Warung Bebas

Tuesday, 31 March 2009

What did they take when they left? Part 3 - Where did it go and what did they take?

Howdy Reader,

In the prior posts in this series we talked about how to determine if our suspect burned a CD and then what programs he ran before he left. In this post we will discuss the ways our suspect could have taken data out of the system and how we can find out what they took. Someone who wants to take data has several options depending on the environment they are in; the most common are burning a CD (which we talked about before), sending an email via the company's servers, sending an email via a webmail service, copying the data to an external drive, copying data to another network location, and uploading data to a web-based file hosting service. Any combination of these methods can be used, so we have two challenges:

  1. We need to determine what method or methods they used to take data from the system
  2. We need to determine what files they took using these methods


Method 1 – Email via corporate servers

  1. How did they take data from the system

How we are able to recreate activities will depend on the email system they have in place. Typically a suspect using this method will be emailing files and forwarding messages to their personal account. The sophistication of the suspect is pretty low in this method but occasionally even these suspects will delete these messages. Every email system has its own particular quirks for the recovery and analysis of messages, enough so that we will have separate posts to deal with each one at a later date. In most cases if a user has deleted the email messages we have three sources of recovery:

  1. Recovery of deleted messages from the local system


    When an email is sent from a suspect's system it is typically saved in the local and possibly the server-side 'sent' box. How we recover the message depends on how much time has passed since the user deleted the message, what other activity has occurred on the system since that time, and whether or not the user purposefully attempted to push the email out of the local email archive.


    i. Messages recovered from the application database structure


    Most email systems have an accompanying client-side application (GroupWise, Outlook, Notes) that stores the emails received into a database-like structure. Typically when these emails are deleted they remain within that structure until they are flushed out (for example by Outlook's compact and repair function). Until that occurs, most of the major commercially available forensic tools (Paraben's Email Examiner, EnCase Forensic, Forensic Toolkit) can recover these deleted messages if they support the file format. If you are looking for a free option you might try the steps outlined here, but that could become quite burdensome if you have a large number of messages to recover.

    ii. Messages recovered from the unallocated space

    Depending on the email client used, the data will either be in plain text in the unallocated space for easy carving, or it may be stored in some binary format, as is the case with deleted messages from most Outlook PSTs. Outlook PSTs support a data encoding format known as Outlook Compressible Encryption (OCE). When this data is pushed out of the PST structure, either over time or through the operation of a compact and repair, the message will then exist in the unallocated space but be encoded in OCE. The only tool I know of currently that can search for OCE data in the unallocated space is EnCase. However, the temporary files made by Microsoft Word, which has been the default editor for emails inside Outlook since at least 2003, are recoverable as plain or Unicode text in the unallocated space.

  2. Recovery of deleted messages from the live server


    Most email servers don't flush emails from their database when the user deletes them. If you or your IT contact has administrative access to the email server you can ask them to recover recently deleted messages from the live server. In Exchange there is what has been called a 'dumpster' functionality that will retain emails for a definable number of days (default of 14 I believe). In GroupWise you can recover deleted messages using tools like Network Email Examiner or the salvage utility. In Lotus Notes you could either check to see if the 'soft delete' option was set and for how long it will retain messages, or again use commercial tools. There are not many (any?) open source or free tools for dealing with enterprise email server solutions.


    If the email server has flushed out the message recovering the message from the unallocated space becomes more difficult since I don't know the encoding of the message. If you are dealing with a sendmail/imail server like Iplanet you can recover the messages in the unallocated space through regex searches for headers.


  3. Recovery of deleted messages from backup


    When all else fails you can go to backup, usually tape. Restore the email database for the relevant time intervals, hoping to capture the email; this assumes it was not purged the same day it was deleted, which is not very typical. You can restore the tape with either the native software (NetBackup, Backup Exec, ARCserve, etc…) or with software that supports your tape format (Ontrack PowerControls, Quest Recovery Manager for Exchange). Then you will need to access the email database either with the native email server in a recovery environment or with a tool that supports reading the database directly (Network Email Examiner, Ontrack PowerControls, Quest Recovery Manager for Exchange). Once you've done this you can see if the emails you are looking for exist. This is a very detailed topic given the variances of backup software and data available to the forensic examiner; I plan to make separate posts about each of the major backup formats and tape examination techniques.


  4. What did they take


    Now that we have the email messages we can see what was forwarded and attached to those messages, and make a list of those files, email addresses and subject matters. In my job I have no knowledge of internal matters, so I have to hand over this data to counsel so they can determine whether what was sent contained relevant data.

Method 2 – Email via webmail

  1. How did they take data from the system


    The first step I would perform is examining the internet history of the user. If they did not clear out their internet history then you can look through it for webmail websites they have been visiting. The majority of webmail services are either free or, in the case of a hosted website they own, will be using a free webmail package (like SquirrelMail). We can use these sites to get unique keywords they display, either in the HTML source of the page or in the rendered page itself, to identify specific pages of interest.


    The nature of how we send and receive data to websites dictates what is and is not recoverable. We can recover pages they have viewed, such as the contents of a mailbox/folder. We can see messages received and the form used to write an email, but not the email they wrote. So we can look for the most recent views of their inbox for emails they have sent to themselves with files attached. Many people have said that Gmail no longer leaves cached emails for us to recover. This is not in fact true: the move to the AJAX model means we no longer have a separate cached page for every email viewed; instead we have to look at the virtual memory (pagefile.sys in Windows, the swap partition in Unix-based systems) to find these email remnants.


  2. What did they take


    Most webmail sites will separately make a pop up or page for attaching files and giving notification of successfully attached files. This is good for us as we can recover each notification page and make a list of what files they sent themselves. In addition some suspects are nice enough to open each email they forwarded to themselves to just make sure they got their files.


There are three more methods to detail, but I don't want to wait another day to get this up. To be continued in part 4.



History of Metal Music

Heavy metal was discovered by the 60s veteran band Steppenwolf, in their classic song titled 'Born To Be Wild':
"I like smoke and lightning, heavy metal thunder, racin' with the wind and the feelin' that I'm under". But the term was not used precisely until 1970, when Black Sabbath released their debut album "Paranoid".


There are quite a few heavy metal bands. From the 1960s, what could be called blues rock, such as Led Zeppelin and AC/DC (classic metal), and from around the 60s to the 70s, what is called classic rock, such as Black Sabbath, Blue Oyster Cult, Deep Purple and Alice Cooper. Classic metal is sometimes played with an organ. The music is driven by riffs, more often played in minor keys. The vocalists were also influenced by Led Zeppelin, except for the father of metal, Ozzy Osbourne, who was influenced by air-raid sirens.

Thrash metal, power metal, speed metal, black metal, death metal and grindcore have very fast song tempos, carried by guitarists playing downstroke rhythm guitar; in thrash metal this is done by bands such as Metallica, Megadeth, Slayer and Anthrax, nicknamed the Big Four of Thrash.

Saturday, 28 March 2009

Preventing Tooth Decay

Meet Sir Edward Mellanby, the man who discovered vitamin D. Along with his wife, Dr. May Mellanby, he identified dietary factors that control the formation and repair of teeth and bones. He also identified the primary cause of rickets (vitamin D deficiency) and the effect of phytic acid on mineral absorption. Truly a great man! This research began in the 1910s and continued through the 1940s.

What he discovered about tooth and bone formation is profound, disarmingly simple, and largely forgotten. I remember going to the dentist as a child. He told me I had good teeth. I informed him that I tried to eat well and stay away from sweets. He explained to me that I had good teeth because of genetics, not my diet. I was skeptical at the time, and rightly so.

Tooth structure is primarily determined during growth. Well-formed teeth are highly resistant to decay, while poorly-formed teeth are cavity-prone. Drs. Mellanby demonstrated this by showing a strong correlation between tooth enamel defects and cavities in British children. The following graph is drawn from several studies he compiled in the book Nutrition and Disease (1934). "Hypoplastic" refers to enamel that's poorly formed on a microscopic level.
The graph is confusing, so don't worry if you're having a hard time interpreting it. If you look at the blue bar representing children with well-formed teeth, you can see that 77% of them have no cavities, and only 7.5% have severe cavities (a "3" on the X axis). Looking at the green bar, only 6% of children with the worst enamel structure are without cavities, while 74% have severe cavities. Enamel structure is VERY strongly related to cavity prevalence.

What determines enamel structure during growth? Drs. Mellanby identified three dominant factors:
  1. The mineral content of the diet
  2. The fat-soluble vitamin content of the diet, chiefly vitamin D
  3. The availability of minerals for absorption, determined largely by the diet's phytic acid content
Teeth and bones are a mineralized protein scaffold. Vitamin D influences the quality of the protein scaffold that's laid down, and the handling of the elements that mineralize it. For the scaffold to mineralize, the diet has to contain enough minerals, primarily calcium and phosphorus. Vitamin D allows the digestive system to absorb the minerals, but it can only absorb them if they aren't bound by phytic acid. Phytic acid is an anti-nutrient found primarily in unfermented seeds such as grains. So the process depends on getting minerals (sufficient minerals in the diet and low phytic acid) and putting them in the right place (fat-soluble vitamins).

Optimal tooth and bone formation occurs only on a diet that is sufficient in minerals and fat-soluble vitamins, and low in phytic acid. Drs. Mellanby used dogs in their experiments, which it turns out are a good model for tooth formation in humans for a reason I'll explain later. From Nutrition and Disease:
Thus, if growing puppies are given a limited amount of separated [skim] milk together with cereals, lean meat, orange juice, and yeast (i.e., a diet containing sufficient energy value and also sufficient proteins, carbohydrates, vitamins B and C, and salts), defectively formed teeth will result. If some rich source of vitamin D be added, such as cod-liver oil or egg-yolk, the structure of the teeth will be greatly improved, while the addition of oils such as olive... leaves the teeth as badly formed as when the basal diet only is given... If, when the vitamin D intake is deficient, the cereal part of the diet is increased, or if wheat germ [high in phytic acid] replaces white flour, or, again, if oatmeal [high in phytic acid] is substituted for white flour, then the teeth tend to be worse in structure, but if, under these conditions, the calcium intake is increased, then calcification [the deposition of calcium in the teeth] is improved.
Other researchers initially disputed the Mellanbys' results because they weren't able to replicate the findings in rats. It turns out, rats produce the phytic acid-degrading enzyme phytase in their small intestine, so they can extract minerals from unfermented grains better than dogs. Humans also produce phytase, but at levels so low they don't significantly degrade phytic acid. The small intestine of rats has about 30 times the phytase activity of the human small intestine, again demonstrating that humans are not well adapted to eating grains. Our ability to extract minerals from seeds is comparable to that of dogs, which shows that the Mellanbys' results are more applicable to humans than those in rats.

Drs. Mellanby found that the same three factors determine bone quality in dogs as well, which I may discuss in another post.

Is there anything someone with fully formed enamel can do to prevent tooth decay? Drs. Mellanby showed (in humans this time) that not only can tooth decay be prevented by a good diet, it can be almost completely reversed even if it's already present. Dr. Weston Price used a similar method to reverse tooth decay as well. I'll discuss that in my next post.

Wednesday, 25 March 2009

What did they take when they left? Part 2 – Finding out what they ran before they left

Hello Reader,

        In Part 1 we discussed how to determine if a CD was burned. Knowing what application it was burned with and what other tools they ran before they left is also important.

  1. User Assist

One way to determine this is with the UserAssist registry keys. Over the years since the UserAssist registry keys were first discovered (they were included in our Windows analysis chapter in 2005) many people have realized the impact they can have on a case. The User Assistance functionality has existed since Windows 2000 and is a registry key, divided into two parts, that keeps track of recently used programs and files for the Start menu.

The user assist registry key exists in each user's ntuser.dat under the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Under it there are multiple subkeys depending on the version of Windows you are examining: two for Windows 2000, XP and 2003, and three for Windows Vista and Server 2008. Under each of those you will find a Count key that contains the actual data we are looking for. Entries are encoded in ROT13, and if you are not using one of the tools listed in this blog you will need to decode them yourself to read the entries.


 

There are multiple tools that support the UserAssist registry keys for analysis (AccessData's Registry Viewer and Didier Stevens' tool, for instance) that will quickly allow you to see:

  1. What program or file was accessed
  2. How many times the program or file has been accessed through windows explorer
  3. The last time the program or file was accessed through windows explorer

As a simple example, I use Microsoft Office a lot. In fact I write my blog posts in it as it can directly post them to blogger (hopefully catching all my typos). So a decoded user assist entry for Office in my registry looks like this:

"{75048700-EF1F-11D0-9888-006097DEACF9}","20","UEME_RUNPATH:C:\Program Files\Microsoft Office\Office12\WINWORD.EXE","","54","37","3/22/2009 9:25:59 PM"

This entry was found in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Decoding the entry section by section we see:

  1. {75048700-EF1F-11D0-9888-006097DEACF9} - the registry key under user assist that this belongs to, data appears to be grouped into categories based on these id's.
  2. 20 – The index number; this number increments as entries are added to this key, so this is the 20th entry logged. If a program has been executed multiple times, such as my Word 2007 program, sorting by the index number will give you an idea of when it was first executed.
  3. UEME_RUNPATH:C:\Program Files\Microsoft Office\Office12\WINWORD.EXE – This is two pieces of info combined into one:
    1. UEME_RUNPATH – This is the prefix for all entries that will give you a full path to the program or file being accessed
    2. C:\Program Files\Microsoft Office\Office12\WINWORD.EXE – this is the full path to the program or file executed
  4. 54 – This is the session, its use is still unknown
  5. 37 – This is the number of times the program has been executed
  6. 3/22/2009 9:25:59 PM – This is the last time the key was updated and should be the last time it was executed

Going through the UserAssist entries then allows us to find out what programs were being executed around the time that, for instance, a CD was burned. Sorting the entries by time, we can see what was being executed around that time. If there is no corresponding entry you may want to look at the restore points for backups of the ntuser.dat close to the time of the burn to find the program executed.
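As an added example (not the blog's code or any of the tools it names), the following Python parses XP-era UserAssist Count values: it ROT13-decodes the value name, unpacks the 16-byte session/counter/FILETIME data, and lists the RUNPATH entries whose last run falls within a window around a chosen time such as a CD burn. The sample values, the burner.exe path and the UTC reading of the Word timestamp are constructed for this example; the subtract-5 adjustment on the counter is the convention common tools apply to XP values.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# XP-era (2000/XP/2003) values carry a counter biased by 5; common tools
# subtract 5 to get the launch count. Vista uses a larger layout that this
# parser does not handle.
XP_COUNT_OFFSET = 5


def decode_userassist_name(encoded_name):
    """ROT13-decode a Count value name and split the UEME_ prefix from its payload.

    The registry stores e.g. "HRZR_EHACNGU:P:\\..."; decoding yields
    ("UEME_RUNPATH", "C:\\...").
    """
    plain = codecs.decode(encoded_name, "rot_13")
    prefix, sep, payload = plain.partition(":")
    return (prefix, payload) if sep else (plain, "")


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used below only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(encoded_name, data):
    """Parse one XP-style UserAssist Count value.

    Data layout (little-endian): uint32 session, uint32 counter, uint64 FILETIME.
    Returns the decoded path, session, raw and adjusted counts and the last-run
    time (None when the FILETIME is zero, i.e. the entry was never updated).
    """
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP-style value, got %d bytes" % len(data))
    session, raw_count, filetime = struct.unpack("<IIQ", data)
    prefix, payload = decode_userassist_name(encoded_name)
    return {
        "prefix": prefix,
        "path": payload,
        "session": session,
        "raw_count": raw_count,
        "run_count": max(raw_count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def runs_near(entries, pivot, window=timedelta(minutes=10)):
    """Return RUNPATH entries whose last run lies within +/- window of pivot
    (for example the time a CD burn was logged), earliest first."""
    hits = [
        e for e in entries
        if e["prefix"] == "UEME_RUNPATH" and e["last_run"] is not None
        and abs(e["last_run"] - pivot) <= window
    ]
    return sorted(hits, key=lambda e: e["last_run"])


# --- Constructed sample values, ROT13-named as they would appear in the Count
# key. The Word entry mirrors the decoded entry shown in the post (timestamp
# treated as UTC here); the other two paths are placeholders. ---
def _enc(plain):
    return codecs.encode(plain, "rot_13")


def _value(session, raw_count, when):
    return struct.pack("<IIQ", session, raw_count, datetime_to_filetime(when) if when else 0)


SAMPLE_COUNT_VALUES = {
    "HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Zvpebfbsg Bssvpr\\Bssvpr12\\JVAJBEQ.RKR":
        _value(54, 37 + XP_COUNT_OFFSET, datetime(2009, 3, 22, 21, 25, 59, tzinfo=timezone.utc)),
    # Hypothetical burning tool launched once, a few minutes earlier.
    _enc("UEME_RUNPATH:C:\\Tools\\burner.exe"):
        _value(54, 1 + XP_COUNT_OFFSET, datetime(2009, 3, 22, 21, 19, 5, tzinfo=timezone.utc)),
    # An entry that exists but was never updated (zero FILETIME).
    _enc("UEME_RUNPATH:C:\\Tools\\unused.exe"): _value(54, XP_COUNT_OFFSET, None),
}


def parse_sample():
    return [parse_userassist_value(name, data) for name, data in SAMPLE_COUNT_VALUES.items()]


if __name__ == "__main__":
    burn_time = datetime(2009, 3, 22, 21, 20, 0, tzinfo=timezone.utc)  # constructed pivot
    for e in runs_near(parse_sample(), burn_time):
        print(e["last_run"].isoformat(), e["run_count"], e["path"])
```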

If the UserAssist keys are missing, one of two things could have occurred:

  1. The user disabled them, there will be a registry key created showing this if true.
  2. The user has deleted them, this can be an indication of some type of 'cleaning' tool being run such as Crap Cleaner.

Now the user assist registry keys are not the only place to look for what programs have been executed. We don't want to rely solely on access times as they change so easily and don't prove that a program was actually executed. We want to focus on artifacts created because of an execution of which there are two other well documented sets of artifacts that show the actual execution of a program.

  2. Shortcut/LNK Files

LNK files, so named because of the '.LNK' extension given to them, are stored in several locations depending on their function. We will discuss LNK files in more detail in the next post as they are an extreme wealth of information, but for the purposes of this post it suffices to say that we can use LNK files to determine if a program was executed through one.

The Start menu for each user, from Windows 2000 on, is stored under the user's profile directory (\documents and settings\<user>\start menu in XP and \users\<user>\start menu in Vista and 2008) and contains a LNK file for each of the items listed in the user's Start menu when they click the Start button. So each time a user loads a program through it, the modified date of the LNK file will change to reflect it. This also applies to any other instance of the LNK file, such as in the quick launch bar or on the desktop.

So for instance my Office 2007 LNK file in the Start menu shows a created time of 11/24/2008, which is when I installed Office 2007 on this computer. The modification date is 3/22/09 9:25pm, which is the last time I used the LNK file to load up Office 2007. You can see that the prefetch reference below says 9:26pm; it takes a couple of seconds between the time I clicked the LNK and when the prefetch file gets created.


 

  3. Prefetch Files

Stored in the \Windows\Prefetch directory, there is one .pf file for each of up to 128 programs, and its last modified time is updated each time the program is executed. The Forensic Wiki has a nice write-up on prefetch files. There are several tools out there for parsing prefetch files; one that is free is part of the Windows File Analyzer program. If I were to analyze the prefetch file for Office 2007 I would see the following:

File name: WINWORD.EXE-6AC9169C.pf

Last loaded: 3/22/09 and 9:26PM

This is when I started writing this blog post, it's been a couple days of research catching up on old topics to see what people have figured out.

So the prefetch file is a third correlation point we can use to determine if and when a program has been executed.

  4. Conclusion

So we now have three separate sources on a typical Windows system that we can use to determine what programs had been executed (the first and last times), when and how many times they have been executed. These are not the only places we can look for this information but they are three of the most reliable due to the nature of their creation and use. If you find that all of this data is missing then it becomes almost certain that either

  1. The system is being reimaged each time it reboots/logs in (some public access terminals do this)
  2. A cleaning/wiping tool has been run

I plan to make a post on how to determine what a user has wiped after this series, but if a cleaning tool has not been run, one or all of these sources will allow you to state for a fact what program was executed to:

  1. Run a backup program (such as the ones that are packaged with some external hard drives like retrospect)
  2. Burn a CD
  3. Run an ftp program
  4. Access some kind of archiving or copy tool

Which will then lead to the next question and our next post in the series: Part 3 - Where did it go and what did they take?

Monday, 23 March 2009

More Thoughts on the Glycemic Index

In the last post, I reviewed the controlled trials on the effect of the glycemic index (GI) of carbohydrate foods on health. I concluded that there is not much evidence that a low GI diet is better for health than a high GI diet.

It is true that for the "average" individual the GI of carbohydrate foods can affect the glucose and insulin response somewhat, even in the context of an actual meal. If you compare two meals of very different GI, the low GI meal will cause less insulin secretion and cause less total blood glucose in the plasma over the course of the day (although the differences in blood glucose may not be large in all individuals).

But is that biologically significant? In other words, do those differences matter when it comes to health? I would argue probably not, and here's why: there's a difference between post-meal glucose and insulin surges within the normal range, and those that occur in pathological conditions such as diabetes and insulin resistance. Chronically elevated insulin is a marker of metabolic dysfunction, while post-meal insulin surges are not (although glucose surges in excess of 140 mg/dL indicate glucose intolerance). Despite what you may hear from some sectors of the low-carbohydrate community, insulin surges do not necessarily lead to insulin resistance. Just ask a Kitavan. They get 69% of their 2,200 calories per day from high-glycemic starchy tubers and fruit (380 g carbohydrate), with not much fat to slow down digestion. Yet they have low fasting insulin, very little body fat and an undetectable incidence of diabetes, heart attack and stroke. That's despite a significant elderly population on the island.

Furthermore, in the 4-month GI intervention trial I mentioned last time, they measured something called glycated hemoglobin (HbA1c). HbA1c is a measure of the amount of blood glucose that has "stuck to" hemoglobin molecules in red blood cells. It's used to determine a person's average blood glucose concentration over the course of the past few weeks. The higher your HbA1c, the poorer your blood glucose control, the higher your likelihood of having diabetes, and the higher your cardiovascular risk. The low GI group had a statistically significant drop in their HbA1c value compared to the high GI group. But the difference was only 0.06%, a change that is biologically meaningless.

OK, let's take a step back. The goal of thinking about all this is to understand what's healthy, right? Let's take a look at how carbohydrate foods are consumed by cultures that rarely suffer from obesity or metabolic disease. Cultures that rely heavily on carbohydrate generally fall into three categories: they eat cooked starchy tubers, they grind and cook their grains, or they rely on grains that become very soft when cooked. In the first category, we have Africans, South Americans, Polynesians and Melanesians (including the Kitavans). In the second, we have various Africans, Europeans (including the villagers of the Loetschental valley), Middle Easterners and South Americans. In the third category, we have Asians, Europeans (the oat-eating residents of the outer Hebrides) and South Americans (quinoa-eating Peruvians).

The pattern here is one of maximizing GI, not minimizing it. That's not because high GI foods are inherently superior, but because traditional processing techniques that maximize the digestibility of carbohydrate foods also tend to increase their GI. I believe healthy cultures around the world didn't care about the glycemic index of foods, they cared about digestibility and nutritional value.

The reason we grind grains is simple. Ground grains are digested more easily and completely (hence the higher GI). Furthermore, ground grains are more effective than intact grains at breaking down their own phytic acid when soaked, particularly if they're allowed to ferment. This further increases their nutritional value.

The human digestive system is delicate. Cows can eat whole grass seeds and digest them using their giant four-compartment stomach that acts as a fermentation tank. Humans that eat intact grains end up donating them to the waste treatment plant. We just don't have the hardware to efficiently extract the nutrients from cooked whole rye berries, unless you're willing to chew each bite 47 times. Oats, quinoa, rice, beans and certain other starchy seeds are exceptions because they're softened sufficiently by cooking.

Grain consumption and grinding implements appear simultaneously in the archaeological record. Grinding has always been used to increase the digestibility of tough grains, even before the invention of agriculture when hunter-gatherers were gathering wild grains in the fertile crescent. Some archaeologists consider grinding implements one of the diagnostic features of a grain-based culture. Carbohydrate-based cultures have always prioritized digestibility and nutritional value over GI.

Finally, I'd like to emphasize that some people don't have a good relationship with carbohydrate. Diabetics and others with glucose intolerance should be very cautious with carbohydrate foods. The best way to know how you deal with carbohydrate is to get a blood glucose meter and use it after meals. For $70 or less, you can get a cheap meter and 50 test strips that will give you a very good idea of your glucose response to typical meals (as opposed to a glucose bomb at the doctor's office). Jenny Ruhl has a tutorial that explains the process. It's also useful to pay attention to how you feel and look with different amounts of carbohydrate in your diet.

Thursday, 19 March 2009

What did they take when they left? Part 1 - Detecting CD Burning

Dear Reader,

We've been discussing server-level analysis for the last couple of posts, but there is plenty to talk about on the desktop. This will be a multi-part series discussing different artifacts that we can recover that give us provable facts regarding a user's activity. It is easy to speculate on actions based on speculative data such as access dates, or related files or DLLs accessed on a system, but it is always better to rely on a repeatable process that creates a specific artifact each time to explain a user's action.


We only do cases that either lead to civil litigation or are in the process of civil litigation (no criminal work). One of our most common requests is the question: before this employee left, did they take any documents with them? There are several places on a system we check to determine if a user has taken a document from the system in some fashion (CD, USB drive, emailed out, printed, etc…), and in this post we will discuss how to determine if a user has burned a CD. If you are examining a Windows XP or Windows Server 2003 image (I have not been able to test this on Vista or Server 2008 yet), the system event log will contain event IDs 7036 and 7035 generated by the Service Control Manager, with a description starting with "The IMAPI CD-Burning Service". There will be one such set of entries showing the service starting and stopping on each reboot, but any entry not close to a reboot will indicate that a CD is being burned from this system.


An example of a burning entry, yes my machine is named HOSS:

Date | Time | Source | Type | Category | Event | User | Computer | Description

12/11/2008 | 3:04:13 PM | Service Control Manager | Information | None | 7036 | N/A | HOSS | The IMAPI CD-Burning COM Service service entered the running state.

12/11/2008 | 3:04:13 PM | Service Control Manager | Information | None | 7035 | NT AUTHORITY\SYSTEM | HOSS | The IMAPI CD-Burning COM Service service was successfully sent a start control.

12/11/2008 | 3:04:22 PM | Service Control Manager | Information | None | 7036 | N/A | HOSS | The IMAPI CD-Burning COM Service service entered the stopped state.

Sorry for the bad editing here, the full row will not fit in this blog template. The line starts with the date and then continues in the block below. There is one date for each of the IMAPI entries.

If those three entries are not part of a reboot/startup sequence then you have found a user burning a CD. These entries do not have to be in uninterrupted sequence as you see here, but there should be a start and a stop to show a successful burn. This is not just for CDs burned by Windows directly, third party applications will also call this service when burning a CD. You can estimate the size of the data burned to the disk by determining the number of minutes spent burning (the time between the start and stop of the service) multiplied by the write speed of the CDROM. This also applies to DVDs.
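An added example, not code from the post: Python that reads constructed System log rows in Event Viewer export column order, pairs the IMAPI 7036 running/stopped events into sessions, flags sessions that are not within a few minutes of a known boot time, and applies the post's duration-times-write-speed size estimate (1x CD = 150 KiB/s). The 08:00 boot time and its entries are constructed; the afternoon rows mirror the post's example. As the update below notes, a flagged session is a lead to corroborate with UserAssist or prefetch data, not proof of a burn on its own.

```python
from datetime import datetime, timedelta

# Service Control Manager event IDs the post keys on; the constant names are mine.
EVT_SCM_CONTROL_SENT = 7035   # "... was successfully sent a start control"
EVT_SCM_STATE_CHANGE = 7036   # "... entered the running/stopped state"
IMAPI_SERVICE = "IMAPI CD-Burning COM Service"

# 1x CD write speed is 150 KiB/s; an N-x drive writes N times that.
CD_1X_BYTES_PER_SEC = 150 * 1024


def parse_row(row):
    """Parse one tab-separated System log row in Event Viewer export order:
    date, time, source, type, category, event id, user, computer, description.
    Times are kept as the local time shown in the log (naive datetimes)."""
    date, clock, source, _type, _cat, event_id, _user, computer, desc = row.split("\t")
    return {
        "when": datetime.strptime(date + " " + clock, "%m/%d/%Y %I:%M:%S %p"),
        "source": source,
        "event_id": int(event_id),
        "computer": computer,
        "description": desc,
    }


def imapi_sessions(events, reboots, reboot_window=timedelta(minutes=5)):
    """Pair each IMAPI 'entered the running state' 7036 event with the next
    'entered the stopped state' 7036 event, and mark whether the session sits
    within reboot_window of a known boot time. Sessions not near a boot are
    the candidates the post describes; other activity can also produce them."""
    sessions, start = [], None
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["source"] != "Service Control Manager" or IMAPI_SERVICE not in ev["description"]:
            continue
        if ev["event_id"] != EVT_SCM_STATE_CHANGE:
            continue  # the 7035 control event duplicates the 7036 state change
        if "entered the running state" in ev["description"]:
            start = ev["when"]
        elif "entered the stopped state" in ev["description"] and start is not None:
            sessions.append({
                "start": start,
                "stop": ev["when"],
                "duration": ev["when"] - start,
                "near_reboot": any(abs(start - rb) <= reboot_window for rb in reboots),
            })
            start = None
    return sessions


def estimate_bytes_written(duration, write_speed_x):
    """Upper-bound estimate from the post: seconds between service start and
    stop, multiplied by the drive's write speed."""
    return int(duration.total_seconds()) * write_speed_x * CD_1X_BYTES_PER_SEC


# Constructed sample log: a boot-time start/stop pair at 08:00 plus the
# afternoon entries from the post (machine HOSS). Columns are tab-separated.
SAMPLE_LOG = """\
12/11/2008\t8:00:04 AM\tService Control Manager\tInformation\tNone\t7036\tN/A\tHOSS\tThe IMAPI CD-Burning COM Service service entered the running state.
12/11/2008\t8:00:09 AM\tService Control Manager\tInformation\tNone\t7036\tN/A\tHOSS\tThe IMAPI CD-Burning COM Service service entered the stopped state.
12/11/2008\t3:04:13 PM\tService Control Manager\tInformation\tNone\t7036\tN/A\tHOSS\tThe IMAPI CD-Burning COM Service service entered the running state.
12/11/2008\t3:04:13 PM\tService Control Manager\tInformation\tNone\t7035\tNT AUTHORITY\\SYSTEM\tHOSS\tThe IMAPI CD-Burning COM Service service was successfully sent a start control.
12/11/2008\t3:04:22 PM\tService Control Manager\tInformation\tNone\t7036\tN/A\tHOSS\tThe IMAPI CD-Burning COM Service service entered the stopped state.
"""
SAMPLE_REBOOTS = [datetime(2008, 12, 11, 8, 0, 0)]  # constructed boot time


def analyse_sample(write_speed_x=48):
    """Run the pairing over the sample and attach the size estimate (48x drive assumed)."""
    events = [parse_row(r) for r in SAMPLE_LOG.splitlines() if r]
    sessions = imapi_sessions(events, SAMPLE_REBOOTS)
    for s in sessions:
        s["max_bytes"] = estimate_bytes_written(s["duration"], write_speed_x)
    return sessions


if __name__ == "__main__":
    for s in analyse_sample():
        tag = "boot-time" if s["near_reboot"] else "CANDIDATE BURN"
        print(tag, s["start"], "->", s["stop"], "max ~%.1f MiB" % (s["max_bytes"] / 2**20))
```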


I will not discuss how to determine if a CD was accessed in this post as that is material for Part 2 – What was accessed from external drives.


Update: As per the comments below, more activities than just booting and burning will cause these event log entries to show up. I will be doing some more testing to find a better answer.

The Glycemic Index: A Critical Evaluation

The glycemic index (GI) is a measure of how much an individual food elevates blood sugar when it's eaten. To measure it, investigators feed a person a food that contains a fixed amount of carbohydrate, and measure their blood glucose response over time. Then they determine the area under the glucose curve and compare it to a standard food such as white bread or pure glucose.

Each food must contain the same total amount of carbohydrate, so you might have to eat a big plate of carrots to compare with a slice of bread. You end up with a number that reflects the food's ability to elevate glucose when eaten in isolation. It depends in large part on how quickly the carbohydrate is digested/absorbed, with higher numbers usually resulting from faster absorption.

The GI is a standby of modern nutritional advice. It's easy to believe in because processed foods tend to have a higher glycemic index than minimally processed foods, high blood sugar is bad, and chronically high insulin is bad. Yet many people have criticized the concept. Why?

Blood sugar responses to carbohydrate-containing foods vary greatly from person to person. For example, I can eat a medium potato and a big slice of white bread (roughly 60 g carbohydrate) with nothing else and only see a modest spike in my blood sugar. I barely break 100 mg/dL and I'm back at fasting glucose levels within an hour and a half. You can see a graph of this experiment here. That's what happens when you have a well-functioning pancreas and insulin-sensitive tissues. Your body shunts glucose into the tissues almost as rapidly as it enters the bloodstream. Someone with impaired glucose tolerance might have gone up to 170 mg/dL for two and a half hours on the same meal.

The other factor is that foods aren't eaten in isolation. Fat, protein, acidity and other factors slow carbohydrate absorption in the context of a normal meal, to the point where the GI of the individual foods becomes much less pronounced.

Researchers have conducted a number of controlled trials comparing low-GI diets to high-GI diets. I've done an informal literature review to see what the overall findings are. I'm only interested in long-term studies-- 10 weeks or longer-- and I've excluded studies using subjects with metabolic disorders such as diabetes.  

The question I'm asking with this review is, what are the health effects of a low-glycemic index diet on a healthy normal-weight or overweight person? I found a total of seven studies on PubMed in which investigators varied GI while keeping total carbohydrate about the same, for 10 weeks or longer. I'll present them out of chronological order because they flow better that way.  

One issue with this literature that I want to highlight before we proceed is that most of these studies weren't properly controlled to isolate the effects of GI independent of other factors.  Low GI foods are often whole foods with more fiber, more nutrients, and a higher satiety value per calorie than high GI foods.

Study #1. Investigators put overweight women on a 12-week diet of either high-GI or low-GI foods with an equal amount of total carbohydrate. Both were unrestricted in calories. Body composition and total food intake were the same on both diets. Despite the diet advice aimed at changing GI, the investigators found that both groups' glucose and insulin curves were the same!

Study #2. Investigators divided 129 overweight young adults into four different diet groups for 12 weeks. Diet #1: high GI, high carbohydrate (60%). Diet #2: low GI, high carbohydrate. Diet #3: high GI, high-protein (28%). Diet #4: low GI, high protein. The high-protein diets were also a bit higher in fat. Although the differences were small and mostly not statistically significant, participants on diet #3 improved the most overall in my opinion. They lost the most weight, and had the greatest decrease in fasting insulin and calculated insulin resistance. Diet #2 came out modestly ahead of diet #1 on fat loss and fasting insulin.

Study #3. At 18 months, this is by far the longest trial. Investigators assigned 203 healthy Brazilian women to either a low-GI or high-GI energy-restricted diet. The difference in GI between the two diets was substantial; the high-GI diet was supposed to be double the low-GI diet. This was accomplished by a number of differences between diets, including different types of rice and higher bean consumption in the low-GI group.  Weight loss was a meager 1/3 pound greater in the low-GI group, a difference that was not statistically significant at 18 months. Changes in estimated insulin sensitivity were not statistically significant.

Study #4. The FUNGENUT study. In this 12-week intervention, investigators divided 47 subjects with the metabolic syndrome into two diet groups. One was a high-glycemic, high-wheat group; the other was a low-glycemic, high-rye group. After 12 weeks, there was an improvement in the insulinogenic index (a marker of early insulin secretion in response to carbohydrate) in the rye group but not the wheat group. Glucose tolerance was essentially the same in both groups.

What makes this study unique is they went on to look at changes in gene expression in subcutaneous fat tissue before and after the diets. They found a decrease in the expression of stress and inflammation-related genes in the rye group, and an increase in stress and inflammation genes in the wheat group. They interpreted this as being the result of the different GIs of the two diets.

Further research will have to determine whether the result they observed is due to the glycemic differences of the two diets or something else.

Study #5. Investigators divided 18 subjects with elevated cardiovascular disease risk markers into two diets differing in their GI, for 12 weeks. The low-glycemic group lost 4 kg (statistically significant), while the high-glycemic group lost 1.5 kg (not statistically significant). In addition, the low-GI group ended up with lower 24-hour blood glucose measurements. This study was a bit strange because the high-GI group started off 14 kg heavier than the low-GI group, and the way the data are reported is difficult to understand. Perhaps these limitations, along with the study's incongruence with other controlled trials, are what inspired the authors to describe it as a pilot study.

Study #6. 45 overweight females were divided between high-GI and low-GI diets for 10 weeks. The low-GI group lost a small amount more fat than the high-GI group, but the difference wasn't significant. The low-GI group also had a 10% drop in LDL cholesterol.

Study #7. This was the second-longest trial, at 4 months. 34 subjects with impaired glucose tolerance were divided into three diet groups. Diet #1: high-carbohydrate (60%), high-GI. Diet #2: high-carbohydrate, low-GI. Diet #3: "low-carbohydrate" (49%), "high-fat" (monounsaturated from olive and canola oil). The diet #1 group lost the most weight, followed by diet #2, while diet #3 gained weight. The differences were small but statistically significant. The insulin and triglyceride response to a test meal improved in diet group #1 but not #2. The insulin response also improved in group #3. The high-GI group came out looking pretty good. 

[Update 10/2011-- please see this post for a recent example of a 6 month controlled trial including 720 participants that tested the effect of glycemic index modification on body fatness and health markers-- it is consistent with the conclusion below]

Overall, these studies do not support the idea that lowering the glycemic index of carbohydrate foods is useful for weight loss, insulin or glucose control, or anything else besides complicating your life.  I'll keep my finger on the pulse of this research as it expands, but for the time being I don't see the glycemic index per se as a significant way to combat fat gain or metabolic disease.

Monday, 16 March 2009

Bangle Capsule: How I Lost 12 Kg of Body Weight the Healthy Way


Before and after taking Bangle capsules




Indonesia has native plants with good medicinal properties, one example being bangle. This plant has long been trusted as a belly slimmer, especially by mothers after giving birth. The part most used is its rhizome. Traditionally, the plant, whose Latin name is Zingiber purpureum, is also used to treat colds (masuk angin), constipation, headaches, and intestinal worms, and to warm the body.

Bangle contains unique compounds. Research has found that bangle contains a compound that acts as an activator and a compound that inhibits the activity of the lipase enzyme. With the enzyme's activity inhibited, fat absorption is hindered and the fat is excreted in the feces (stool).








A practical way to consume bangle rhizome is now available from Dr. Liza, namely Bangle Capsule. Many people have used this product to help lose weight. Mrs. Engkay Kurniawati (30 years old) is a housewife in Bogor who takes the product. Over roughly 6 consecutive months she managed to reduce her weight by 12 kilograms from an initial 67 kilograms. "With Dr. Liza's Bangle Capsule my weight dropped 1.5 to 2 kilograms per month. Every day I take Bangle Capsule according to the recommended dose, which is 2 capsules per day," said Mrs. Engkay. After feeling that her body weight was ideal at 54 kilograms, she still takes this product at 1 capsule per day to maintain her health.

According to her, she has felt no side effects from taking the Bangle Capsule product, and her bowel movements are regular. Only her appetite is somewhat reduced, but this does not endanger her health. Day to day she simply does the housework, with adequate rest, and the results she has obtained are very satisfying to her.

"My neighbors in the housing complex were amazed by the change in my weight, and even more so my family in Banten; in the end they tried Bangle Capsule on my recommendation," exclaimed Mrs. Engkay. She first learned of this product from a health clinic located not far from her complex. "I am increasingly confident in the ability of Indonesian herbs to handle various problems; the side effects are very minimal, and there is no need to spend a lot of money. Thank you Liza Herbal," Mrs. Engkay related.

http://www.lizaherbal.com/main/index.php?option=com_content&task=view&id=170&Itemid=1

SehaatHerbal.Com supplies Bangle capsules at Rp 50,000 per 45 capsules. Ordering info: 021-91752768.

Sunday, 15 March 2009

Paleopathology at the Origins of Agriculture

In April of 1982, archaeologists from around the globe converged on Plattsburgh, New York for a research symposium. Their goal:
...[to use] data from human skeletal analysis and paleopathology [the study of ancient diseases] to measure the impact on human health of the Neolithic Revolution and antecedent changes in prehistoric hunter-gatherer food economies. The symposium developed out of our perception that many widely debated theories about the origins of agriculture had testable but untested implications concerning human health and nutrition and our belief that recent advances in techniques of skeletal analysis, and the recent explosive increase in data available in this field, permitted valid tests of many of these propositions.
In other words, they got together to see what happened to human health as populations adopted agriculture. They were kind enough to publish the data presented at the symposium in the book Paleopathology at the Origins of Agriculture, edited by the erudite Drs. Mark Nathan Cohen and George J. Armelagos. It appears to be out of print, but luckily I have access to an excellent university library.

There are some major limitations to studying human health by looking at bones. The most obvious is that any soft tissue pathology will have been erased by time. Nevertheless, you can learn a lot from a skeleton. Here are the main health indicators discussed in the book:
  • Mortality. Archaeologists are able to judge a person's approximate age at death, and if the number of skeletons is large enough, they can paint a rough picture of the life expectancy and infant mortality of a population.
  • General growth. Total height, bone thickness, dental crowding, and pelvic and skull shape are all indicators of relative nutrition and health. This is particularly true in a genetically stable population. Pelvic depth is sensitive to nutrition and determines the size of the birth canal in women.
  • Episodic stress. Bones and teeth carry markers of temporary "stress", most often due to starvation or malnutrition. Enamel hypoplasia, horizontal bands of thinned enamel on the teeth, is probably the most reliable marker. Harris lines, bands of increased density in long bones that may be caused by temporary growth arrest, are another type.
  • Porotic hyperostosis and cribra orbitalia. These are both skull deformities that are caused by iron deficiency anemia, and are rather creepy to look at. They're typically caused by malnutrition, but can also result from parasites.
  • Periosteal reactions. These are bone lesions resulting from infections.
  • Physical trauma, such as fractures.
  • Degenerative bone conditions, such as arthritis.
  • Isotopes and trace elements. These can sometimes yield information about the nutritional status, diet composition and diet quality of populations.
  • Dental pathology. My favorite! This category includes cavities, periodontal disease, missing teeth, abscesses, tooth wear, and excessive dental plaque.
The book presents data from 19 regions of the globe, representing Africa, Asia, the Middle East, Europe, South America, with a particular focus on North America. I'll kick things off with a fairly representative description of health in the upper Paleolithic in the Eastern Mediterranean. The term "Paleolithic" refers to the period from the invention of stone tools by hominids 2.5 million years ago, to the invention of agriculture roughly 10,000 years ago. The upper Paleolithic lasted from about 40,000 to 10,000 years ago. From page 59:
In Upper Paleolithic times nutritional health was excellent. The evidence consists of extremely tall stature from plentiful calories and protein (and some microevolutionary selection?); maximum skull base height from plentiful protein, vitamin D, and sunlight in early childhood; and very good teeth and large pelvic depth from adequate protein and vitamins in later childhood and adolescence...
Adult longevity, at 35 years for males and 30 years for females, implies fair to good general health...
There is no clear evidence for any endemic disease.
The level of skeletal (including cranial and pelvic) development Paleolithic groups exhibited has remained unmatched throughout the history of agriculture. There may be exceptions but the trend is clear. Cranial capacity was 11% higher in the upper Paleolithic. You can see the pelvic data in this table taken from Paleopathology at the Origins of Agriculture.

There's so much information in this book, the best I can do is quote pieces of the editor's summary and add a few remarks of my own. One of the most interesting things I learned from the book is that the diet of many hunter-gatherer groups changed at the end of the upper Paleolithic, foreshadowing the shift to agriculture. From pages 566-568:
During the upper Paleolithic stage, subsistence seems focused on relatively easily available foods of high nutritional value, such as large herd animals and migratory fish. Some plant foods seem to have been eaten, but they appear not to have been quantitatively important in the diet. Storage of foods appears early in many sequences, even during the Paleolithic, apparently to save seasonal surpluses for consumption during seasons of low productivity.

As hunting and gathering economies evolve during the Mesolithic [period of transition between hunting/gathering and agriculture], subsistence is expanded by exploitation of increasing numbers of species and by increasingly heavy exploitation of the more abundant and productive plant species. The inclusion of significant amounts of plant food in prehistoric diets seems to correlate with increased use of food processing tools, apparently to improve their taste and digestibility. As [Dr. Mark Nathan] Cohen suggests, there is an increasing focus through time on a few starchy plants of high productivity and storability. This process of subsistence intensification occurs even in regions where native agriculture never developed. In California, for example, as hunting-gathering populations grew, subsistence changed from an early pattern of reliance on game and varied plant resources to one with increasing emphasis on collection of a few species of starchy seeds and nuts.

...As [Dr. Cohen] predicts, evolutionary change in prehistoric subsistence has moved in the direction of higher carrying capacity foods, not toward foods of higher-quality nutrition or greater reliability. Early nonagricultural diets appear to have been high in minerals, protein, vitamins, and trace nutrients, but relatively low in starch. In the development toward agriculture there is a growing emphasis on starchy, highly caloric food of high productivity and storability, changes that are not favorable to nutritional quality but that would have acted to increase carrying capacity, as Cohen's theory suggests.
Very interesting.

One of the interesting things I learned from the book is that Mesolithic populations, groups that were halfway between farming and hunting-gathering, were generally as healthy as hunter-gatherers:
...it seems clear that seasonal and periodic physiological stress regularly affected most prehistoric hunting-gathering populations, as evidenced by the presence of enamel hypoplasias and Harris lines. What also seems clear is that severe and chronic stress, with high frequency of hypoplasias, infectious disease lesions, pathologies related to iron-deficiency anemia, and high mortality rates, is not characteristic of these early populations. There is no evidence of frequent, severe malnutrition, so the diet must have been adequate in calories and other nutrients most of the time. During the Mesolithic, the proportion of starch in the diet rose, to judge from the increased occurrence of certain dental diseases [with exceptions to be noted later], but not enough to create an impoverished diet... There is a possible slight tendency for Paleolithic people to be healthier and taller than Mesolithic people, but there is no apparent trend toward increasing physiological stress during the mesolithic.
Cultures that adopted intensive agriculture typically showed a marked decline in health indicators. This is particularly true of dental health, which usually became quite poor.
Stress, however, does not seem to have become common and widespread until after the development of high degrees of sedentism, population density, and reliance on intensive agriculture. At this stage in all regions the incidence of physiological stress increases greatly, and average mortality rates increase appreciably. Most of these agricultural populations have high frequencies of porotic hyperostosis and cribra orbitalia, and there is a substantial increase in the number and severity of enamel hypoplasias and pathologies associated with infectious disease. Stature in many populations appears to have been considerably lower than would be expected if genetically-determined maxima had been reached, which suggests that the growth arrests documented by pathologies were causing stunting... Incidence of carbohydrate-related tooth disease increases, apparently because subsistence by this time is characterized by a heavy emphasis on a few starchy food crops.
Infectious disease increased upon agricultural intensification:
Most [studies] conclude that infection was a more common and more serious problem for farmers than for their hunting and gathering forebears; and most suggest that this resulted from some combination of increasing sedentism, larger population aggregates, and the well-established synergism between infection and malnutrition.
There are some apparent exceptions to the trend of declining health with the adoption of intensive agriculture. In my observation, they fall into two general categories. In the first, health improves upon the transition to agriculture because the hunter-gatherer population was unhealthy to begin with. This is due to living in a marginal environment or eating a diet with a high proportion of wild plant seeds. In the second category, the culture adopted rice. Rice is associated with less of a decline in health, and in some cases an increase in overall health, than other grains such as wheat and corn. In chapter 21 of the book Ancient Health: Bioarchaeological Interpretations of the Human Past, Drs. Michelle T Douglas and Michael Pietrusewsky state that "rice appears to be less cariogenic [cavity-promoting] than other grains such as maize [corn]."

One pathology that seems to have decreased with the adoption of agriculture is arthritis. The authors speculate that it may have more to do with strenuous activity than other aspects of the lifestyle such as diet. Another interpretation is that the hunter-gatherers appeared to have a higher arthritis rate because of their longer lifespans:
The arthritis data are also complicated by the fact that the hunter-gatherers discussed commonly displayed higher average ages at death than did the farming populations from the same region. The hunter-gatherers would therefore be expected to display more arthritis as a function of age even if their workloads were comparable [to farmers].
In any case, it appears arthritis is normal for human beings and not a modern degenerative disease.

And the final word:
Taken as a whole, these indicators fairly clearly suggest an overall decline in the quality-- and probably in the length-- of human life associated with the adoption of agriculture.

Friday, 13 March 2009

Blackberry Server Log Analysis

Hello Reader,

To the end user, the blackberry server is simply where their blackberry gets its email. But a blackberry relays several kinds of communication, and the server can log each of them so that an informed investigator can recover them:

  1. Email
  2. SMS
  3. Blackberry Messenger
  4. PIN Messaging
  5. Phone Call Log

In total, the blackberry server will create the following types of logs:

  • ALRT - BES Alert
  • BBIM - BlackBerry Instant Messenger (4.1)
  • BBUA - BlackBerry User Administration Service (BRK)
  • CBCK - Backup Connector
  • CEXC - Exchange PIM Connector
  • CMNG - Management Connector
  • CTRL - BlackBerry Controller
  • DISP - BlackBerry Dispatcher
  • MAGT - BlackBerry Mailbox Agent (aka BlackBerry Messaging Agent)
  • MDAT - Mobile Data Services
  • MDSS - MDS Services (4.1)
  • MDSS-DISCOVERY - MDS Services (4.1)
  • POLC - Policy Service
  • ROUT - Router
  • SYNC - BlackBerry SyncServer
  • PhoneCallLog (4.1)
  • PINLog (4.1)
  • SMSLog (4.1)


     

(Thanks Wikipedia http://en.wikipedia.org/wiki/BlackBerry_Enterprise_Server)

  1. Email – The blackberry server logs record when a device connects to the server to pull email and when the server delivers mail and other messages. When you are dealing with a time-sensitive question of whether a message was received/sent/deleted from a blackberry, these logs may be your best source of evidence if enough time has passed for the message to be deleted from the blackberry device itself before imaging. For imaging blackberry devices, I personally use Paraben's Device Seizure (found here http://www.paraben-forensics.com/catalog/product_info.php?products_id=405) to do the device acquisition.

    The MAGT log with a name like "<Blackberry server name>_MAGT_01_20090108_0001.txt" will be a listing of every action taking place regarding the delivery of messages/calendar items/etc.. to every blackberry communicating with the server. You will find them in multiple segments per day. This is the place to look if the timing of the delivery/deletion/forwarding of a message from a blackberry is at issue.

  2. SMS – When configured to do so the blackberry server will log into a csv file the following fields:

    "Name.ID","Email Address","Type of Message","To","From","Callback Phone Number","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"

    With a file name such as "SMSLog_20070927.csv" with one log being created per day.

    The file is written out in utf16, so be aware of that if you want to parse it out.


 

  3. Blackberry Messenger – This is a blackberry IM program that, according to my current research, will not be logged on the server without creating an account to relay all the messages to. Without prior configuration, the only way to recover these messages is from the device itself.


 

  4. PIN Messaging – This is the PIN messaging log. PIN messages are those messages sent between blackberries directly through the blackberry server, directed to the PIN assigned to the blackberry by the server. By default the blackberry server will log into a csv the following fields:

    "Name.ID","PIN","Email Address","Type of Message","To","Cc","Bcc","From","Subject","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"

    With a file name such as "PINLog_20070927.csv" with one log being created per day.

    The file is written out in utf16, so be aware of that if you want to parse it out. I'm writing a parser now to dump them all into a mysql database that I will post when I correct a weird multiline message that I've found. Special bonus: it's a perl script that correctly handles utf16.


 

  5. Phone Call Log – This is a log of all of the calls being made from the blackberry devices; note this only applies to calls made on blackberries connected to this blackberry server. This includes missed calls, outgoing calls and incoming calls that I've seen to date. By default the blackberry server will log into a csv the following fields:

    "Name.ID","Type of Call","Name","Phone Number","Start Date","Server Log Date","Elapsed Time","Memo","Command","UID"

    With a file name such as "PhoneCallLog_20070927.csv" with one log being created per day.

    The file is written out in utf16, so be aware of that if you want to parse it out.

All of the CSV files will load into excel directly if you import them, otherwise if there is a large number of dates in question I would recommend parsing them into some kind of database so you can pull records by the user's name or PIN.
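As an added example (not the author's perl script, and not anything shipped with the blackberry server), here is a small Python parser that decodes one of these utf16 CSV logs, keeps a multiline message body intact, and loads the rows into SQLite so records can be pulled by Name.ID. The sample log content is constructed, and the code assumes the files begin with a byte-order mark; the header names are the ones quoted in the post.

```python
"""Parse BlackBerry Enterprise Server SMSLog / PINLog / PhoneCallLog CSVs.

Added example, not the author's perl parser. It assumes only what the
post states: the files are UTF-16, carry a header row with the quoted
field names, and one file is produced per day. Bodies can span lines.
"""
import csv
import io
import sqlite3

# Constructed sample SMSLog_20070927.csv content, in the field layout quoted
# in the post. Every value below is made up; the second body spans two lines.
SAMPLE_SMS_LOG = (
    '"Name.ID","Email Address","Type of Message","To","From",'
    '"Callback Phone Number","Body","Send/Received Date","Server Log Date",'
    '"Overall Message Status","Command","UID"\r\n'
    '"jdoe.1","jdoe@example.com","SMS","+15555550100","+15555550199","",'
    '"Meet at 5","2007-09-27 14:02:11","2007-09-27 14:02:15","Delivered","1","100"\r\n'
    '"jdoe.1","jdoe@example.com","SMS","+15555550199","+15555550100","",'
    '"Running late,\r\nstart without me","2007-09-27 14:05:00",'
    '"2007-09-27 14:05:03","Sent","2","101"\r\n'
    '"asmith.7","asmith@example.com","SMS","+15555550100","+15555550123","",'
    '"ok","2007-09-27 15:00:00","2007-09-27 15:00:02","Delivered","1","102"\r\n'
).encode("utf-16")  # encode() prepends a BOM, which is assumed to match the real files


def parse_bes_log(raw: bytes, encoding: str = "utf-16") -> list[dict]:
    """Decode one BES CSV log and return a list of row dicts keyed by header name.

    Decoding first, then handing the text to csv, is what makes the multiline
    body case work: csv keeps CR/LF inside a quoted field as part of the field.
    Pass encoding="utf-16-le" if a file turns out to lack the BOM.
    """
    text = raw.decode(encoding)
    # newline="" stops StringIO from translating the CR/LF pairs, which the
    # csv module wants to see untouched so it can spot the quoted continuation.
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return list(reader)


def load_log_file(path: str, encoding: str = "utf-16") -> list[dict]:
    """Read a log from disk (e.g. SMSLog_20070927.csv) and parse it."""
    with open(path, "rb") as fh:
        return parse_bes_log(fh.read(), encoding)


def load_into_sqlite(records: list[dict], table: str) -> sqlite3.Connection:
    """Load parsed rows into an in-memory SQLite table named after the log type.

    The column names come straight from the header row, double-quoted so that
    names with spaces, dots and slashes ("Send/Received Date") are legal
    identifiers. Everything is stored as TEXT; nothing is reinterpreted.
    """
    if not records:
        raise ValueError("no records to load")
    cols = list(records[0].keys())
    conn = sqlite3.connect(":memory:")
    col_defs = ", ".join(f'"{c}" TEXT' for c in cols)
    conn.execute(f'CREATE TABLE "{table}" ({col_defs})')
    marks = ", ".join("?" for _ in cols)
    conn.executemany(
        f'INSERT INTO "{table}" VALUES ({marks})',
        [tuple(r[c] for c in cols) for r in records],
    )
    conn.commit()
    return conn


def messages_for(conn: sqlite3.Connection, table: str, name_id: str) -> list[tuple]:
    """Pull one user's rows by Name.ID, ordered by the server's own log timestamp."""
    cur = conn.execute(
        f'SELECT "UID", "Server Log Date", "Body" FROM "{table}" '
        'WHERE "Name.ID" = ? ORDER BY "Server Log Date"',
        (name_id,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    rows = parse_bes_log(SAMPLE_SMS_LOG)
    db = load_into_sqlite(rows, "sms")
    for uid, logged, body in messages_for(db, "sms", "jdoe.1"):
        print(uid, logged, repr(body))
```

The same functions work unchanged on the PINLog and PhoneCallLog files, since the table columns are taken from whatever header row the file carries.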

Depending on the configuration of the blackberry server at the date in question, or on the changes you make to a server now in preparation (if you are internal), a large amount of responsive data that the user may not believe exists will be available to you. Don't expect your blackberry admin to be aware that this data exists, but make sure to ask for a copy of the log directory regardless.

Thursday, 12 March 2009

Kumis Kucing, a Remedy from Kidney Disease to Syphilis


KUMIS KUCING: Effective for kidney disease

This medicinal plant is already well known for its many benefits. It is a soft-stemmed plant that grows upright. It goes by various names, including kidney tea plant or java tea (English), giri-giri marah (Sumatra), remujung (West and East Java) and songot koneng (Madura).

Although it has now spread across Asia and Australia, the plant, whose Latin name is Orthosiphon Stamineus, originally came from tropical Africa. People know it as a remedy for kidney stones, gout, coughs, rheumatism, colds, constipation, kidney inflammation, diabetes, albuminuria, and even syphilis.

These properties come from its leaves, which contain a fairly high level of potassium (boorsma). It also contains the glycoside orthosiphonin, which helps dissolve uric acid, phosphate and oxalate from the body, especially from the bladder, gall bladder and kidneys.

As the pharmaceutical world has developed, kumis kucing has also been used as a base ingredient for modern medicines. The plant began to be grown widely after strong demand from the domestic pharmaceutical and jamu (herbal medicine) industries. As a result, it is now not too hard to find kumis kucing in drug stores, pharmacies, or as a supplement ingredient.

This medicinal plant tastes sweet but slightly bitter. One simple recipe for treating kidney infection and hypertension: wash 30 grams of fresh kumis kucing herb, daun sendok herb and rumput lidah ular. Boil them all in three glasses of water until only one glass remains. After it cools, strain the liquid and drink half a glass twice a day.

For those suffering from a urinary tract infection or frequent urination (small volume and painful, anyang-anyangan), treatment can be tried with a preparation of fresh kumis kucing leaves, meniran, and alang-alang root, 30 grams each, washed clean. The ingredients are then cut up as needed and boiled in three glasses of water until only half remains. After cooling, the liquid is drunk half a glass at a time, three times a day.

To treat urinary stones, wash 90 grams of kumis kucing herb and boil it in one liter of water until it boils down to 750 cc. After cooling, drink it three times a day, one third each time. Keep drinking this preparation until the illness subsides, while continuing to consult a doctor to monitor your health. /various sources/itz
http://republika.co.id/berita/37105/Kumis_Kucing_Obat_Ginjal_Hingga_Sifilis

SehatHerbal.Com supplies Kumis Kucing extract, price Rp 75,000 per 50 capsules. More info: 081310343598 or sehatherbal@gmail.com

Wednesday, 11 March 2009

When is a powerpoint file not a powerpoint file?

Dear Reader,

    Today we will not discuss OWA again. Rather, we will discuss a peculiar case of a temporary file that led into a journey of discovery into Microsoft internals.

I was working a case Lockheed Martin v L-3, et al (6:05-cv-1580-Orl-31KRS), which has since settled, which involved amongst other things several files that were contained on a CDROM and accessed on a laptop. On this CDROM were lots of files and one of the issues in the case revolved around which if any of those files had been accessed on the laptop showing which information may have been exposed and/or transferred to the rest of the company.

So like a good computer forensic investigator I reviewed all of the recently used registry entries, the lnk files and the user assist records regarding any of the files known to have come from that CD. One of the files in particular had an extension of 'shs'. 'shs' files are scrap files made when a user is copying and pasting items such as powerpoint slides; in this case it was a powerpoint slide. So I found the entries showing that this specific shs file, which when loaded into powerpoint is a single slide, was accessed on three occasions. At times corresponding to these accesses I found a temporary file on the desktop that contained keywords relevant to the case and appeared by content to be a powerpoint document, but no matter what tool I used it would not open. All of my file signature tools regarded the file as 'data' with no specific file type.

The opposing investigator had the system this CD was burned from and thus had one significant advantage over me: he knew that the temporary file was related to the scrap file contained on the CD. Sure enough, when I renamed this temporary file that no tool regarded as anything to an extension of 'shs', it opened up right away in powerpoint, revealing the same slide as contained in the shs file on the CDROM. This left the question: how did this file get created on the desktop?

So I keep reiterating the CDROM for a reason. Normally when temporary files are created for office documents they are created in the same directory as the file you are working with. When you are working on a file in a read-only directory, like a CDROM, it will instead create the temporary file on the desktop. So the mystery of why the file exists is solved! We already knew the scrap file was accessed, and now we have corresponding temporary files on the desktop to show that.

The opposing expert was not deterred so easily. He pointed out that the temporary file sh60.tmp had the number 60 in it, meaning in his opinion that it had in fact been accessed many more times than 2, since 60 is actually hex for 96, so he claimed it was accessed approximately 95 times. That would be a very large number of accesses for a single PowerPoint slide no matter what the contents, so I was skeptical. We did some research to determine what creates the temporary file and found that it was a shared Microsoft library that many, many applications use, including the application of hotfixes and service packs. Each time a temporary file is created by anything that uses this shared library the counter is incremented, which explains the huge jumps between the temporary files left on the desktop and the discrepancy between the counter and the number of accesses the rest of the forensic artifacts showed.

So the moral of the story is: sometimes a temporary file isn't just a temporary file, so be careful out there and always test your assumptions. In this case both I, for assuming the temporary file was just a temporary file, and the opposing expert, for assuming that nothing else would change the counter on the temporary file, learned an important lesson.

Selasa, 10 Maret 2009

Using OWA logs to make your civil case

Hello Readers,

I will not be talking about OWA every time.

In our prior time together we discussed parsing OWA logs to determine who has been accessing someone else's account. For criminal prosecution (unauthorized access) or internal investigations this might be enough, but for investigations involving the civil court system you need to show that the information accessed, and the time it was accessed, corresponds to some claim such as tortious interference.

The same OWA logs we looked at last time will allow you to do this, with some caveats. When you see a single entry to access an item such as:

" /exchange/USA/Attach/read.asp?obj=000000007C6A5AC4439BD948B2EDEC2B4701083907007DC649E6901ED711982E0002B3A2389C000000C0411400007DC649E6901ED711982E0002B3A2389C0000013340B20000&att=ATT-0-C9D9D5C63632DD439C1AF3C6A4B4AF8A-TOD9D1%7E1.PPT"

This is a request to open an email attachment; the obj shown in the query is a unique identifier for the item within the Exchange database. This means that if you replay that URL while logged in as that user (and this is important) you will be able to bring up the exact same message that was viewed at that time, if it has not been deleted. If you attempt to access this object while logged in as any other user it will deny you, even if you log in as the administrator. If you want to make sure the messages exist (meaning not deleted), restore the Exchange server from a backup tape covering the time period the message was viewed and replay the URL against the restored server.

These are the asp pages that can be called by an OWA user, according to about two years' worth of logs from one case I worked:

/exchange/USA/LogonFrm.asp
/exchange/USA/root.asp
/exchange/USA/Navbar/nbInbox.asp
/exchange/USA/inbox/main_fr.asp
/exchange/USA/inbox/peerfldr.asp
/exchange/USA/inbox/title.asp
/exchange/USA/inbox/messages.asp
/exchange/USA/inbox/commands.asp
/exchange/USA/forms/IPM/NOTE/frmRoot.asp
/exchange/USA/forms/IPM/NOTE/read.asp
/exchange/USA/logoff.asp
/exchange/USA/Attach/read.asp
/exchange/USA/logon.asp
/exchange/USA/forms/IPM/NOTE/commands.asp
/exchange/USA/forms/IPM/NOTE/cmpTitle.asp
/exchange/USA/forms/IPM/NOTE/cmpMsg.asp
/exchange/USA/errinbox.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/frmRoot.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/read.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/commands.asp
/exchange/USA/options/set.asp
/exchange/USA/calendar/main_fr.asp
/exchange/USA/calendar/title.asp
/exchange/USA/calendar/events.asp
/exchange/USA/calendar/appts.asp
/exchange/USA/calendar/pick.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/frmRoot.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/commands.asp
/exchange/USA/contacts/main_fr.asp
/exchange/USA/contacts/title.asp
/exchange/USA/contacts/peerfldr.asp
/exchange/USA/contacts/messages.asp
/exchange/USA/contacts/commands.asp
/exchange/USA/finduser/root.asp
/exchange/USA/finduser/fumid.asp
/exchange/USA/finduser/fumsgdef.asp
/exchange/USA/finduser/fumsg.asp
/exchange/USA/finduser/details.asp
/exchange/USA/forms/REPORT/DR/frmRoot.asp
/exchange/USA/tshoot.asp

Of these we care about the following:

This is a user logging in - /exchange/USA/LogonFrm.asp
This is a user requesting to read a specific message - /exchange/USA/forms/IPM/NOTE/read.asp
This is a user opening an attachment - /exchange/USA/Attach/read.asp
This is a user composing a new message - /exchange/USA/forms/IPM/NOTE/cmpMsg.asp
This is a user reading a meeting request - /exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp

If you parsed out just these requests, keyed by the logged-in user, you could see which specific emails, meetings and attachments a webmail user had viewed, created or sent using OWA, and when they did so. Using these times and matching the IP address to the suspect, you can then tie the information accessed to the time it was accessed and to the benefit they received by having that information at that time.
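As an added example (not the parser from the post), here is a Python pass over IIS W3C log lines that keeps only the five pages singled out above and reports who requested what, from which IP, and when; the log lines, field order and account names are constructed, not taken from any case log.

```python
from collections import Counter
from urllib.parse import parse_qs
# The asp pages the post singles out, mapped to a readable action.
ACTIONS = {
    "/exchange/USA/LogonFrm.asp": "login",
    "/exchange/USA/forms/IPM/NOTE/read.asp": "read message",
    "/exchange/USA/Attach/read.asp": "open attachment",
    "/exchange/USA/forms/IPM/NOTE/cmpMsg.asp": "compose message",
    "/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp": "read meeting request",
}

# Constructed IIS W3C sample (not real case data); the "#Fields:" header names the columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2006-03-01 08:12:03 10.1.2.3 bes_admin GET /exchange/USA/LogonFrm.asp - 200
2006-03-01 08:12:09 10.1.2.3 bes_admin GET /exchange/USA/inbox/messages.asp - 200
2006-03-01 08:12:31 10.1.2.3 bes_admin GET /exchange/USA/forms/IPM/NOTE/read.asp obj=0000ABCD 200
2006-03-01 08:13:02 10.1.2.3 bes_admin GET /exchange/USA/Attach/read.asp obj=0000ABCD&att=ATT-0-1-BID.PPT 200
2006-03-01 09:40:15 10.9.9.9 jsmith GET /exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp obj=0000EF01 200
"""

def parse_owa_log(text):
    """Return one dict per interesting request: who, from where, when, what and which obj."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log itself
            continue
        if not line or line.startswith("#"):
            continue                       # other directives or blank lines
        row = dict(zip(fields, line.split()))
        action = ACTIONS.get(row.get("cs-uri-stem"))
        if action is None:
            continue                       # frames, title bars, folder lists: not evidence
        query = row.get("cs-uri-query", "-")
        params = parse_qs(query) if query != "-" else {}   # "-" is IIS for "no query"
        events.append({
            "when": row["date"] + " " + row["time"],
            "ip": row["c-ip"],
            "user": row["cs-username"],
            "action": action,
            "obj": params.get("obj", [None])[0],   # ties the hit to one Exchange item
            "att": params.get("att", [None])[0],   # attachment name for Attach/read.asp
        })
    return events

def activity_by_account(events):
    """Count actions per (user, source IP); a service account reading mail from an outside address stands out here."""
    return Counter((e["user"], e["ip"], e["action"]) for e in events)
```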

As an example, in the case Exel Transportation Services Inc v. Total Transportation Services LLC et al (3:06-cv-00593) I used this to uncover a large industrial espionage case. First I used the program in the prior post to find which accounts were being used to access other email accounts in the system. Then I looked up the IP addresses and found that one of them was registered directly on ARIN to one of the ex-executives of Exel. We then broke out just the accesses made by those accounts (I mean, really, why else would the BlackBerry server administrative account or the voicemail server be logging into a website? Something we had to explain to counsel) into a database divided by type of item accessed (email, attachment, calendar).

The next part was more difficult: we had to replicate their Exchange network, AD controller, etc. to restore their Exchange server backups and replay those months to find out what our suspects were viewing. This included almost every decision maker within Exel and, according to the filings I read, about $120 million in lost business, as they were able to read the contracts sent to customers during a bidding process and always beat them. We fed the URLs into a GUI automation tool that would interact with the web browser and save the emails and attachments into MHT (full website archive) files for the lawyers' review. I couldn't, within the time frame, get a pure Perl program to work the way I needed it to.

For more information read this news article:

http://www.bizjournals.com/memphis/stories/2006/08/21/daily30.html

The case was settled out of court with a public apology written by TTS. The final stone, in my understanding, that led to settlement was when we matched the TTS OWA logs to the Exel OWA logs and showed the suspects logged into the TTS server with their real user names, from the same IP and at the same date/time, as they were logged into the Exel OWA server with their administrative accounts.

I hope this was useful, I can post parsers I wrote if you think it would help you in the future.

The Fun Continues

2009 Soiled Sport Trail Series

Start Times: 8:00 am sharp
(or maybe 8:02 because Cathy Q is late again)

OUS race start times, you need to confirm for each race @ http://www.ouser.org/

May 16th
Meadowlilly Trails


May 23rd
Komoka Trails
or
Ontario Ultra Series Race #4
Sulphur Springs 10K, 25K, 50K, 50M, 100M

May 30th
Medway Trails

June 6th
Fanshawe Trails
or
OUS Series Race #5
Kingston 6-hour endurance race

June 13th
Westminster Ponds
or
There is a new trail race, http://www.trailsdaywoodstock.ca/
1 Mile, 5K, 1/2 marathon
*Trail points ONLY if you wear Vulture Bait or Soiled Sport running shirts during the event

June 20th
Kains Woods
or
OUS Race #6
Niagara Ultra 1/2 marathon, marathon & 50k

June 27th
Medway Trail

July 4th
Meadowlilly Trail
or
OUS Race #7
Creemore Vertical Challenge (please note the word Vertical... this means hills, long never-ending hills)

July 11th
Gibbons Park Trail

July 18th
Killaly Trail

July 25th
Komoka Trail

August 1st
Fanshawe Trail

Senin, 09 Maret 2009

Margarine and Phytosterolemia

Margarine is one of my favorite foods. To rip on. It's just so easy!

The body has a number of ways of keeping bad things out while taking good things in. One of the things it likes to keep out are plant sterols and stanols (phytosterols), cholesterol-like molecules found in plants. The human body even has two enzymes dedicated to pumping phytosterols back into the gut as they try to diffuse across the intestinal lining: the sterolins. These enzymes actively block phytosterols from passing into the body, but allow cholesterol to enter. Still, a little bit gets through, proportional to the amount in the diet.

As a matter of fact, the body tries to keep most things out except for the essential nutrients and a few other useful molecules. Phytosterols, plant "antioxidants" like polyphenols, and just about anything else that isn't body building material gets actively excluded from circulation or rapidly broken down by the liver. And almost none of it gets past the blood-brain barrier, which protects one of our most delicate organs. It's not surprising once you understand that many of these substances are bioactive: they have drug-like effects that interfere with enzyme activity and signaling pathways. For example, the soy isoflavone genistein abnormally activates estrogen receptors. Your body does not like to hand over the steering wheel to plant chemicals, so it actively defends itself.

A number of trials have shown that large amounts of phytosterols in the diet lower total cholesterol and LDL. This has led to the (still untested) hypothesis that phytosterols lower heart attack risk. The main problem with this hypothesis is that although statin drugs do lower LDL and heart attack risk, not all interventions that lower LDL lower risk. LDL plays an important role in heart attack risk, but it's not the only factor. Statins have a number of biological effects besides lowering LDL, and some of these probably play a role in their ability to protect against heart attacks.

Lowering total cholesterol and LDL through diet and drugs other than statins does not reliably reduce mortality in controlled trials. Decades of controlled diet trials showed overall that replacing saturated fat with polyunsaturated vegetable oil lowers cholesterol, lowers LDL, but doesn't reliably reduce the risk of cardiovascular disease. Soy contains a lot of phytosterols, which is one of the reasons it's heavily promoted as a health food.

All right, let's put on our entrepreneur hats. We know phytosterols lower cholesterol. We know soy is being promoted as a healthier alternative to meat. We know butter is considered a source of artery-clogging saturated fat. I have an idea. Let's make a margarine that contains a massive dose of phytosterols and market it as heart-healthy. We'll call it Benecol, and we'll have doctors recommend it to cardiac patients.

Here are the ingredients:

Liquid Canola Oil, Water, Partially Hydrogenated Soybean Oil, Plant Stanol Esters, Salt, Emulsifiers, (Vegetable Mono- and Diglycerides, Soy Lecithin), Hydrogenated Soybean Oil, Potassium Sorbate, Citric Acid and Calcium Disodium EDTA to Preserve Freshness, Artificial Flavor, DL-alpha-Tocopheryl Acetate, Vitamin A Palmitate, Colored with Beta Carotene.
Nice.

And I haven't even gotten to the best part yet. There's a little disorder called phytosterolemia that may be relevant here. These patients have a mutation in one of their sterolin genes that allows phytosterols (including stanols) to pass into their circulation more easily. They end up with 10-25 times more phytosterols in their circulation than a normal individual. What kind of health benefits do these people see? Premature atherosclerosis, an early death from heart attacks, abnormal accumulation of sterols and stanols in the tendons, and liver damage.

Despite the snappy-looking tub, margarine is just another industrial food-like substance that I am highly suspicious of. In the U.S., manufacturers can put the statement "no trans fat" on a product's label, and "0 g trans fat" on the nutrition label, if it contains less than 0.5 grams of trans fat per serving. A serving of Benecol is 14 grams. That means it could be up to 3.5 percent trans fat and still be labeled "no trans fat". This stuff is being recommended to cardiac patients.

When deciding whether or not a food is healthy, the precautionary principle is in order. Margarine is a food that has not withstood the test of time. Show me a single healthy culture on this planet that eats margarine regularly. Cow juice may not be as flashy as the latest designer food, but it has sustained healthy cultures for generations. The U.S. used to belong to those ranks, when coronary heart disease was rare.