Just updated the code syntax highlighting style. This is a sample of PowerShell code from PowerWinForensics.
A research paper that I co-authored was presented at DFRWS (Digital Forensic Research Conference) 2018 USA. As a contributor, I am proud to have the chance to work with two researchers, Jan-Niclas Hilgert and Martin Lambertz from Fraunhofer FKIE, Bonn, Germany.
The paper is titled "Forensic analysis of multiple device BTRFS configurations using The Sleuth Kit". It discusses the multi-device feature offered by BTRFS, a modern filesystem designed for Linux to achieve rich functions and better performance.
BTRFS implements many advanced concepts such as subvolumes, snapshots and copy on write (CoW). The paper attempts to resolve some problems introduced by BTRFS multi-device support whose answers cannot be found through the traditional digital forensics process.
The complete paper can be found on the DFRWS 2018 USA website. It was also published in Digital Investigation Volume 26, Supplement, July 2018, Pages S21-S29 with open access. Check either of the following links to read and download the paper:
Equipped with Office Interop and the ability to manipulate COM objects, Windows PowerShell is capable of generating rich Excel sheets, which can be very helpful in analyzing and displaying data.
One minor problem is that, depending on the version of Office, some features may behave differently. For example, PowerShell can be used to create charts in an Excel file:
The default chart type used here will be a Bar chart. To change the chart type on a system with a newer version of Office installed, the code is:
$objChart.Chart.ChartType = [Microsoft.Office.Interop.Excel.XLChartType]::xl3DPieExploded
This creates a 3D Exploded Pie chart.
However, on a system with the earlier Office 2007, this XLChartType enum will not be recognized. To make the same chart, an integer must be used instead:
$objChart.Chart.ChartType = 70
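The two assignments above can be combined so that one script works on both kinds of system. The following is an added example, not code from the original post: the helper name Resolve-ChartType, the variable names other than $objChart, the sample data and the output path are assumptions made for illustration.

```powershell
# Added example: pick the chart type from the interop enum when it is available,
# otherwise fall back to the documented integer value (70 = xl3DPieExploded).
function Resolve-ChartType {
    param([string]$Name, [int]$Fallback)
    # -as [type] yields $null instead of throwing when the interop type is not loaded
    $enumType = 'Microsoft.Office.Interop.Excel.XlChartType' -as [type]
    if ($enumType -and [enum]::IsDefined($enumType, $Name)) {
        return [int][enum]::Parse($enumType, $Name)
    }
    return $Fallback
}

$excel = New-Object -ComObject Excel.Application
$excel.Visible = $false
try {
    $book  = $excel.Workbooks.Add()
    $sheet = $book.Worksheets.Item(1)

    # Constructed sample data: a header row followed by three value rows
    $rows = @(@('Extension', 'Count'), @('.exe', 12), @('.dll', 30), @('.ps1', 5))
    for ($r = 0; $r -lt $rows.Count; $r++) {
        $sheet.Cells.Item($r + 1, 1) = $rows[$r][0]
        $sheet.Cells.Item($r + 1, 2) = $rows[$r][1]
    }

    # Create the chart, bind it to the data, then set the type in a version-tolerant way
    $objChart = $sheet.Shapes.AddChart()
    $objChart.Chart.SetSourceData($sheet.Range('A1:B4'))
    $objChart.Chart.ChartType = Resolve-ChartType -Name 'xl3DPieExploded' -Fallback 70

    $book.SaveAs("$env:TEMP\chart-sample.xlsx")   # assumed output location
    $book.Close($false)
}
finally {
    # Always shut Excel down so no hidden EXCEL.EXE process is left running
    $excel.Quit()
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
}
```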
For a list of all the XLChartType enums and corresponding integer values, refer to the following official document:
XlChartType Enumeration (Excel)
Chart types examples:
Available chart types in Office
C# Office Interop programming guide:
How to: Access Office Interop Objects by Using Visual C# Features
There are two web servers on two different machines in the internal network, serving two different websites. We want clients from the external network to be able to access both websites. However, there is only one available external IP address to be shared by the two websites. We also want clients to be able to visit the websites using the default HTTP port 80 instead of mapping different sites to different ports. The only thing that can distinguish requests for the two websites is the URL.
The two web servers, with IP addresses 172.16.100.11 and 172.16.100.12 in the internal network, serve www.testweb1.com and www.testweb2.com respectively, with different contents. The only available external IP address is 10.10.0.1. When the client types www.testweb1.com or www.testweb2.com in the URL bar of the browser, both will point to 10.10.0.1 by DNS record, but the client will see different contents based on the URL.
Today something weird happened on my VMware Workstation 12 Player. I was unable to run any of the virtual machines (VMs) stored on my computer. When I tried to run a VM, an error message popped up, saying:
VMware Player cannot connect to the virtual machine. Make sure you have rights to run the program, access all directories the program uses, and access all directories for temporary files.
Failed to connect pipe to virtual machine. The system cannot find the path specified.
If I started VMware Workstation Player in administrator mode, the second part of the error message became:
The vmx process exited prematurely.