{"id":656,"date":"2015-08-25T10:40:47","date_gmt":"2015-08-25T07:40:47","guid":{"rendered":"https:\/\/furkansandal.com\/pst-dosyalari-uzerinde-adli-bilisim-incelemesi\/"},"modified":"2015-08-25T10:40:47","modified_gmt":"2015-08-25T07:40:47","slug":"pst-dosyalari-uzerinde-adli-bilisim-incelemesi","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/pst-dosyalari-uzerinde-adli-bilisim-incelemesi\/","title":{"rendered":"Forensic Examination of PST Files"},"content":{"rendered":"
\n

In many cases where a user's computer is examined, that user's e-mail is also expected to be examined, and the e-mails believed to be related to the incident under investigation are expected to be brought to light. This is where the analysis of the files that store local copies of e-mail, found especially on end users' computers, comes into play. In this article we will look at the analysis of PST, OST and PAB files, which are among these file types. The format of these files is the Personal Folder File (PFF); because it is not an open format, its characteristics could only be obtained by reverse engineering it. The research carried out by Joachim Metz is an example of the work done in this area. You can find the report of that work and the Personal Folder File (PFF) details here.<\/p>\n

There is a great deal of commercial software that can be used for the forensic analysis of PST, OST and PAB files. One of the best known is Paraben's Email Examiner. Forensic suites such as EnCase and FTK also support these file formats. In this article we will instead cover how these analyses can be carried out with free, open-source tools, which give us somewhat more flexibility. Above we mentioned the research carried out by Joachim Metz. Thankfully, Joachim Metz did not stop at analysing these file formats; he also developed utilities that let us work on these file types (for example, to recover e-mails that are still present in the PST file but were deleted by the user). You can download these tools here. In this article I will use the latest release, libpff-experimental-20131028.tar.gz. These tools are also available on the SIFT Workstation; they come pre-installed in SIFT Workstation by default.<\/p>\n

The first tool in this set that we will use is pffinfo<\/strong>. With it we obtain basic information about the PFF-format file given as input. The parameters the tool accepts are shown in the table below. In its simplest form it is enough to point it at the PFF file in question.<\/p>\n\n\n\n
MacBook-Pro-3:pfftools $ .\/pffinfo -h<\/strong><\/p>\n
pffinfo 20131028<\/p>\n
Use pffinfo to determine information about a Personal Folder File (OST, PAB and PST).<\/p>\n
Usage: pffinfo [ -c codepage ] [ -ahvV ] source<\/p>\n
source: the source file<\/p>\n
-a: shows allocation information<\/p>\n
-c: codepage of ASCII strings, options: ascii, windows-874,<\/p>\n
    windows-932, windows-936, windows-949, windows-950,<\/p>\n
    windows-1250, windows-1251, windows-1252 (default),<\/p>\n
    windows-1253, windows-1254, windows-1255, windows-1256,<\/p>\n
    windows-1257 or windows-1258<\/p>\n
-h: shows this help<\/p>\n
-v: verbose output to stderr<\/p>\n
-V: print version<\/p>\n
MacBook-Pro-3:pfftools $<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

A screenshot of the output obtained by running the tool on a sample PST is shown below. Interpreting the output in the screenshot, we learn that the file is in PST format, that it is not protected by a password, and that the directories listed under Folders are present in the PST file.<\/p>\n

[Screenshot: PSTAnalizi-01]
In the next stage we export the e-mails contained in this PST file for analysis. The tool we use at this stage is pffexport<\/strong>; when we look at its help output we see the options listed in the table below.<\/p>\n\n\n\n
MacBook-Pro-3:pfftools $ .\/pffexport -h<\/p>\n
pffexport 20131028<\/p>\n
Use pffexport to export items stored in a Personal Folder File (OST, PAB and PST).<\/p>\n
Usage: pffexport [ -c codepage ] [ -f format ] [ -l logfile ] [ -m mode ] [ -t target ] [ -dhqvV ] source<\/p>\n
source: the source file<\/p>\n
-c: codepage of ASCII strings, options: ascii, windows-874,<\/p>\n
    windows-932, windows-936, windows-949, windows-950,<\/p>\n
    windows-1250, windows-1251, windows-1252 (default),<\/p>\n
    windows-1253, windows-1254, windows-1255, windows-1256,<\/p>\n
    windows-1257 or windows-1258<\/p>\n
-d: dumps the item values in a separate file: ItemValues.txt<\/p>\n
-f: preferred output format, options: all, html, rtf, text (default)<\/p>\n
-h: shows this help<\/p>\n
-l: logs information about the exported items<\/p>\n
-m: export mode, option: all, debug, items (default), recovered. 'all' exports the (allocated) items, orphan and recovered items. 'debug' exports all the (allocated) items, also those outside the root folder. 'items' exports the (allocated) items. 'recovered' exports the orphan and recovered items.<\/p>\n
-q: quiet shows minimal status information<\/p>\n
-t: specify the basename of the target directory to export to (default is the source filename). pffexport will add the following suffixes to the basename: .export, .orphans, .recovered<\/p>\n
-v: verbose output to stderr<\/p>\n
-V: print version<\/p>\n
MacBook-Pro-3:pfftools $<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Unless told otherwise, this tool does not recover deleted e-mails; it only extracts from the PST the e-mails that can be read by normal means. If we want e-mails deleted by the user to be recovered, we have to pass either all<\/strong> or recovered<\/strong> with the -m parameter (export mode). By default pffexport<\/strong> writes the files for each exported e-mail in txt format (the message body, the internet headers, the Outlook headers and so on). If you want these documents in a different format, it is enough to specify the format with the -f<\/strong> parameter (html, rtf, text). If you want to choose where the exported e-mails are stored, you need to use the -t<\/strong> parameter. If you specify nothing, the tool creates a directory prefixed with the name of the PFF file given as the source, and the extracted e-mails are saved under that directory. If you run the tool with the export mode set to all<\/strong>, two separate directories are created. The directory ending in .export<\/strong> holds the normal e-mails, while the directory ending in .recovered<\/strong> holds the e-mails the user deleted but the tool recovered. A screenshot of a sample run is shown below.<\/p>\n

[Screenshot: PSTAnalizi-02]<\/p>\n

After the export, an example of the hierarchy of the directory ending in export can be seen in the screenshot below.<\/p>\n

[Screenshot: PSTAnalizi-03]
Here each directory named MessageXXXXX contains the files belonging to one exported e-mail. An example of what these files are and what they contain can be seen in the screenshot below.<\/p>\n

[Screenshot: PSTAnalizi-04]<\/p>\n

Once the export has finished, you can search these files with whatever criteria your case requires and obtain the e-mails that match them. For example, as can be seen in the screenshot below, grep was used to search the user's e-mails for messages containing the word password, and they were found.<\/p>\n

[Screenshot: PSTAnalizi-05]<\/p>\n
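As an added example (not from the post and not part of libpff), a small POSIX shell helper that turns the grep step above into a triage list: for every exported message matching a keyword it prints the message directory, the From and the Subject, so the same search can be run over the .export tree and then the .recovered tree. The file names InternetHeaders.txt and Message.txt inside each Message directory are an assumption about pffexport's text layout, and the sample tree is constructed for offline use:

```shell
#!/bin/sh
# Added example, not part of libpff: triage helper for a pffexport output
# tree. Assumes the layout pffexport writes in text mode (one MessageNNNNN
# directory per item, holding InternetHeaders.txt and Message.txt); adjust
# the two file names if your export differs.

# Print "directory|From|Subject" for each exported message whose headers or
# body contain KEYWORD (case-insensitive). Run it on the .export tree and
# again on the .recovered tree so deleted-but-recovered mail is covered too.
pff_triage() {
    tree="$1"
    keyword="$2"
    find "$tree" -type d -name 'Message*' | sort | while read -r msgdir; do
        hdr="$msgdir/InternetHeaders.txt"
        body="$msgdir/Message.txt"
        if grep -q -i -- "$keyword" "$hdr" "$body" 2>/dev/null; then
            from=$(grep -i -m1 '^From:' "$hdr" 2>/dev/null | cut -d' ' -f2-)
            subject=$(grep -i -m1 '^Subject:' "$hdr" 2>/dev/null | cut -d' ' -f2-)
            printf '%s|%s|%s\n' "$msgdir" "${from:-?}" "${subject:-?}"
        fi
    done
}

# Number of messages matched by pff_triage, a quick figure for the report.
pff_triage_count() {
    pff_triage "$1" "$2" | grep -c '|'
}

# Build a constructed sample tree (fake messages, not real mail) so the helper
# can be tried offline; prints the root holding sample.pst.export and
# sample.pst.recovered, mirroring the two directories "-m all" produces.
pff_sample_tree() {
    root=$(mktemp -d)
    expdir="$root/sample.pst.export"
    recdir="$root/sample.pst.recovered"
    mkdir -p "$expdir/Message00001" "$expdir/Message00002" "$recdir/Message00001"
    printf 'From: alice@example.com\nSubject: Lunch\n\n' > "$expdir/Message00001/InternetHeaders.txt"
    printf 'See you at noon.\n' > "$expdir/Message00001/Message.txt"
    printf 'From: bob@example.com\nSubject: VPN access\n\n' > "$expdir/Message00002/InternetHeaders.txt"
    printf 'Your temporary password is attached.\n' > "$expdir/Message00002/Message.txt"
    printf 'From: carol@example.com\nSubject: Password reset\n\n' > "$recdir/Message00001/InternetHeaders.txt"
    printf 'Reset link below.\n' > "$recdir/Message00001/Message.txt"
    echo "$root"
}
```

Source the file and call `pff_triage sample.pst.export password`, then repeat with the .recovered directory; the keyword match covers both the headers and the body of each message.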

<\/ul>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

    In many cases where a user's computer is examined, that user's e-mail is also expected to be examined, and the e-mails believed to be related to the incident under investigation…<\/p>\n","protected":false},"author":1,"featured_media":469,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,3,7,4],"tags":[78,76,88,89,26,83,81,79,82,77,80,84,85,87,86],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/08\/ssh.jpg?fit=500%2C500&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-aA","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/656"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=656"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/656\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/469"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}",
"templated":true}]}}