Blogilo Forensics

The analysis of social media apps carries more and more weight as these applications gain momentum with end users. Forensic analysts must therefore understand how to acquire files and content not only from a suspect's computer but also from the suspect's online services (not to use the damn cloud word). It is crucial to understand the full functionality of online social media applications, since not only publicly published content but also hidden and drafted files may be of interest to investigators.

In the end, investigators need to understand how to recover passwords from supporting desktop software such as blog client programs. This article shows how to recover user accounts and passwords from the widely used Blogilo KDE (Linux) blog client.

All KDE applications' configuration files are stored in the ~/.kde/share/apps folder of the user's home directory. Blogilo stores its configuration within that path as well.

cbrunsch@tubarao:~$ ls -laR .kde/share/apps/blogilo/
.kde/share/apps/blogilo/:
total 92
drwx------  4 cbrunsch cbrunsch  4096 2012-01-06 08:21 .
drwx------ 11 cbrunsch cbrunsch  4096 2011-12-29 16:10 ..
drwx------  2 cbrunsch cbrunsch  4096 2012-01-02 23:03 1
drwx------  2 cbrunsch cbrunsch  4096 2011-12-28 17:10 -1
-rw-r--r--  1 cbrunsch cbrunsch 62464 2012-01-06 08:21 blogilo.db

.kde/share/apps/blogilo/1:
total 48
drwx------ 2 cbrunsch cbrunsch  4096 2012-01-02 23:03 .
drwx------ 4 cbrunsch cbrunsch  4096 2012-01-06 08:21 ..
-rw-rw-r-- 1 cbrunsch cbrunsch 29586 2012-01-02 23:03 style.html

.kde/share/apps/blogilo/-1:
total 8
drwx------ 2 cbrunsch cbrunsch 4096 2011-12-28 17:10 .
drwx------ 4 cbrunsch cbrunsch 4096 2012-01-06 08:21 ..

Actually, the file of interest is the blogilo.db file. Let’s see whether we can read the accounts directly from that file.

We could try to guess from the output what the username and password might be. However, there is also some more binary content. Thus, let’s have a closer look.

cbrunsch@tubarao:~/.kde/share/apps/blogilo$ file blogilo.db
blogilo.db: SQLite 3.x database

The file command reports an SQLite database. Storing application configuration in the file-based SQLite format is becoming very popular; Firefox also stores passwords and history information in SQLite databases. Luckily, these files can be queried very conveniently with an SQLite client. The schema of this Blogilo database can be queried from the sqlite_master table contained in the same file, which also lists the existing tables.

cbrunsch@tubarao:~/.kde/share/apps/blogilo$ sqlite3 blogilo.db
SQLite version 3.7.9 2011-11-01 00:52:41
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select name from sqlite_master where type="table";
blog
post
comment
category
file
post_cat
post_file
local_post
local_post_cat
temp_post
temp_post_cat
sqlite> select * from blog;
1|30925834|https://cybrs.wordpress.com/xmlrpc.php|cybrs123|Ult1mate.PW!|https://cybrs.wordpress.com/|3|CYBR's Blog|0||
sqlite>

Here we go. For each configured blog there is an entry in the blog table. Each record contains the XML-RPC interface URL as well as the username and password of the blog account, stored in clear text. That logon information also grants access to the online service and would allow hidden and drafted evidence to be seized.

NOTE: You must install the SQLite version 3.x client; otherwise you won't be able to query the file.
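The same examination can be scripted so that the evidence file is provably left untouched. The following is an added example, not part of the original post: it checks the SQLite header, opens the database read-only, lists the tables from sqlite_master and returns the rows of the blog table together with a before/after hash comparison. The sample database and its column names are constructed assumptions, since the post shows only the row values.

```python
import hashlib
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def sha256_of(path):
    """Hash the evidence file so it can be shown unchanged afterwards."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def examine(path):
    """Return (table names, rows of 'blog' as dicts, file unchanged?)."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            raise ValueError("not an SQLite 3 database: %s" % path)
    before = sha256_of(path)
    # mode=ro refuses writes; immutable=1 also keeps SQLite from taking
    # locks or creating -journal/-wal/-shm files next to the evidence.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        con.row_factory = sqlite3.Row
        tables = [r["name"] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        blogs = []
        if "blog" in tables:
            blogs = [dict(r) for r in con.execute("SELECT * FROM blog")]
    finally:
        con.close()
    return tables, blogs, sha256_of(path) == before

def build_sample(directory):
    """Constructed stand-in for blogilo.db; its column names are assumptions."""
    path = os.path.join(directory, "sample.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE blog (id INTEGER, url TEXT, username TEXT, password TEXT)")
    con.execute("CREATE TABLE post (id INTEGER, title TEXT)")
    con.execute("INSERT INTO blog VALUES (1, "
                "'https://blog.example/xmlrpc.php', 'user1', 'example-pw')")
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(examine(build_sample(tmp)))
```

On a real case, run examine() against a working copy of the acquired image rather than the original medium, and record the hash alongside the findings.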

ImageMagick C++ Template

This entry is intended to give anyone interested in using the C++ ImageMagick API a kickstart.

Base C++ code

#include <iostream>
#include <Magick++.h>

using namespace Magick;
using namespace std;

int main(void) {
    // Minimal program: proves the Magick++ headers are found and the binary links.
    cout << "hello ImageMagick." << endl;
    return 0;
}

Base Makefile

CC=g++
CFLAGS=-c -Wall -m32 -ansi -pedantic -O3 -Wno-long-long -I /usr/include/ImageMagick
LDFLAGS=-m32 -pthread -L /usr/lib/ImageMagick-6.6.2 -lMagick++ -ljpeg -lpng -ltiff -lbz2 -lxml2 -lz -lm -lgomp -lMagickWand -lMagickCore

SOURCES=image.cpp
OBJECTS=$(SOURCES:.cpp=.o)
EXECUTABLE=test

all: $(SOURCES) $(EXECUTABLE)

# Recipe lines must start with a tab character.
# Objects come before the libraries so the linker can resolve their symbols.
$(EXECUTABLE): $(OBJECTS)
	$(CC) $(OBJECTS) $(LDFLAGS) -o $@

.cpp.o:
	$(CC) $(CFLAGS) $< -o $@

clean:
	rm -f $(EXECUTABLE) *.o

Merge Images using Imagemagick Composite Utility

The following command replaces all images contained in the current folder as follows:

Each image will be copied into the center on top of the empty.gif. Thus, if you would like a couple of images to fit 400×400 pixels, just create an empty.gif with those dimensions and run the command.

bash# PICS=$(ls -1); for pic in $PICS; do cp "$pic" temp.jpg; composite -gravity center temp.jpg ../empty.gif "$pic"; done; rm temp.jpg

Resize multiple images using Imagemagick

Ever tried to resize a whole folder of images in a single line? Make sure you have the ImageMagick convert utility installed, then paste the following line into your bash shell:

bash# ls -1 *.jpg > images; while read -r line; do SRC=$line; cp "$line" temp.jpg; convert -resize 400x400 temp.jpg "$SRC"; done < images; rm images temp.jpg

The command will resize all images to 400 pixels in height or width, depending on the orientation of the image. Thus, the proportions of the image will not change.