)

The code parses the first 72 bytes of the file header. What I decided to do when I was writing this was create two functions: one to parse out a 4-byte value, and the other to parse out an 8-byte value. That way I'm able to reuse the same functions multiple times. The same two functions will also be used in part 2 of this script when I post it next week.

import struct

def ie_ind_four_byte(decoder):
    # unpack a little-endian unsigned 4-byte value
    ind_four_byte = struct.unpack("<I", decoder)[0]
    return ind_four_byte

Once the data is all parsed out, it prints the output for the user. Part 2 next week will be the code I wrote to parse the cache directory table.
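Parts 1 and 2 put together, as an added worked example rather than the author's Week 4/5 code from GitHub: the fixed header fields from this post plus the cache directory table from the Week Five post above, with the bounds and sanity checks a parser needs before it trusts a count read out of the file. Offsets 72 and 76 and the 12-byte entry size are from the posts; the other field offsets and the split of each entry into a 4-byte file count followed by an 8-byte name follow the libmsiecf documentation the post links to as I recall it, so treat them as assumptions to verify against that page. The MAX_CACHE_DIRS cap, the field names and the sample header are constructed for this example.

```python
import struct

# Offsets quoted in the posts: directory count at 72, table at 76, 12 bytes per entry.
# Remaining offsets follow the libmsiecf documentation as recalled (assumption; verify).
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"  # 28 bytes
CACHE_DIR_TABLE_OFFSET = 76
CACHE_DIR_ENTRY_SIZE = 12
MAX_CACHE_DIRS = 64  # sanity cap (assumption): the posts say there are normally four


def ie_ind_four_byte(decoder):
    """Little-endian unsigned 32-bit value."""
    return struct.unpack("<I", decoder)[0]


def ie_ind_eight_byte(decoder):
    """Little-endian unsigned 64-bit value."""
    return struct.unpack("<Q", decoder)[0]


def ie_ind_cache_dir_entry(entry):
    """One 12-byte entry: (number of cached files, directory name)."""
    # Assumption: 4-byte count first, then an 8-byte ASCII name (count-first, as the post says)
    count = ie_ind_four_byte(entry[0:4])
    name = entry[4:12].rstrip(b"\x00").decode("ascii", errors="replace")
    return (count, name)


def parse_index_header(data):
    """Parse the fixed header and the cache directory table; ValueError on malformed input."""
    if len(data) < CACHE_DIR_TABLE_OFFSET:
        raise ValueError("data too short for an index.dat header")
    if data[0:28] != SIGNATURE:
        raise ValueError("unexpected signature: %r" % data[0:28])
    header = {
        "file_size": ie_ind_four_byte(data[28:32]),
        "hash_table_offset": ie_ind_four_byte(data[32:36]),
        "number_of_blocks": ie_ind_four_byte(data[36:40]),
        "number_of_allocated_blocks": ie_ind_four_byte(data[40:44]),
        "cache_size_limit": ie_ind_eight_byte(data[48:56]),
        "cache_size": ie_ind_eight_byte(data[56:64]),
        "non_releasable_cache_size": ie_ind_eight_byte(data[64:72]),
    }
    num_cache_dirs = ie_ind_four_byte(data[72:76])
    # A corrupt or crafted file can claim any count; bound it before slicing by it.
    if num_cache_dirs > MAX_CACHE_DIRS:
        raise ValueError("implausible cache directory count: %d" % num_cache_dirs)
    table_end = CACHE_DIR_TABLE_OFFSET + num_cache_dirs * CACHE_DIR_ENTRY_SIZE
    if len(data) < table_end:
        raise ValueError("cache directory table runs past the end of the data")
    cache_dirs = {}
    start, end = CACHE_DIR_TABLE_OFFSET, CACHE_DIR_TABLE_OFFSET + CACHE_DIR_ENTRY_SIZE
    for _ in range(num_cache_dirs):
        count, name = ie_ind_cache_dir_entry(data[start:end])
        cache_dirs[name] = count  # name is the key, file count the value (swapped, as in the post)
        start, end = end, end + CACHE_DIR_ENTRY_SIZE
    header["cache_directories"] = cache_dirs
    return header


def build_sample_header(cache_dirs, file_size=0x8000):
    """Constructed sample header with the given (name, count) directories; not a real file."""
    buf = bytearray(CACHE_DIR_TABLE_OFFSET)
    buf[0:28] = SIGNATURE
    buf[28:32] = struct.pack("<I", file_size)
    buf[32:36] = struct.pack("<I", 0x4000)            # hash table offset (made up)
    buf[36:40] = struct.pack("<I", 256)               # number of blocks (made up)
    buf[40:44] = struct.pack("<I", 40)                # allocated blocks (made up)
    buf[48:56] = struct.pack("<Q", 50 * 1024 * 1024)  # cache size limit (made up)
    buf[56:64] = struct.pack("<Q", 3 * 1024 * 1024)   # cache size (made up)
    buf[64:72] = struct.pack("<Q", 0)
    buf[72:76] = struct.pack("<I", len(cache_dirs))
    for name, count in cache_dirs:
        buf += struct.pack("<I", count) + name.encode("ascii").ljust(8, b"\x00")
    return bytes(buf)


# Constructed directory names and counts (real names are random 8-character strings)
SAMPLE_DIRS = [("ABCD1234", 17), ("EFGH5678", 3), ("IJKL9012", 0), ("MNOP3456", 42)]

if __name__ == "__main__":
    parsed = parse_index_header(build_sample_header(SAMPLE_DIRS))
    for key, value in parsed.items():
        print("%-28s %s" % (key, value))
```

The two checks around the directory count are the part worth keeping when you parse real evidence: the count is read from the file, so a truncated or damaged index.dat would otherwise produce short slices and a confusing struct.error rather than a clear message about where the file stopped making sense.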

Until then!


Read the original at: RAM Slack - Random Thoughts from a Computer Forensic Examiner

January 18, 2015 by ramslack

Year of Python (YOP) – Week Three

Hello Reader!
Well this week I’m sort of taking a shortcut, but what I enjoyed about this script is it was rather easy for me to write. I’m happy about that because it at least gives me some hope that this resolution will accomplish what I want it to.

I teach Computer Forensics part time for a university here where I live. The class started up last week, and I was putting some finishing touches on my week one lecture. Part of this lecture just goes over the fundamentals of converting decimal numbers to both their binary values and their hexadecimal values. For the students' homework assignment, they have to take a binary number and write down the decimal and hex values, and then take a hexadecimal number and write down the binary and decimal values.

What I wanted to do is update that part of my presentation every year, but not really have to think about what numbers to put in with the homework assignment. So why not have Python generate everything for me!

Overall this is a really simple script; it starts out with a function that does all the heavy lifting:

import random

def random_number_generator():
    ran_decimal = random.randint(1, 255)
    return (ran_decimal, bin(ran_decimal), hex(ran_decimal))

Essentially this function generates a random decimal number from 1 to 255 and returns the decimal value along with the equivalent binary and hexadecimal values.

The second part of the script just takes the data from the function and writes it to a file. I wanted to write to a file instead of presenting the output to the screen, because it would be easier to copy and paste the values into my homework assignment.

The numbers_start and numbers_end values are optional for anyone else; I have them in there because the homework assignment is 40 problems.
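The whole procedure (generate, write to a file, numbers_start/numbers_end) carried through as an added example; this is not the author's Week 3 script. It goes a little beyond the post: the generator takes a seed so the same 40 problems can be regenerated when a handout is reissued, the binary and hex strings are zero-padded to 8 bits and 2 digits so the answer key lines up, and a reader function parses the file back so the key can be checked. The function names, the line format and the temporary-file default are my own choices.

```python
import random
import tempfile


def random_number_generator(rng):
    """One problem as in the post: (decimal, binary string, hex string) for a value in 1..255."""
    ran_decimal = rng.randint(1, 255)
    return (ran_decimal, bin(ran_decimal), hex(ran_decimal))


def generate_problems(count, seed=None):
    """Return `count` problems; a fixed seed reproduces the same set (assumed useful for reissues)."""
    rng = random.Random(seed)
    return [random_number_generator(rng) for _ in range(count)]


def format_problem(number, problem):
    """Strip the 0b/0x prefixes and zero-pad so every value shows 8 bits and 2 hex digits."""
    decimal, binary, hexadecimal = problem
    return "%2d. %3d = 0b%s = 0x%s" % (
        number, decimal, binary[2:].zfill(8), hexadecimal[2:].zfill(2).upper())


def write_problem_file(problems, path=None, numbers_start=1):
    """Write one numbered line per problem; returns (path, number of lines written)."""
    if path is None:
        path = tempfile.mkstemp(prefix="yop_week3_", suffix=".txt")[1]
    lines = [format_problem(numbers_start + i, p) for i, p in enumerate(problems)]
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path, len(lines)


def read_problem_file(path):
    """Parse the file back into (decimal, binary-as-int, hex-as-int) so the key can be checked."""
    problems = []
    with open(path) as fh:
        for line in fh:
            _, rest = line.split(". ", 1)
            dec, binary, hexa = [part.strip() for part in rest.split("=")]
            problems.append((int(dec), int(binary, 2), int(hexa, 16)))
    return problems


if __name__ == "__main__":
    numbers_start, numbers_end = 1, 40  # the assignment is 40 problems
    problems = generate_problems(numbers_end - numbers_start + 1, seed=2015)
    out_path, written = write_problem_file(problems, numbers_start=numbers_start)
    print("wrote %d problems to %s" % (written, out_path))
```

Because the three representations of each value are derived from one integer, the answer key is correct by construction; the round trip through read_problem_file just confirms that the padding and prefix handling did not alter any value.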

Until next week!


Read the original at: RAM Slack - Random Thoughts from a Computer Forensic Examiner
