Difference between pages "HBGary Responder Professional" and "Personal Folder File (PAB, PST, OST)"

From ForensicsWiki

HBGary Responder Professional

[[File:logo.jpg]]

Responder™ Professional is a Windows™ physical memory forensics and automated malware analysis tool. It is an application that is known for its ease of use, streamlined workflow, and rapid results. The Professional platform is designed for Incident Responders, Malware Analysts, and Computer Forensic Investigators who require actionable intelligence quickly. Responder Professional provides powerful memory forensics, malware detection, and software behavioral identification with Digital DNA™.

== Memory Preservation ==

FDPro is included with Responder™ Professional. FDPro is the most complete memory acquisition software in the industry. FDPro is the only application that can preserve Windows™ physical memory and the pagefile for information security and computer forensic purposes.

== Memory Analysis ==

Critical computer artifacts are found only in live memory. Responder™ makes it easy to uncover, identify, and report on critical information with an easy-to-use and intuitive GUI designed to support the investigation workflow.

[[File:memory_analysis.jpg]]

== Malware Detection with Digital DNA™ ==

Digital DNA™ is a revolutionary technology designed to detect advanced computer security threats within physical memory. All memory is analyzed offline as a file; there is no active code to thwart analysis. Digital DNA™ does not rely on the Windows operating system, since the host is assumed to be compromised and thus not trusted. All executable code in memory is scanned, scored, and ranked by level of severity based upon programmed software behaviors.

[[File:Ddna_image.jpg]]

== Automated Malware Analysis ==

More computer crimes involve malware as a method of gaining access to confidential information. The new face of malware is designed never to touch the disk and to reside only in memory. Important delivery information, rootkit behaviors, and malware not detected by Anti-Virus can be easily found using Responder™ Professional.

[[File:Automated_analysis.jpg]]

== Reporting ==

A flexible reporting module is built in for ease of use, so you can quickly deliver the information in a succinct manner to attorneys, management, or clients.

[[File:Reporting.jpg]]

== External Links ==

http://www.hbgary.com

Personal Folder File (PAB, PST, OST)
Revision as of 03:06, 13 October 2010

Microsoft Outlook uses the Personal Folder File (PFF) to store e-mails, appointments, tasks, contacts, notes, etc.

Three different types of the PFF are known:

  • The Personal Address Book (PAB), which contains the address book of contacts. These files have the extension .pab.
  • The Personal Storage Table (PST), which contains items like e-mails, appointments, tasks, notes, etc. and is used as current and archived mailbox files. These files have the extension .pst. The PST format is also referred to as the Personal Folder File (PFF) format.
  • The Offline Storage Table (OST), which contains items like e-mails, appointments, tasks, notes, etc. and is used as offline mailbox files in conjunction with Microsoft Exchange. These files have the extension .ost. The OST format is also referred to as the Offline Folder File (OFF) format.

These files share the same underlying file format. Its actual name is unknown, but it has been dubbed the Personal Folder File (PFF) format because of its most common usage.

MIME types

The actual MIME type of the PFF format is unspecified; however, some sources claim the following MIME types apply to this file format:

  • application/vnd.ms-outlook (for PST files)

File signature

PFF has the following file signature:

hexadecimal: 21 42 44 4e

ASCII: !BDN

File types

There are a 32-bit and a 64-bit version of the PFF. These have the same file signature but can be identified by the version in the file header.
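As an added example (not part of the wiki page, and not libpff's code), the check below reads the "!BDN" signature and the data-version field of a PFF header to tell the 32-bit and 64-bit variants apart, and also reads the content-type tag that distinguishes PST, OST and PAB files. The field offsets and the tag/version values are taken from the published libpff / MS-PST header documentation rather than from this page, and the sample headers are constructed.

```python
import struct
from typing import Optional

PFF_SIGNATURE = b"!BDN"  # the "!BDN" magic at offset 0, as stated on this page

# Content-type tag at offset 8 (from the published libpff / MS-PST header documentation)
CONTENT_TYPES = {b"SM": "PST", b"SO": "OST", b"AB": "PAB"}

# Data version (wVer) at offset 10: 14 and 15 mark the 32-bit ("ANSI") layout,
# 23 marks the 64-bit ("Unicode") layout (same documentation as above)
DATA_VERSIONS = {14: "32-bit", 15: "32-bit", 23: "64-bit"}


def identify_pff(header: bytes) -> Optional[dict]:
    """Classify a PFF file from its leading bytes.

    Returns None when the signature is missing or the buffer is too short;
    otherwise a dict with content type, bitness and the raw data version.
    An unknown tag or version is reported as 'unknown' rather than guessed.
    """
    if len(header) < 12 or header[:4] != PFF_SIGNATURE:
        return None
    content_tag = header[8:10]
    (data_version,) = struct.unpack_from("<H", header, 10)  # little-endian uint16
    return {
        "type": CONTENT_TYPES.get(content_tag, "unknown"),
        "bitness": DATA_VERSIONS.get(data_version, "unknown"),
        "data_version": data_version,
    }


def build_header(content_tag: bytes, data_version: int) -> bytes:
    """Construct a minimal 16-byte header for testing (CRC field left zero)."""
    crc_placeholder = b"\x00\x00\x00\x00"
    client_version = struct.pack("<H", 19)  # wVerClient value used by PST files
    return (PFF_SIGNATURE + crc_placeholder + content_tag
            + struct.pack("<H", data_version) + client_version + b"\x00\x00")


# Constructed sample headers, not taken from real files
SAMPLES = {
    "ansi_mailbox.pst": build_header(b"SM", 14),
    "unicode_mailbox.pst": build_header(b"SM", 23),
    "offline.ost": build_header(b"SO", 23),
    "contacts.pab": build_header(b"AB", 14),
    "readme.txt": b"Plain text, definitely not a PFF",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:22} -> {identify_pff(hdr)}")
```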

Contents

The PFF basically contains a hierarchy of items. The attributes of these items are defined by the Microsoft Outlook Message API (MAPI).

Encryption

The PFF format allows the file to be encrypted. Two types of encryption are currently known; these are referred to as compressible encryption and high encryption. The compressible encryption is a basic substitution cipher, and the high encryption is a slightly more complex substitution cipher. From a cryptographic point of view this is more a form of obfuscation than a means to protect confidentiality.

See also

  • A great deal of information about the format has been documented by the libpff project (http://libpff.sourceforge.net), including some of the Personal Folder File format specifications (http://downloads.sourceforge.net/libpff/Personal_Folder_File_format.pdf) and MAPI definitions (http://downloads.sourceforge.net/libpff/MAPI_definitions.pdf).
  • libpst (http://www.five-ten-sg.com/libpst/)

Category: File Formats