Reconstructing a system's Internet Explorer Activity with Pasco
Pasco will allow you to read an Internet Explorer index.dat file and output it to an index.txt file for easy analysis of a system's internet activity. I did not find Pasco on the default install of CAINE to a hard drive. Here are the instructions I used to install it and how to use it.
INSTALLATION
1. Download pasco; at the time of this writing it was found here: http://downloads.sourceforge.net/odessa/pasco_20040505_1.tar.gz?use_mirror=internap
2. Save the file to your desktop
3. Double-click the pasco_20040505_1.tar.gz file to open it and drag the contents to the desktop
4. Open a terminal window
5. Become the root user (i.e. sudo su)
6. Maneuver to your CAINE user's desktop. (i.e. cd /home/<username>/Desktop)
7. Maneuver into the pasco src directory. (i.e. cd pasco_20040505_1/src)
8. Make the pasco source (i.e. make install)
NOTE: You may receive some warning messages. Ignore them...
9. Maneuver into the pasco bin directory. (i.e. cd ../bin)
10. Copy the pasco binary to the /sbin directory. (i.e. cp pasco /sbin/pasco)
USAGE
If you have created an image file of the suspect hard drive you'll need to mount it to obtain the index.dat files. (see Using CAINE and MMLS to mount an image of an NTFS drive). Either copy or create a symbolic link to the index.dat file. Type the command as follows:
pasco index.dat > index.txt
The easiest way to view your new index.txt file is in a spreadsheet program
"Start"... Office... Gnumeric Spreadsheet
Last edited by joetekno on Thu Apr 23, 2009 2:14 am; edited 1 time in total
Re: Reconstructing a systems Internet Explorer Activity with Pasco
joetekno,
I get an error when I try to make pasco:
/pasco_20040505_1/src$ make
gcc -o pasco pasco.c -lm -lc;cp pasco ../bin
pasco.c: In function ‘win_time_to_unix’:
pasco.c warning: integer constant is too large for ‘long’ type
pasco.c: In function ‘main’:
pasco.c:380: warning: incompatible implicit declaration of built-in function ‘strcpy’
pasco.c:400: warning: incompatible implicit declaration of built-in function ‘strncpy’
How did you overcome this?
slo.sleuth
pasco deb package
In the readme file the author writes to use "make install" directly, but using it we also get the same error:
/pasco_20040505_1/src$ make
gcc -o pasco pasco.c -lm -lc;cp pasco ../bin
pasco.c: In function ‘win_time_to_unix’:
pasco.c warning: integer constant is too large for ‘long’ type
pasco.c: In function ‘main’:
pasco.c:380: warning: incompatible implicit declaration of built-in function ‘strcpy’
pasco.c:400: warning: incompatible implicit declaration of built-in function ‘strncpy’
also on Ubuntu 8.04 Standard version, so I suggest using this deb package
http://ftp.iitm.ac.in/ubuntu/pool/universe/p/pasco/pasco_1.0+20040505-3_i386.deb
It works fine.
Regards,
Denis
pasco deb package
Denis,
I didn't have the error, so I can't be of much help on why you did. I most likely installed Pasco on CAINE V.4 which might be why there is a difference. I'll have to try it on the CAINE V.5 and see if I get an error.
Thanks for the information on the .deb package, that will save me time if I would have had to research the error.
Regards,
Joe
pasco errors
slo.sleuth,
I installed CAINE V.5 and updated it today. I ran into the same error you had. I found the pasco binary in the "bin" directory within Pasco's extracted directory. When I ran it, it worked just fine. So now we have two ways to install it.
I updated my instructions with a "NOTE" letting others know they may run into the warning messages and to ignore them.
Regards,
Joe
Re: Reconstructing a systems Internet Explorer Activity with Pasco
Trying to install Pasco on Caine v.0.5 or on Ubuntu 8.04 standard we get errors.
As slo.sleuth noted, in the bin directory we can find a binary.
Although the binary appears to work, I would be cautious in using it in an investigative analysis of a real event, having generated errors at compile time.
pasco errors
Denis,
I agree, it should be used with caution until it is validated. I have contacted Foundstone support with the list of errors to see what they say about them.
Thanks,
Joe
Foundstone feedback on Pasco Error
Denis,
I received this back from Foundstone:
"We did not encounter any issues while using the tool. We don't think that the warning has an impact on the results. It probably will be a good idea to fix those warnings though. I will let the developer know.
Feel free to post it on the message board. Thank you for your feedback. We appreciate it."
I'll follow up with them to find out what the developer said.
Regards,
Joe
outdated libraries
joetekno,
I recall now dealing with this issue a year ago. Steve Gibson sent this fix on the linux_forensics yahoo group:
Add the following #include along with the others
#include <string.h>
(gets rid of the implicit declaration for strcpy warning)
Around line 100, change:
dbl -= 11644473600;
to:
dbl -= 11644473600ULL;
(which changes it to an unsigned long long constant)
Recompile:
# gcc pasco.c -o pasco
Maybe you could forward to your contact at foundstone. I recall having similar compile errors for galleta.
slo.sleuth
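As an added example (not part of the thread and not pasco's source): a stand-alone known-answer check for the Windows FILETIME to Unix time conversion that the 11644473600 constant in the fix above belongs to, usable when validating a tool's timestamp output as the posters discuss. The function names and sample values are constructed for illustration, and the truncated-offset helper shows a hypothetical failure mode, not a confirmed pasco defect.

```c
#include <stdint.h>
#include <stdio.h>

/* Seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01 (Unix epoch).
   ULL keeps the constant 64-bit even where long is 32 bits. */
#define EPOCH_DIFF_SECS 11644473600ULL
#define TICKS_PER_SEC   10000000ULL    /* FILETIME counts 100 ns ticks */

/* Assemble a FILETIME from its 8 little-endian on-disk bytes. */
uint64_t filetime_from_le(const unsigned char b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* Convert to Unix seconds. Returns 0 on success, -1 when the field is
   unset (zero) or predates 1970. */
int filetime_to_unix(uint64_t ft, int64_t *out)
{
    uint64_t secs = ft / TICKS_PER_SEC;
    if (ft == 0 || secs < EPOCH_DIFF_SECS)
        return -1;
    *out = (int64_t)(secs - EPOCH_DIFF_SECS);
    return 0;
}

/* Hypothetical failure mode: the offset subtracted if the constant were
   cut to 32 bits; results would be 8589934592 s (~272 years) too late. */
uint64_t truncated_offset(void)
{
    return EPOCH_DIFF_SECS & 0xFFFFFFFFULL;
}

int main(void)
{
    /* Constructed sample: FILETIME of 1970-01-01 00:00:00 UTC. */
    const unsigned char epoch_le[8] = {0x00,0x80,0x3E,0xD5,0xDE,0xB1,0x9D,0x01};
    /* Constructed sample: FILETIME of 2009-04-23 02:14:00 UTC. */
    uint64_t sample = 128849264400000000ULL;
    int64_t t;
    if (filetime_to_unix(filetime_from_le(epoch_le), &t) == 0)
        printf("epoch bytes -> %lld\n", (long long)t);
    if (filetime_to_unix(sample, &t) == 0)
        printf("sample      -> %lld\n", (long long)t);
    printf("truncated offset: %llu\n", (unsigned long long)truncated_offset());
    return 0;
}
```

Comparing these values against the times a pasco build prints for the same raw FILETIME fields gives a quick check that its conversion is sound.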