CIS 484 Exam


Orphan Files

"Orphan" Files in NTFS
• Files whose parent directory's MFT record has been overwritten
• May come across these when recovering deleted files using the MFT
• Most tools identify these automatically (FTK Imager, WinHex, etc.)
How does this happen?
1. Directory with files is deleted
2. MFT record of parent directory is reused by a new file, but the MFT records of its children remain intact
• Child MFT record will be referencing a parent directory that doesn't exist

Image Validation

1. Calculate hash of the original evidence
2. Acquire the evidence disk
3. Calculate hash of the image file
4. Compare the two hashes
• Are they identical?
• Some tools make this process easier for the examiner by combining some of the steps
Critical aspect of overall process
• Is the image file identical to the original disk?
• Determined through hashing
• FTK Imager has built-in functionality for verification (most/all forensic imaging tools do)

Steps to finding sender

1. Determine service of sending email (Gmail, Yahoo!, Hotmail, etc.)
2. Obtain information from email header or service provider about the sending email address
3. Figure out what ISP owns the sending IP address
4. Use the IP address from Step 2 (and the email header) to obtain information from the Internet Service Provider
• What is the subscriber name associated with this IP address at the date and time the email was sent?

Cloud Forensics

Basic Concepts
Cloud forensics is considered a subset of network forensics
• Cloud forensics can have three dimensions:
• Organizational - addresses the structure of the cloud
• Legal - covers service agreements and other jurisdictional matters
• Technical - deals with procedures and specialized applications designed to perform forensics recovery and analysis in the cloud
Basic Concepts
Forensic tool capabilities needed to handle acquiring data from a cloud:
• Forensic data collection - must be able to identify, label, record, and acquire data from the cloud
• Elastic, static, and live forensics - must be able to expand and contract their storage capabilities
• Evidence segregation - different businesses and users share the same applications and storage space
• Investigations in virtualized environments - should have the capability to examine virtual systems
Legal Challenges
When investigating a cloud system, consider factors involving a CSP's relationship with cloud users
• This section explains:
• A CSP's contract obligations with cloud users
• How warrants and subpoenas are applied to CSPs and users
Challenges in conducting cloud forensics
• Architecture
• Data collection
• Analysis of cloud forensic data
• Anti-forensics
• Incident first responders
• Role management
• Legal issues
• Standards and training
Tools
Few tools designed for cloud forensics were available
• Many digital, network, and e-discovery tools can be combined to collect and analyze cloud data
• Some vendors with integrated tools:
• Guidance Software EnCase eDiscovery
• AccessData Digital Forensics Incident Response
• F-Response
The cloud has three service levels:
• Software as a service (SaaS) - applications are delivered via the Internet
• Platform as a service (PaaS) - an OS has been installed on a cloud server
• Infrastructure as a service (IaaS) - customers can rent hardware and install whatever OSs and applications they need
Deployment methods for a cloud:
• Public - accessible to anyone
• Private - can be accessed only by people who have the necessary credentials
• Community - a way to bring people together for a specific purpose
• Hybrid - enables a company to keep some information private and designate other files as public or community information

Live Imaging

Capturing an image while booted into the target computer's operating system
If you won't be able to decrypt the image, one option is live imaging the C:\ logical volume

Directory Structure

Check screenshots
Note: Reparse Points
• Reparse points are pointers to other locations
• Many implemented for backwards compatibility
• \Documents and Settings → \Users
• Same idea as a symbolic link in *nix

Client/Server Architecture

Client/server architecture
• Server OS and e-mail software differs from those on the client side

Clusters

Clusters
• Cluster: storage units used by Microsoft file systems (where files are stored)
• Data needs to be stored in an addressable space for the file system
• Sectors not used for addressing within file systems
• Consist of one or more sectors (often 8)
• Reside only within a partition
• Cluster number is referred to as the logical address
• When a file is saved, it is saved to one or more clusters within the file system
• Clusters can only be allocated to one file at a time
• You can't save two files to the same cluster*

Proprietary Image Formats

Digital container file for forensic image
Advantages
• Ability to enable compression
• Can integrate metadata into the image file: examiner name, case number, etc.
• Usually faster to verify - can make overall imaging process faster
Disadvantages
• Potential inability to share an image between different tools - not really an issue with E01 though
AD1: specific to AccessData products
• FTK Imager & FTK (Forensic Toolkit)
• Container file for specific folders and files
• Allows file system metadata to remain intact
• Great for targeted collections, but does not transport well between tools

Public Sector Investigations

Digital investigations fall into two categories:
• Public-sector investigations
• Private-sector investigations
Public-sector investigations involve government agencies responsible for criminal investigations and prosecution
When conducting public-sector investigations, you must understand laws on computer-related crimes including:
• Standard legal processes
• Guidelines on search and seizure
• How to build a criminal case
Public-sector and private-sector investigations differ; public-sector typically require search warrants before seizing digital evidence

Directory Entry

Directory entry: contains the file name, size, starting address of the file content, and other metadata of each file and directory
Each file and directory (folder) is allocated a directory entry
File name has to comply with 8.3 naming convention to fit in standard directory entry
• 8.3 = 8 character name + 3 character extension

Types of Email Fraud

E-mail fraudsters use phishing, pharming, and spoofing scam techniques

MFT record attributes

Each record contains MFT record attributes, which describe details about the file or directory:
• $STANDARD_INFORMATION
• $FILE_NAME
• $DATA
MFT record attributes do not have a set location, so you need to walk through the record to find each attribute
$MFT Attributes
• Each attribute has a defined structure:
• Begins with an attribute header:
• Attribute type identifier: bytes 0-3
• Size of the attribute: bytes 4-7
• "Resident" flag: byte 8
• Use the size of the attribute to find the next attribute in the record
• Remember Little Endian!
Attribute Resident Flag
• Tells whether the entire attribute is stored within the MFT record (as opposed to outside the MFT)
• 0x00 = resident; entire attribute is stored within the $MFT record
• 0x01 = non-resident; entire attribute could not be stored within the $MFT record and is stored in clusters outside $MFT
• Non-resident most commonly associated with $DATA attribute

FAT File system

FAT File Systems
• A FAT file system contains:
• Boot sector (aka volume boot record)
• Primary and backup file allocation table
• Root directory - the root of the file system
• Data area - storage location for all files and directories
FAT File System Versions
• FAT12, FAT16, FAT32
• The main difference between these is the size of the entries in the FAT
• FAT = file allocation table
• exFAT - offers significant upgrades to FAT but not widely used yet
FAT File Systems
• Two important data structures:
• File allocation table: identifies the next cluster in a file
• Directory entry: contains the file name, size, starting address of the file content, and other metadata of each file and directory
FAT File Systems
• Each file and directory (folder) is allocated a directory entry
• File content is stored in clusters
• If a file is allocated more than one cluster, the clusters associated with the file are found using the file allocation table
Saving a File in FAT File Systems
1. Locate the FATs, data area, and root directory using the VBR
2. Find the directory entry associated with the folder where you will be saving the file and locate the clusters associated with this directory
3. Create a directory entry for the file you're saving in a cluster allocated to the parent directory and write the file name, size, etc. to the entry
4. Search the file allocation table for free clusters where the file can be saved and populate the available entries appropriately (next cluster number of file or end of file value)
5. Write the starting cluster number (obtained from the FAT) to the file's directory entry you created in Step 3
File Deletion in FAT File Systems
• Directory entry is marked as unused
• First byte changed to 0xE5
• FAT entries for clusters allocated to the file are set to 0
Recovering Deleted Files in FAT File Systems
• Can use directory entry of deleted file to identify the starting cluster and size of the deleted file
• Since FAT entries are zeroed when a file is deleted, we have no cluster information past the starting cluster
• Can read only unallocated clusters after the starting cluster, using the file size as a stopping point

File Carving

File Carving
• When the MFT record of a deleted file has been overwritten, or the file system doesn't allow for deleted file recovery through means similar to the approach we just discussed, a method called "file carving" should be employed
Options for Recovery
1. Read free/unallocated MFT records
• Attempt to read $DATA attribute from MFT record - data runs
2. File carving
• Use a known file signature or format to recover a file from unallocated clusters
File Carving
Most file types have a defined signature, allowing us to search for this signature in unallocated space
Header: static set of bytes/values at the beginning of a file
Most file types have a defined header
Footer: static set of bytes/values at the end of a file
Not all file types have a defined footer
File Carving
File carving is the process of scanning sectors/clusters, searching for headers/footers associated with file types of interest
If a signature is located, save the chunk of data containing the signature to a separate file
1. Specify byte values (i.e. signature) of header/footer for file type of interest.
2. Scan each sector or cluster of the drive searching for the header byte values.
• When header is found: if a footer was specified, scan down until the byte values are equal to the footer. Then extract the data ranging from the header to footer.
• If no footer is specified, extract default number of bytes after header (e.g. 4 KB, 1 MB, etc.)
Free File Carving Tools
• Foremost: very flexible, designed for forensics (great auditing)
• PhotoRec: flexible, designed for data recovery and forensics
• This is built into Autopsy!
• WinHex: not as flexible as Foremost, but still offers many options
• Many commercial tools
Disadvantages of File Carving
Carving only extracts the content of the file (i.e. the $DATA attribute)
Timestamps, file name, etc. from the MFT record are lost because of this
Carving relies on linear extraction methods (usually) - cannot deal with deleted files that are fragmented around one another

File Systems

File System Responsibilities
• What must a file system do?
1. Keep track of files
  • Track files/folders - name, location on disk, etc.
2. Track cluster allocation status - what areas are available for storing files?
  • This must be updated as files are saved and deleted
Data needs to be stored in an addressable space for the file system
Sectors not used for addressing within file systems
When a file is saved, it is saved to one or more clusters within the file system
FAT File Systems
• A FAT file system contains:
• Boot sector (aka volume boot record)
• Primary and backup file allocation table
• Root directory - the root of the file system
• Data area - storage location for all files and directories
Two important data structures:
• File allocation table: identifies the next cluster in a file
• Directory entry: contains the file name, size, starting address of the file content, and other metadata of each file and directory
Each file and directory (folder) is allocated a directory entry
• File content is stored in clusters
• If a file is allocated more than one cluster, the clusters associated with the file are found using the file allocation table
VBR gives layout of the file system
• Details about the file system
• Sectors per cluster, size of file system, etc.
• Location of critical file system data structures
FAT File System Versions
• FAT12, FAT16, FAT32
• The main difference between these is the size of the entries in the FAT
• FAT = file allocation table
• exFAT - offers significant upgrades to FAT but not widely used yet
• FAT12: 12-bit entries
• FAT16: 16-bit entries
• FAT32: 32-bit entries
Saving a File in FAT File Systems
1. Locate the FATs, data area, and root directory using the VBR
2. Find the directory entry associated with the folder where you will be saving the file and locate the clusters associated with this directory
3. Create a directory entry for the file you're saving in a cluster allocated to the parent directory and write the file name, size, etc. to the entry
4. Search the file allocation table for free clusters where the file can be saved and populate the available entries appropriately (next cluster number of file or end of file value)
5. Write the starting cluster number (obtained from the FAT) to the file's directory entry you created in Step 3
File Deletion in FAT File Systems
• Directory entry is marked as unused
• First byte changed to 0xE5
• FAT entries for clusters allocated to the file are set to 0
Recovering Deleted Files in FAT File Systems
• Can use directory entry of deleted file to identify the starting cluster and size of the deleted file
• Since FAT entries are zeroed when a file is deleted, we have no cluster information past the starting cluster
• Can read only unallocated clusters after the starting cluster, using the file size as a stopping point

File Allocation table

File allocation table: identifies the next cluster in a file
If a file is allocated more than one cluster, the clusters associated with the file are found using the file allocation table

Footers

Footer: static set of bytes/values at the end of a file
Not all file types have a defined footer
If no footer is specified, extract default number of bytes after header (e.g. 4 KB, 1 MB, etc.)

GPT

GUID Partition Table (GPT)
• Used in Extensible Firmware Interface, 64-bit systems, and larger drives
Partitioning system used by EFI and larger drives
• Starts in sector 1 of disk
• Sector 0 contains protective MBR
• Each partition table entry is 128 bytes
• Allows for much larger partitions
• How?
• Backup copy stored at disk end

Headers

Header: static set of bytes/values at the beginning of a file
Most file types have a defined header
When header is found: if a footer was specified, scan down until the byte values are equal to the footer. Then extract the data ranging from the header to footer.

Big vs Little Endian

Little Endian v. Big Endian
• Refers to the order in which values are stored on a disk
• Critical in properly interpreting data
• Little Endian: least significant byte first (little end first, read right to left)
• Intel-based machines (Windows, Mac OS X, Linux, etc.)
• Big Endian: most significant byte first (big end first, read left to right)
• PowerPC machines (older Mac OS, FreeBSD, etc.)
Big endian: read left to right
• Little endian: read right to left

DD/Raw images

Makes it possible to write bit-stream data to files
Advantages
• Most computer forensics tools and many non-forensic tools can read raw format
Disadvantages
• Requires as much storage as original disk or data
• Verification pass can be slower

NTFS

New Technology File System
• NTFS = New Technology File System
• Originated with Windows NT 3.51 (1993) - NTFS version 1.2
• NTFS updated & used in each version of Windows → now version 3.1 (since XP)
• Used prolifically throughout the industry
Tracks name, location, and other metadata about files and directories using the master file table
Tracks cluster allocation status using a system file ($BITMAP)
Several other system files performing specific functions
Everything is a file in NTFS - contrast to FAT
NTFS Volume Boot Record
• Stored in $Boot file
• $MFT record number 7
• Only system file that has a static location → stored in first sector of the file system
• Provides layout of file system
• Sectors per cluster, number of sectors in file system, volume serial number, starting cluster of the $MFT
• Backup copy of $Boot stored in the last sector of the volume
NTFS Volume Name
• The name given when the file system is formatted (or after)
• Stored in $Volume file
• Stored as attribute $VOLUME_NAME
• This attribute should only be associated with this file
NTFS $Bitmap
• Tracks cluster allocation status
• One bit for every cluster in the file system
• If bit is 0, cluster is unallocated
• If bit is 1, cluster is allocated
• This file is updated as files and directories are created and deleted
• View $Bitmap in WinHex
NTFS Master File Table
• Stored in $MFT file
• $MFT is the heart of NTFS
• Every file/folder has a record in the MFT
• Starts with signature "FILE"
• Contains one record per file or folder on the volume
• Each record is typically 1024 bytes in size
• Stores attributes about the file/folder
• File name, parent directory, pointers to file data, file times, etc.
NTFS Alternate Data Streams
• Alternate data stream = ADS
• Sometimes referred to as "a file within a file"
• Additional $DATA attribute associated with a file
• Additional $DATA attributes should be named
• Forensic tools will pick these up
NTFS $USNJrnl
• NTFS change journal - used for file system resiliency
• Stored in $Extend\$USNJrnl:$J ADS
• Records when changes are made to files and directories
• Creations, deletions, renames, and more
• Amount of available history can vary
NTFS $LogFile
• Stored in root of volume as \$LogFile
• Tracks changes to MFT metadata (e.g. timestamps)
NTFS Journal Forensics
• $LogFile + $USNJrnl:$J + $MFT
• Useful in determining very granular events
• Malware events, etc.
• Identify when a file was deleted
• Identify when files were wiped
NTFS File Deletion
• File name is removed from parent directory index
• File's MFT record marked as available (bytes 22-23 of record)
• Clusters for non-resident data attributes marked as free (via $BITMAP file)
NTFS File Deletion
• As long as clusters allocated to the file have not been overwritten and the MFT record is still available, a deleted file can be fully recovered WITH its metadata
• MFT record NOT wiped
• All MFT record data remains intact; allocation status is simply changed
• This means data runs are kept intact
• As opposed to FAT, where the FAT table entries are cleared

Disk Partitions

Partition: a section of addressable sectors; logical drive (C:\, etc.)

Private Sector Investigations

Private-sector investigations focus more on policy violations
Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes
• Example: wrongful termination
Private-sector crimes can involve:
• E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
Businesses can reduce the risk of litigation by publishing and maintaining policies that employees find easy to read and follow
• Most important policies define rules for using the company's computers and networks
• Known as an "Acceptable use policy"
• Line of authority - states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
Business can avoid litigation by displaying a warning banner on computer screens
• Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
During private investigations, you search for evidence to support allegations of violations of a company's rules or an attack on its assets
• Three types of situations are common:
• Abuse or misuse of computing assets
• E-mail abuse
• Internet abuse
• A private-sector investigator's job is to minimize risk to the company

Registry hives

Registry hives may have unused/unallocated space within the hive file itself
The five keys in regedit are actually individual registry hives or pointers to subkeys within hives
Layout of the Registry: Hives
• Registry is actually made up of multiple files called "hives" - each hive contains specific information about the system
• SOFTWARE
• SYSTEM
• SAM
• SECURITY
• NTUSER.DAT
• UsrClass.DAT
Layout of the Registry
• Where are the hives stored?
• SOFTWARE, SYSTEM, SAM, SECURITY
• \Windows\system32\config\
• NTUSER.DAT
• XP: \Documents and Settings\\
• Vista+: \Users\\
• UsrClass.DAT
• XP: \Documents and Settings\\Local Settings\Application Data\Microsoft\Windows
• Vista+: \Users\\AppData\Local\Microsoft\Windows

Scheduled Tasks

Scheduled Tasks
Instructs the system to perform specific functions at a set interval
Examples: limited disk defrag once a week, back up registry hives every 10 days, etc.
Useful for system admins as well as malware authors
Start malware at the same time every week/day, etc.
Can help explain system activity at unusual or unexpected times
Scheduled Tasks
Must have admin rights to set up a scheduled task
When a scheduled task runs, it executes with SYSTEM level privileges
Many programs use this as a way to stay updated - iTunes, Google Chrome
Microsoft-Windows-TaskScheduler\Operational event log records tasks that have started and completed
Scheduled Tasks:
• Run with SYSTEM privileges
• Can be used to help explain unusual activity
• Popular with malware - persistence mechanism
• Stored in XML format

Jump Lists

Similar to LNK files in functionality, but different for forensic examiners
• Introduced in Windows 7
Jump Lists
While lnk files still exist in Windows 7+, jump lists have been added to provide quick access to recent files
Tracked based on the application used to open the file
The jump list for each application is kept in a separate file
Jump lists rely on LNK structure for storing data, so it's important to be familiar with LNK files
Automatic Jump Lists
Contains streams (embedded items) related to each accessed file
Each stream is stored using the same format as LNK files
• So each stream has the potential to store the same data that you would find in an LNK file
Items are tracked either by most recently used (MRU) or most frequently used (MFU) (depending on the application)
Types of Jump Lists
• Automatic: created by the operating system when the user performs certain actions (such as opening a file)
• Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Custom: created and maintained by the application
• Users\\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Jump Lists AppID
The jump list associated with an application is saved according to the application's "AppID"
9839aec31243a928.automaticDestinations-ms = Microsoft Excel 2010 x86
• 9839aec31243a928 is the AppID associated with Excel 2010 x86
App ID is based on the name of the process or set by the application
Automatic Jump Lists: DestList
In addition to the LNK streams within automatic jump list files, a stream called "DestList" tracks info about each LNK stream
The DestList is a MRU/MFU list of files that includes a timestamp corresponding to the last time the referenced file was accessed
A good deal of information can be found by combining a DestList entry with its associated LNK stream
• Last time file was accessed + all info from LNK stream (target file information)
Jump List Analysis Technique
1. Extract jump lists
2. Use JLECmd to parse a single jump list or a directory of jump lists
• Example command syntax: JLECmd.exe -d "E:\extractedJumpLists" -q --csv "E:\output"
3. Note the AppID description (column F), LastModified (column L), Path (column O), Target Created/Modified/Accessed (columns U-W)
• LastModified in column L is the last time the file was opened/accessed (pulled from DestList)

SRUM Forensics

System Resource Usage Monitor (SRUM)
• Tracks process and network statistics over time
• Recorded in one-hour intervals
• Introduced in Windows 8
• Can be used to connect user, process, and network activity
• Enabled by default
SRUM - What's Available
• Full process path
• Process owner (user account)
• Bytes read/written
• Process network usage (data uploaded/downloaded)
• Network connectivity (time and duration of connection)
SRUM Data Location
• Windows\System32\sru\SRUDB.DAT - ESE Database
• SOFTWARE hive also holds some data
Leveraging SRUM
• Correlating bytes transferred with a specific process
• Better idea of process run time
• More detail on process execution history
• Correlate process execution to a user

Windows Registry

The Windows registry holds a wealth of information for forensic examiners
What is the Windows Registry?
• "A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information"
• In other words...
• It's the way Windows keeps track of things in an attempt to make the user's experience as enjoyable as possible, while still maintaining an efficient means of storing system and application settings.
Windows Registry
• Examples of registry information
• Recently accessed files from specific applications
• Installed programs
• USB devices connected to the system
• Recently executed programs
• Application settings

Partition Tables

Types of Partition Tables
Disk Operating System (DOS)
• Partitions defined in MBR
• Partition size limited to 2 TB
GUID Partition Table (GPT)
• Used in Extensible Firmware Interface, 64-bit systems, and larger drives
MBR Partition Table
• Used to describe the layout of partitions on the disk
• Each entry 16 bytes in length
• Max of 4 entries for primary partition table
• If more partitions are needed, use of extended partition tables required
• Each entry contains partition type, starting sector, ending sector, and more:
Partition Table Entries
GUID Partition Table (GPT)
• Partitioning system used by EFI and larger drives
• Starts in sector 1 of disk
• Sector 0 contains protective MBR
• Each partition table entry is 128 bytes
• Allows for much larger partitions
• How?
• Backup copy stored at disk end
Partition table describes type, size, and location of each partition

Mobile Device Forensics

Understanding Mobile Device Forensics (1 of 3)
People store a wealth of information on cell phones
• People don't think about securing their phones
• Items stored on cell phones:
• Incoming, outgoing, and missed calls
• Multimedia Message Service (MMS; text messages) and Short Message Service (SMS) messages
• E-mail accounts
• Instant-messaging (IM) logs
• Web pages
• Pictures, video, and music files
• Items stored on cell phones: (cont'd)
• Calendars and address books
• Social media account information
• GPS data
• Voice recordings and voicemail
• Bank account logins
• Access to your home
• A search warrant is needed to examine mobile devices because they can contain so much information
• Investigating cell phones and mobile devices is a challenging task in digital forensics
• No single standard exists for how and where phones store messages
• New phones come out about every six months and they are rarely compatible with previous models
Mobile device forensics is becoming more important as these devices grow in popularity
Biggest challenge is dealing with constantly changing phone models

VBR vs MBR

VBR v. MBR
• MBR gives layout of the disk
• Details about partitions: type, size, etc.
• VBR gives layout of the file system
• Details about the file system
• Sectors per cluster, size of file system, etc.
• Location of critical file system data structures
• The starting address of a partition noted in the MBR is the address of the partition's VBR

Email Headers

View Email Headers
Investigators should learn how to find e-mail headers
• GUI clients
• Web-based clients
• After you open e-mail headers, copy and paste them into a text document
• So that you can read them with a text editor
• Become familiar with as many e-mail programs as possible
• Often more than one e-mail program is installed
Examining Headers
Headers contain useful information
• The main piece of information you're looking for is the originating e-mail's IP address
• Date and time the message was sent
• Filenames of any attachments
• Unique message number (if supplied)
Header Analysis
• Every email server that forwards/sends an email in its route to the destination adds a "Received" line to the top of the email header
• This means you will often see multiple "Received" lines
• Received lines can be read from the bottom up to determine the path of the email from the originating location to its destination
Many email headers will contain multiple fields beginning with "X-"
• These are custom header fields and are added by the program that created the message
• May include "X-Originating-IP"
• Once you have the originating IP address, you can look it up using one of many public resources:
• Example: http://whois.domaintools.com/
• This can be used to identify the country of origin and more

Volume Shadow Copies

Volume Shadow Copies
• According to Microsoft, a shadow copy is "a read-only point-in-time replica of an original volume's contents."
• Implemented in Windows Vista and above
• Technically in Windows Server 2003 as well
• Allows user to restore previous versions of user files (in addition to system files)
Volume Shadow Copies
• Similar to system restore points in Windows XP, except that all files in the volume are "watched" by the volume shadow service (VSS) instead of only specific files/file types.
• This results in the ability to restore an entire volume as it existed at a specific point in time.
• Stored in System Volume Information folder, named by GUIDs
When are VSCs Created?
• On set intervals
• When new software or hardware is installed
• When a user manually creates one using the Windows built-in feature
• Registry keys exist to dictate settings of VSS
• VSS = volume shadow service
How Do VSCs Work?
• "Copy on write" technique
• Volume Shadow Service (VSS) intercepts write calls from NTFS to copy affected area of file into volume shadow copy file
• VSS then allows NTFS to proceed with the write
• Uses index blocks and data blocks within each VSC to allow restoration features to work
• VSS needs to know original location of each block within the volume...
Volume Shadow Copies
• Big picture: VSCs give forensic examiners access to previous versions of all files on a volume (as long as they're being watched by VSS)
• This includes files that may have been wiped/overwritten!
• Examining VSCs can yield significant findings that would otherwise be unavailable

Cache

Web Browsing Cache
• Stores files downloaded from visited websites
• Temporary Internet Files
• Can contain images, videos, scripts, etc.
• Includes an index that stores the URL from which each file was downloaded - and when
• Can allow you to recreate a webpage as the user viewed it

Cookies

Web Browsing Cookies
Small text files stored alongside the browsing history files/database
Used to allow the web browser to have a customized experience on a website
Different types of cookies, but can generally be used to identify:
• Domains visited/accessed by the system
• Number of times domain was loaded
• Last time domain was visited
Google Analytics Cookies
• Used by Google Analytics for advanced tracking and statistics
• Can contain additional info not available in traditional cookies
• Keywords
• Referrer
• First and second most recent visit
• Also contain number of visits

Web Browsing History

Web Browsing History
• Extremely useful in assessing user activity
• Can be used to determine:
• Visited websites
• Search engine queries (e.g., Google)
• Access to local system files (file:// URLs)
• Location of artifacts varies based on OS and browser
Web Browsing History Types
• History
• Cookies
• Cache
Web Browsing History Details
• Visits to websites: URL visited, date/time visited, number of times visited
• Separated by user account
• May also record information about access to local files; use this to correlate with LNK files and jump lists
• Not plain text; needs to be parsed, and timestamps use browser-specific epochs (Chrome: microseconds since 1601-01-01 UTC; Firefox: microseconds since 1970-01-01 UTC)
Web Browsing History Storage
• Manner of storage varies by browser
• SQLite databases: Chrome (History) and Firefox (places.sqlite); Chromium-based Edge follows the Chrome layout
• ESE databases: legacy Edge and Internet Explorer 10+ (WebCacheV01.dat)
• index.dat files: Internet Explorer 9 and earlier
• Stored in the user account directory, usually under AppData (Local for Chrome/Edge, Roaming for Firefox)
• Copy the database out of the image together with its -wal/-journal files before querying; the browser holds locks on a live system, and recent visits may only exist in the write-ahead log
Tools for Parsing Web History
• Autopsy - supports Firefox, Chrome, and Internet Explorer
• Bookmarks
• Cookies
• History
• Downloads
• Search queries

Web Searches

Web Searches
• Great for identifying what kind of data the user was looking for
• May be stored in a separate section of the browser history database (Chrome's keyword_search_terms table, for instance)
• If your parsing tool understands this, searches will be pulled out automatically
• Otherwise you may need to manually parse search queries from URL strings
Parsing Web Searches
• "q=" is a common query parameter for identifying web searches (Google, Bing, DuckDuckGo), but it is not universal: Yahoo uses "p=", and you may need to test a specific search engine when you encounter it in web history
• Query values are URL-encoded ("+" or "%20" for spaces), so decode them before reporting; the page title stored with the visit usually repeats the search term and is a quick cross-check
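One worked example, added here and serving both the history-storage notes and the search-parsing notes above (it is not from the course slides): an in-memory stand-in for Chrome's History database is built, the WebKit timestamps are converted to UTC, local file:// visits are flagged, and search terms are pulled out of the URLs with the per-engine parameter map (q= for Google/Bing/DuckDuckGo, p= for Yahoo). The `urls` table is a subset of Chrome's schema with Chrome's column names; the rows and the SEARCH_PARAMS map are constructed assumptions for illustration.

```python
"""Query a Chrome-style History database and pull search terms out of URLs.

Added example, not from the course slides. The `urls` table below is a subset
of Chrome's History schema (column names are Chrome's), the rows are
constructed, and the search-engine parameter map is an assumption that covers
the engines named in the notes.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# host substring -> name of the query-string parameter holding the search term
SEARCH_PARAMS = {
    "google.": "q",
    "bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",   # Yahoo does not use q=
}


def webkit_to_datetime(value):
    """Chrome stores last_visit_time as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def extract_search_query(url):
    """Return (host, decoded query) if url is a search, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for needle, param in SEARCH_PARAMS.items():
        if needle in host:
            query = parse_qs(parts.query).get(param)  # parse_qs URL-decodes
            if query:
                return host, query[0]
    return None


def load_history(conn):
    """Rows from a Chrome-style urls table with decoded time and search term."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "ORDER BY last_visit_time"
    ).fetchall()
    out = []
    for url, title, visits, last in rows:
        search = extract_search_query(url)
        out.append({
            "url": url,
            "title": title,
            "visit_count": visits,
            "last_visit_utc": webkit_to_datetime(last),
            "search_term": search[1] if search else None,
            "local_file": url.lower().startswith("file:"),
        })
    return out


def build_sample_db():
    """Constructed in-memory stand-in for Chrome's History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER, typed_count INTEGER, "
        "last_visit_time INTEGER, hidden INTEGER)"
    )
    base = 13300000000000000  # a WebKit timestamp in June 2022, constructed
    conn.executemany(
        "INSERT INTO urls VALUES (NULL, ?, ?, ?, 0, ?, 0)",
        [
            ("https://www.google.com/search?q=how+to+wipe+a+drive&oq=how",
             "how to wipe a drive - Google Search", 1, base),
            ("https://search.yahoo.com/search?p=sdelete%20download",
             "sdelete download - Yahoo Search", 1, base + 60_000_000),
            ("file:///C:/Users/alice/Desktop/payroll.xlsx",
             "payroll.xlsx", 3, base + 120_000_000),
            ("https://example.org/", "Example Domain", 7, base + 180_000_000),
        ],
    )
    return conn


if __name__ == "__main__":
    for row in load_history(build_sample_db()):
        print(row["last_visit_utc"].isoformat(), row["search_term"], row["url"])
```

To run this against a real Chrome profile, replace build_sample_db() with sqlite3.connect() on a copy of the History file taken from the image; Firefox's places.sqlite needs a different query (moz_places joined to moz_historyvisits) and a Unix-microsecond conversion instead of webkit_to_datetime.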

LNK Files

What are LNK Files?
• According to Microsoft, "Shortcut or link (.lnk) files are very small files that provide a link to another file."
• The file that the shortcut is a link to is called the "target file"
• .lnk is the extension given to desktop icons, Start menu shortcuts, and many other files that a user may often see
How Are LNK Files Created?
• Installation of a program
• Desktop icons
• Start menu icons or shortcuts
• *Opening a file
• *Saving a new file
• (*) These are the forensically interesting ones: Windows creates them automatically, without any user intention, every time a file is opened or saved through the shell
Where Are LNK Files Stored?
Windows Vista+
• Users\<username>\AppData\Roaming\Microsoft\Office\Recent
• Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
• These locations hold recent files opened or saved by a user
• Link files are also stored as desktop icons, Start menu shortcuts, etc.
Benefits of LNK File Analysis
Provides information about:
• Files accessed by the user
• Devices that have been attached to the machine (thumb drives, etc.)
• Can provide evidence of files that are no longer available
• Big picture: helps portray user activity
Recovering LNK Files Using WinHex
• Open physical drive
• Traverse partition
• Navigate to folder of interest ('Recent' folder)
• Recover .lnk files
• You can also mount an image file in FTK Imager and bypass the need to extract the LNK files
• LNK files are not stored in plain text, so we need a tool that understands the LNK file format (MS-SHLLINK) to parse the relevant data
Important Parts of LNK Files
• File system times of the LNK file itself (creation and modified time)
• Information embedded within the LNK file (aka internal metadata)
File System Times of LNK Files
• Creation Date: the date the target file was first opened during the lifetime of the LNK file (i.e., when the shortcut was created)
• Modified Date: the time the target file was last opened (the shortcut is rewritten on each open)
LNK File Internal Metadata
• Size of the target file
• Timestamps of the target file at the time it was last opened (these are the target's MAC times, not the LNK's)
• Information about the volume the target file is/was stored on (drive type, serial number, label)
• Path to the target file
• Other potentially relevant info (the tracker block records the NetBIOS name and a MAC address of the machine that created the link)
LNK Files
• By analyzing the .lnk files within a user account's "Recent" folder, you can get a pretty good idea of what files the user account has been accessing and when the files were accessed
• The path of the target file can be used to show access to a file on a removable storage device or network drive (e.g., F:\, G:\, \\server\share)
• The "LNK" structure is used prolifically throughout the Windows OS (jump lists embed it), so understanding this format and what is available will help you when analyzing other locations
LNK File Examination
• Step 1: Extract LNK files
• Step 2: Parse LNK files using LECmd
• LECmd.exe -d "full_path_to_LNK_directory" --csv "full_path_to_output_directory"
• Step 3: Analyze results of Step 2; note any important or relevant files
• Compare the target's timestamps and size recorded in the LNK against the file on disk (if it still exists): a mismatch shows the file was modified, replaced or moved after it was last opened through this shortcut
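A small parser for the "internal metadata" listed above, added here as an example (it is not from the course slides and is not LECmd). It reads the fixed ShellLinkHeader (target creation/access/write FILETIMEs, target size, flags) and, when the HasLinkInfo flag is set, the LinkInfo block that carries the volume's drive type, serial number and label and the local target path, following the MS-SHLLINK layout. build_sample_lnk() constructs a link to a spreadsheet on a removable drive; its path, label, serial number and timestamps are invented, and strings are decoded as cp1252 (an assumption; links may also carry Unicode variants of the same fields).

```python
"""Parse the fixed header and LinkInfo block of a Windows shell link (.lnk).

Added example, not from the course slides and not LECmd. It reads the
ShellLinkHeader (target timestamps, size, flags) and, when present, the
LinkInfo block (drive type, serial number, volume label, local path) per the
MS-SHLLINK layout. The sample link built by build_sample_lnk() is constructed;
its path, label and serial number are invented for illustration. Strings are
decoded as cp1252 (an assumption; real links may carry Unicode variants).
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_FMT = "<I16sIIQQQIIIHHII"          # ShellLinkHeader, 0x4C bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01     # LinkInfoFlags
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_dt(ft):
    """FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstr(buf, off):
    """NUL-terminated string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    (hsize, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hsize != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    info = {
        "flags": flags,
        "target_attributes": attrs,
        "target_created": filetime_to_dt(ctime),    # target's times, not the LNK's
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
        "target_size": fsize,
    }
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the shell item ID list
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (li_size, _li_hdr, li_flags, vol_off, path_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, off + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            info["drive_serial"] = f"{serial:08X}"
            info["volume_label"] = _cstr(data, off + vol_off + label_off)
            info["target_path"] = _cstr(data, off + path_off) + _cstr(data, off + suffix_off)
        off += li_size
    return info


def build_sample_lnk():
    """Constructed .lnk pointing at a spreadsheet on a removable drive."""
    def ft(*ymdhm):
        return dt_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, HAS_LINK_INFO,
                         0x20, ft(2021, 3, 4, 9, 30), ft(2021, 6, 1, 17, 2),
                         ft(2021, 5, 30, 8, 15), 18432, 0, 1, 0, 0, 0, 0)
    label = b"USB_EVIDENCE\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    local_path = b"F:\\payroll\\secret.xlsx\x00"
    suffix = b"\x00"
    vol_off = 28                                   # LinkInfo header size, no Unicode offsets
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(local_path)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, path_off, 0,
                            suffix_off) + volume_id + local_path + suffix
    return header + link_info


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:18} {v}")
```

The drive type and serial number are what tie a "F:\..." target back to a particular USB device when correlated with the USBSTOR registry keys; network targets (CommonNetworkRelativeLink) and the tracker block are not decoded here.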

Memory Forensics

Why Memory Forensics?
• Everything in the OS traverses RAM:
• Processes
• Network connections
• Open files/handles
• Encryption keys
• Volatile registry keys
• Malware
• Much of this is lost when the system is powered off and/or is not available from a disk image
Benefits of Memory Forensics
• Access to data unavailable from other locations:
• Private browsing data
• Encryption keys (e.g., BitLocker or TrueCrypt master keys, which make an otherwise locked disk image readable)
• Memory-only malware
• Chat activity
• Network connections
Memory Acquisition Approaches
• "Traditional" - run the memory acquisition tool directly on the host to dump memory (order of volatility: do this before imaging the disk, and document that the tool itself changes memory)
• Remote - run the memory acquisition tool against the remote system (the tool runs on the analyst machine)
• Virtual machine memory acquisition - acquire/copy the VM memory files (.vmem, .mem, etc.) from the VM host machine; the VM needs to be suspended or snapshotted for these files to be complete
• Hibernation file (hiberfil.sys) or crash dump (MEMORY.DMP) from the host system, if they exist
Memory Acquisition - winpmem
• Part of the "pmem" memory acquisition utility suite
• Loads a kernel driver to read physical memory
• Designed with reliable memory acquisition in mind
• Uses an advanced methodology for reading memory pages (PTE remapping) in addition to the MmMapIoSpace and \Device\PhysicalMemory methods
Memory Analysis - Volatility
• Python framework for memory forensics - supports Windows, Linux, and Mac
• Volatility 2 supports Windows XP - Windows 10 and needs the correct profile for the target build; Volatility 3 resolves symbols automatically
• Uses plugins to carry out specific functions (process listing, network connections, handles, loaded DLLs, etc.)

Prefetch Files

Why Study Prefetch Files?
• Prefetch files are used across many versions of Windows and play a key role in demonstrating program execution
• Format varies a bit based on the version of Windows
What is Prefetching?
• Service performed by Windows that improves system performance by aiming to open applications quicker
• Monitors the first 10 seconds after an app is launched and records the activity (files and directories touched) in a file called a prefetch file
Prefetching
• Prefetch files are stored in the Windows\Prefetch directory (C:\Windows\Prefetch)
• Disabled in some versions of Windows (server editions); controlled by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
• Application prefetching enabled by default on XP, Vista, 7, 8, & 10
• Prefetch files have a .pf extension
• Each prefetch file is named by the executable name, a hash of the full path from which the executable was launched, and the extension "pf" (NOTEPAD.EXE-XXXXXXXX.pf, where X is the 8-hex-digit hash); the same executable run from two different directories therefore produces two different prefetch files
Prefetch Files - Valuable Info
• First time the app was started - creation time of the .pf file
• Last time the app was started - embedded "Last Run time" (stored in UTC!)
• On Windows 8 and later, the last 8 times an app was started
• Number of times the app was started ("Run Count")
• Path to the application
• Volume-related information
• List of files and directories loaded or accessed by the application (within the first 10 seconds of execution)
• Windows 10 prefetch files are compressed (the file starts with "MAM") and must be decompressed before the fields above can be read
Benefits of Prefetch File Analysis
• Can show what time malware was executed
• Can also obtain files accessed by the malware (the loaded-files list)
• Can show that a wiping program was executed, even after the wiper removed everything else
• Can help identify "unusual" programs by looking at the embedded "Run Count" value
• Least frequency of occurrence: programs run only once or twice are the ones to look at first
• Caveat: a prefetch file proves execution but not by whom; there is no user attribution in the file, so correlate with user-specific artifacts (LNK files, jump lists, event logs)
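A header parser for uncompressed prefetch files, added here as an example (not from the course slides). It checks the SCCA signature, reads the embedded executable name and path hash, the UTC "Last Run" FILETIME(s) and the run count at the offsets used by versions 17 (XP), 23 (Vista/7) and 26 (8.1), and then ranks the results by run count for a least-frequency-of-occurrence review. Windows 10 (version 30) files are only detected by their MAM compression signature. The sample files, executable names, hashes, times and run counts are constructed.

```python
"""Parse the header of uncompressed Windows prefetch (.pf) files, versions 17/23/26.

Added example, not from the course slides. Field offsets follow the SCCA
format as documented for XP (17), Vista/7 (23) and 8.1 (26); Windows 10 files
(version 30) are MAM-compressed and are only detected here, not parsed.
The sample files are constructed; the executable names, hashes, timestamps
and run counts are invented for illustration.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (offset of last-run FILETIME(s), number of them, offset of run count)
LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP / 2003
    23: (0x80, 1, 0x98),   # Windows Vista / 7
    26: (0x80, 8, 0xD0),   # Windows 8.1: last eight run times
}


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return version, executable name, path hash, run count and run times."""
    if data[:3] == b"MAM":
        raise ValueError("Windows 10 compressed prefetch: decompress (Xpress Huffman) first")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    run_off, run_slots, count_off = LAYOUT[version]
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL-terminated.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    times = struct.unpack_from(f"<{run_slots}Q", data, run_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "file_size": file_size,
        "exe_name": exe_name,
        "path_hash": f"{path_hash:08X}",
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "run_count": run_count,
        "last_runs_utc": [filetime_to_dt(t) for t in times if t],  # zero slot = unused
    }


def rank_by_run_count(parsed):
    """Least frequency of occurrence: rarely run programs first."""
    return sorted(parsed, key=lambda p: (p["run_count"], p["exe_name"]))


def build_sample_pf(exe_name, path_hash, last_run, run_count, version=23):
    """Constructed prefetch file with only the header fields populated."""
    run_off, run_slots, count_off = LAYOUT[version]
    buf = bytearray(max(count_off + 4, 0xE0))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    delta = last_run - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    struct.pack_into("<Q", buf, run_off, ft)       # only the newest slot filled
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


SAMPLES = [  # constructed: a rarely run wiper next to everyday programs
    build_sample_pf("SDELETE.EXE", 0x1A2B3C4D,
                    datetime(2022, 6, 18, 4, 26, tzinfo=timezone.utc), 1),
    build_sample_pf("NOTEPAD.EXE", 0x0FF0AA55,
                    datetime(2022, 6, 17, 9, 0, tzinfo=timezone.utc), 40),
    build_sample_pf("CALC.EXE", 0xDEADBEEF,
                    datetime(2022, 6, 16, 12, 0, tzinfo=timezone.utc), 12, version=26),
]

if __name__ == "__main__":
    for p in rank_by_run_count([parse_prefetch(s) for s in SAMPLES]):
        print(p["run_count"], p["expected_filename"], p["last_runs_utc"][0].isoformat())
```

When the computed expected_filename does not match the name the file actually has on disk, either the file was renamed or the embedded name was tampered with; both are worth a note in the report. The loaded-files list and volume information live after the header and need the per-version section offsets, which this example does not read.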

Event Log

Windows Event Log
• Records information about system events that are being audited (what gets recorded depends on the audit policy, so an empty Security log can mean "nothing logged", not "nothing happened")
• Individual records are written to an event log; each tracks a particular event that occurred and carries a timestamp (stored in UTC)
• 100+ different event logs in Vista+
• Event log format (.evtx, a binary XML format) and recording changed dramatically in Vista; Event IDs changed as well (e.g., XP's 528 successful logon became 4624)
• Stored in \Windows\System32\winevt\Logs on Vista+ systems
• We'll focus on Windows 7 event logs
Windows Event Log: Types
• Windows logs (Application, Security, Setup, System, Forwarded Events)
• Application and Services logs (per-component logs such as TaskScheduler, PowerShell and Windows Defender)
Reviewing Event Logs
• Microsoft Event Viewer - built-in event viewer
• Event Log Explorer - third-party app that allows reviewing, searching, and filtering event logs
• Evtx Explorer - CLI to parse event logs, leverages event "maps" (per-Event-ID definitions that pull the event's data fields into consistent columns)
Event Logs
• Windows Logs + Applications and Services Logs can tell the story of a system
• Great for timelines
• Logs roll over by size (20 MB by default on Windows 7) and can be cleared by an attacker; clearing the Security log itself leaves event 1102, so check for that first

Recycle Bin

Windows Recycle Bin
• Holding location for files deleted by a user through Explorer (Shift+Delete, command-line deletes and deletes performed by programs bypass it)
• Each user account has its own Recycle Bin (a subdirectory of $Recycle.Bin named by the user's SID)
• Files can be restored or purged from the Recycle Bin
What happens when a file is sent to the Recycle Bin? (Vista+)
1. The file is moved to the $Recycle.Bin directory and stored in the subdirectory named by the user's SID
2. The file is renamed to "$R" followed by six random characters, then the original file extension (e.g., "$RSDEZCY.xlsx")
3. An index file named "$I" followed by the same six characters found in the "$R" file and the original file extension is created and stored in the same $Recycle.Bin\[SID] directory
Recycle Bin $I Index File
• Stores the size of the "deleted" file
• Stores the original location (full path) where the file was stored
• Stores the time the file was sent to the Recycle Bin (FILETIME, UTC)
• $I files hold the deletion details; $R files hold the actual file content
• Two layouts: Vista through 8.1 use a fixed 544-byte $I file (version 1, 260-character path); Windows 10 uses version 2 with a path-length field and a variable-length path
• A $I without its $R (or vice versa) still tells you that a file of that name and size was deleted at that time; emptying the bin removes both, after which MFT record recovery and carving are what remain
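A parser for the $I index file described above, added here as an example (not from the course slides). It handles both the fixed 544-byte version 1 layout (Vista through 8.1) and the length-prefixed version 2 layout (Windows 10), pairs each $I with the $R file that shares its six characters, and reports whether the content is still present. The sample $Recycle.Bin\<SID> listing is constructed; the paths, sizes, deletion times and the six-character suffixes are invented for illustration.

```python
"""Parse Recycle Bin $I index files (Vista/7/8.1 version 1 and Windows 10 version 2).

Added example, not from the course slides. The layout is: 8-byte version,
8-byte original size, 8-byte deletion FILETIME, then the original path as
UTF-16LE (fixed 520 bytes in version 1; a 4-byte character count followed by
the path in version 2). The sample $I files built below are constructed and
their paths, sizes and times are invented.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Return original path, size and deletion time from a $I file."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                        # Vista - 8.1: fixed 260 WCHARs
        raw = data[0x18:0x18 + 520]
    elif version == 2:                      # Windows 10+: length-prefixed
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_path": path,
        "original_size": size,
        "deleted_utc": filetime_to_dt(deleted_ft),
    }


def r_file_for(i_name):
    """$ISDEZCY.xlsx -> $RSDEZCY.xlsx (same six characters, same extension)."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_dollar_i(path, size, deleted, version):
    """Constructed $I file for testing the parser."""
    delta = deleted - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    head = struct.pack("<QQQ", version, size, ft)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


def inventory(bin_dir):
    """bin_dir: {filename: bytes} for one $Recycle.Bin\\<SID> directory.

    Pairs each $I with its $R and reports whether the content is still there.
    """
    rows = []
    for name, content in sorted(bin_dir.items()):
        if not name.startswith("$I"):
            continue
        meta = parse_dollar_i(content)
        r_name = r_file_for(name)
        meta["r_file"] = r_name
        meta["content_present"] = r_name in bin_dir
        rows.append(meta)
    return rows


# Constructed directory listing: one complete pair and one orphan $I.
SAMPLE_BIN = {
    "$ISDEZCY.xlsx": build_dollar_i(r"C:\Users\alice\Documents\payroll.xlsx", 18432,
                                    datetime(2022, 6, 18, 4, 30, tzinfo=timezone.utc), 1),
    "$RSDEZCY.xlsx": b"\x00" * 18432,
    "$IQ7F2KP.txt": build_dollar_i(r"D:\notes\todo.txt", 120,
                                   datetime(2022, 6, 19, 10, 0, tzinfo=timezone.utc), 2),
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_BIN):
        print(row["deleted_utc"].isoformat(), row["original_size"],
              row["original_path"], "R present:", row["content_present"])
```

On a real image, walk each SID subdirectory of $Recycle.Bin, read every $I into the dictionary, and keep the SID alongside the rows: the SID is what attributes the deletion to a user account, and the deleted_utc value is the time to place on the timeline next to any LNK or jump list entry for the same path.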

Dead Imaging

• Capturing an image while the suspect's operating system is not running
• Involves pulling the hard drive (and attaching it through a hardware write blocker) or booting the machine from a forensic live OS that mounts nothing read-write
• Preferred because the suspect OS never gets a chance to alter the evidence, and the image hash can be verified against the untouched drive
• Not always possible/practical: full-disk encryption (BitLocker, FileVault) without the recovery key, RAID or SAN storage, soldered or cloud storage, or systems that cannot be taken down

