7/23/2019 CNS 320 Week10 Final Review
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE
Week 10 Final Review
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Final Review
Remember, the final exam is worth 40% of your grade.
Imaging
- An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD, etc.)
- Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF
- Images are typically validated as unchanged by use of one or more of a number of cryptographic hash algorithms (md5, sha1, sha256)
- Of these three common hashing algorithms, only sha256 has no known collision attacks against it
- On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that original evidence is unchanged
- On live systems, it is almost certain that the image hash for a disk in use or system memory will not match
- Exact methodologies will vary from organization to organization
Physical vs. Logical Imaging
- Physical Image: full image of complete physical disk device content
- Logical Image: image of a logical volume, as mounted on a live system
  - Portion of a physical device
  - RAID spread across several different physical devices
  - Mounted encrypted volume
  - Mounted network volume
MBR Partitioning
- Most Windows partitions are MBR
- Master Boot Record lives in the first 512-byte sector on disk & contains:
  - Boot record
  - 4 Primary Partition Table Entries (not all need be valid)
  - Signature Value (0xAA55)
- Partition Table Entry contains:
  - Starting CHS address
  - Ending CHS address
  - Starting LBA address
  - Number of sectors in partition
  - Type of partition
  - Flags
- A Primary Partition may be an Extended Partition, which references a linked list of Secondary Extended Partition Tables
- First partition usually starts 63 sectors after the partition table due to a legacy cylinder boundary requirement
File Systems
- A filesystem is a method of mapping file data and metadata onto a storage volume in such a way that it can be stored and retrieved efficiently
- Filesystem Data Categories:
  - File System: data pertaining to the filesystem as a whole
  - Content: data contained within the bodies of files
  - Metadata: data about files
  - File Name: human interface reference for a file identifier
  - Application: data implementing special filesystem features such as journaling or quotas
Data Storage: Big-Endian vs. Little-Endian
- Big-Endian: most significant byte stored first (lowest address). Used by mainframes & UNIX systems
- Little-Endian: least significant byte stored first. Used by PCs
- Value: 258
  - Hex: 0102 (2*16^0 + 0*16^1 + 1*16^2)
  - Big-Endian: 01 02
  - Little-Endian: 02 01
- Mnemonic: LLL = Little, Least, Left
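Added example, not from the slides: a small Python parser for the MBR layout described above (four 16-byte partition entries at offset 446, 0xAA55 signature, LBA start and sector count) that also shows the little-endian decoding from the endianness slide. The 512-byte sector is constructed inline; the CHS byte packing, the extended-partition type codes 0x05/0x0F and the layout sanity checks are assumptions of this example.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 4 entries x 16 bytes end at byte 510
ENTRY_FORMAT = "<B3sB3sII"            # status, start CHS, type, end CHS, start LBA, sector count
EXTENDED_TYPES = {0x05, 0x0F}         # assumption: DOS and LBA-style extended partition type codes


def decode_le(raw):
    """Rebuild an integer from little-endian bytes by hand: the first byte is the
    least significant (slide example: 258 = 0x0102 is stored as 02 01)."""
    value = 0
    for i, b in enumerate(raw):
        value += b << (8 * i)
    return value


def decode_chs(raw):
    """Assumed classic CHS packing: byte0 = head, byte1 = sector (low 6 bits) plus
    cylinder high bits (top 2 bits), byte2 = cylinder low 8 bits."""
    head, b1, b2 = raw
    sector = b1 & 0x3F
    cylinder = ((b1 & 0xC0) << 2) | b2
    return cylinder, head, sector


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    # The signature is little-endian as well: on-disk bytes 55 AA read as 0xAA55
    signature = struct.unpack_from("<H", sector, 510)[0]
    if signature != 0xAA55:
        raise ValueError("bad MBR signature 0x%04X" % signature)
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, start_chs, ptype, end_chs, start_lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        if ptype == 0 and count == 0:
            continue                  # unused table slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "start_chs": decode_chs(start_chs),
            "end_chs": decode_chs(end_chs),
            "start_lba": start_lba,
            "sector_count": count,
        })
    return partitions


def check_layout(partitions, disk_sectors):
    """Sanity checks for a recovered table: entries that run past the end of the
    device or overlap each other deserve a closer look."""
    problems = []
    for p in partitions:
        if p["start_lba"] + p["sector_count"] > disk_sectors:
            problems.append("partition %d extends past end of disk" % p["index"])
    for a in partitions:
        for b in partitions:
            if a["index"] < b["index"]:
                a_end = a["start_lba"] + a["sector_count"]
                b_end = b["start_lba"] + b["sector_count"]
                if a["start_lba"] < b_end and b["start_lba"] < a_end:
                    problems.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return problems


def build_sample_mbr():
    """Constructed sector for this example: one bootable NTFS-type (0x07)
    partition starting at LBA 63, the legacy cylinder-boundary start."""
    entry = struct.pack(ENTRY_FORMAT,
                        0x80,                        # bootable flag
                        bytes([1, 1, 0]),            # start CHS: head 1, sector 1, cylinder 0
                        0x07,                        # NTFS/HPFS partition type
                        bytes([0xFE, 0xFF, 0xFF]),   # end CHS placeholder (beyond CHS range)
                        63,                          # start LBA, written little-endian
                        204800)                      # 100 MiB worth of 512-byte sectors
    mbr = bytearray(SECTOR_SIZE)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = b"\x55\xAA"       # 0xAA55 stored least-significant byte first
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    for part in parse_mbr(sample):
        print(part)
    print(check_layout(parse_mbr(sample), 204863))
```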
Slack Space
- RAM Slack: space in the last sector of a file after the end of the file. Back in old versions of Win95 and previous, this got randomly populated with data from memory. Since then it is nulled out when a file is written.
- File Slack: any remaining sectors in the last cluster of a file following the RAM Slack. These are not overwritten when the file is written, and will still contain any previous content. (Usage of this term sometimes includes RAM Slack.)
- Collectively, File Slack is the space between the logical and physical end of file
  - Physical EOF is the end of allocated clusters
  - Logical EOF is the end of file data
NTFS
- Everything in NTFS is a File, including the MFT
- MFT Structure (every file has an MFT entry)
  - File Attributes, particularly:
    - Standard Information Attribute (contains primary file timestamps)
    - Filename Attribute (there may be two of these, and each contains redundant timestamps)
    - Data Attribute (for resident files [< a few hundred bytes], data is contained within the MFT entry itself)
      - Data attributes after the first are referred to as Alternate Data Streams
    - Index_Allocation Attributes (for directories): B-Tree contains complete File_Name Attributes, including redundant timestamps
- Attribute Structure
- Note the various redundant timestamps
NTFS MFT
- NTFS Data Structure - Master File Table (MFT)
- Heart of NTFS. Has an entry for every file and directory, including itself.
- MFT entries are 1024 bytes in length, & start with FILE (typically) or BAAD.
- A single file can require multiple MFT entries to store all its attributes. But this is rare.
- It's sometimes possible to find complete MFT entries in unallocated space that reference file data also in unallocated
NTFS File Attributes of Particular Note
- Standard Information Attribute (contains primary file timestamps)
- Filename Attribute (there may be two of these, and each contains redundant timestamps)
- Data Attribute (for resident files, data is contained in the MFT entry itself)
  - Data attributes after the first are referred to as Alternate Data Streams (ADS)
  - ADS can be used by attackers or malware to hide data
- Index_Root Attribute (directories - resident)
- Index_Allocation Attribute (directories - nonresident)
  - B-Tree contains complete File_Name Attributes, including redundant timestamps
  - Entries also contain a reference to the MFT record number
NTFS MFT Entry Timestamps
- NTFS MFT entries have two (sometimes three) attributes that contain timestamps:
  - $STANDARD_INFORMATION: the only one normally seen
  - $FILE_NAME (SHORT & POSSIBLY LONG): redundant and difficult to change
- Four file system timestamps (MACB times) are contained in each entry:
  - 2: Last [M]odified time
  - 4: Last [A]ccessed time
  - 3: MFT entry modified ([C]hanged) time
  - 1: creation ([B]orn) time
NTFS directory entries also have timestamps & file sizes
- The INDX structure of an NTFS directory stores a complete copy of (both) the referenced file's filename attributes
- This includes all timestamps and file sizes. When a file is deleted, this entry is unlinked from the INDX structure's btree, but is not wiped unless overwritten during ensuing btree rebalancing
- If you find a filename in unallocated space, or in the INDX structure of a folder which no longer contains a file of that name, it helps to know what you're looking at
Recognizing NTFS Timestamps
- Individual NTFS timestamps are 8-byte little-endian quantities showing the number of 100ns units since Jan 1st, 1601.
- If you see four plausible NTFS datestamps in a row, followed after 26 more bytes by a unicode filename, you're probably looking at a filename attribute.
- If it's surrounded by a bunch of other similar data for other filenames, without much interspersed, it's probably a directory. Look back a few hundred bytes and see if there's an INDX header.
- Alternatively, if there is a significant amount of interspersed data, and the only other filename attribute close by is a long or short filename attribute for the same file, you might be looking at an MFT entry. Look back a few hundred bytes and see if you see a FILE header.
Detecting timestamp manipulation
- Compare standard information attribute timestamps with filename timestamps
- Compare with other timestamps for the same file recovered from directory entries or unallocated space
- Utilities which set timestamps typically will set to either a particular time rounded to the nearest second, or will copy standard info attribute times for some other file
  - Look for times exact to the second
  - Look for times exactly matching other files
- Look for log references to the suspicious file
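Added example (not from the slides) covering the two preceding slides in Python: it decodes 8-byte FILETIME values, scans a raw byte buffer for the four-plausible-timestamps-then-Unicode-name pattern, and flags the whole-second and $SI-earlier-than-$FILE_NAME signs of timestamp manipulation. The $FILE_NAME field layout, the 1980-2040 plausibility window and the sample attribute bytes are assumptions constructed for this example, not data from the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns units

def filetime_to_datetime(ticks):
    """8-byte little-endian FILETIME value -> UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

# Plausibility window for the scanning heuristic; an assumption of this example.
FT_MIN = datetime_to_filetime(datetime(1980, 1, 1, tzinfo=UTC))
FT_MAX = datetime_to_filetime(datetime(2040, 1, 1, tzinfo=UTC))

def plausible_filetime(ticks):
    return FT_MIN <= ticks <= FT_MAX

# Assumed $FILE_NAME body layout: parent reference (8), four FILETIMEs (4 x 8),
# allocated size (8), real size (8), flags (4), reparse value (4), name length in
# UTF-16 chars (1), namespace (1), then the UTF-16LE name 26 bytes after the last
# timestamp, which is the pattern the slide describes.
FN_HEADER = "<QQQQQQQIIBB"
FN_NAME_OFFSET = struct.calcsize(FN_HEADER)   # 66
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")

def build_file_name_attr(name, times, real_size, parent_ref=5):
    """Constructed attribute body for this example."""
    encoded = name.encode("utf-16-le")
    header = struct.pack(FN_HEADER, parent_ref,
                         times["created"], times["modified"],
                         times["mft_modified"], times["accessed"],
                         (real_size + 4095) // 4096 * 4096, real_size,
                         0, 0, len(name), 1)
    return header + encoded

def parse_file_name_attr(buf, offset=0):
    fields = struct.unpack_from(FN_HEADER, buf, offset)
    name_len = fields[9]
    start = offset + FN_NAME_OFFSET
    name = buf[start:start + 2 * name_len].decode("utf-16-le")
    return {"parent_ref": fields[0], "created": fields[1], "modified": fields[2],
            "mft_modified": fields[3], "accessed": fields[4],
            "allocated_size": fields[5], "real_size": fields[6], "name": name}

def find_file_name_candidates(buf):
    """Slide heuristic over raw bytes: four plausible FILETIMEs in a row and a
    decodable Unicode name 26 bytes after them. Returns (body offset, name) pairs."""
    hits = []
    for off in range(0, len(buf) - FN_NAME_OFFSET):
        stamps = struct.unpack_from("<4Q", buf, off + 8)
        if not all(plausible_filetime(t) for t in stamps):
            continue
        name_len = buf[off + 64]
        end = off + FN_NAME_OFFSET + 2 * name_len
        if name_len == 0 or end > len(buf):
            continue
        try:
            name = buf[off + FN_NAME_OFFSET:end].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            hits.append((off, name))
    return hits

def detect_timestomp(si_times, fn_times):
    """Checks from the slide: $STANDARD_INFORMATION times exact to the second, or a
    creation time earlier than the $FILE_NAME copy (heuristics, not proof)."""
    findings = []
    for key in TIME_KEYS:
        if si_times[key] % TICKS_PER_SECOND == 0:
            findings.append("$SI %s is exact to the second" % key)
    if si_times["created"] < fn_times["created"]:
        findings.append("$SI creation time precedes $FILE_NAME creation time")
    return findings

def ft(year, month, day, hour=0, minute=0, second=0, fraction_ticks=0):
    stamp = datetime(year, month, day, hour, minute, second, tzinfo=UTC)
    return datetime_to_filetime(stamp) + fraction_ticks

# Constructed sample: the $FILE_NAME copy keeps the real sub-second times, while
# the $STANDARD_INFORMATION copy has been set back to a round 2012 date.
FN_TIMES = {"created": ft(2019, 7, 23, 10, 15, 30, 1234567),
            "modified": ft(2019, 7, 23, 11, 2, 5, 1234567),
            "mft_modified": ft(2019, 7, 23, 11, 2, 5, 1234567),
            "accessed": ft(2019, 7, 23, 11, 2, 5, 1234567)}
SI_TIMES = {key: ft(2012, 1, 1) for key in TIME_KEYS}
SAMPLE_ATTR = build_file_name_attr("notes.txt", FN_TIMES, 1234)
SAMPLE_BUFFER = b"\x00" * 40 + SAMPLE_ATTR + b"\xff" * 20
```

Running `find_file_name_candidates(SAMPLE_BUFFER)` locates the single attribute at offset 40, and `detect_timestomp(SI_TIMES, FN_TIMES)` returns five findings for the backdated sample.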
Forensic Soundness
- A forensically sound process is one that ensures data remains complete and materially unaltered (if portions are lost or altered, that fact must be readily apparent) while it is acquired, retained, and transported, so that it is admissible in a legal proceeding.
- On the final, I could describe a process and ask whether it's forensically sound
Volatile Data Elements
- Network Connections
- Open Ports & Sockets
- Running Processes (may be hidden)
- Terminated Processes
- Loaded DLLs
- Open Files
- Kernel Modules
- User Logged On
- Data from Memory
Fuzzy Hashing
- Method of measuring similarity between different files
- Ssdeep is the most commonly used fuzzy hashing utility.
- Most effective on files containing large amounts of text, less so with purely binary data, but YMMV.
- Fuzzy hashing is also referred to as context triggered piecewise hashing (CTPH)
Unallocated Space: typical usage of the term
- Can be within any record structure, for example:
  - Disk
  - Volume
  - Filesystem
  - Database File
  - Registry Hive
  - Directory
  - Physical Memory (Heap)
- Any location which does not currently hold referenced data
WinNT/2K/XP/2K3 Recycle Bin
- Subfolder under RECYCLER named with the user's SID
- When a file goes into the trash, it's moved to a unique name under this folder such as D<drive letter><number>.<ext>
- Also under this subfolder will be a hidden binary file named INFO2 containing records which document current name, original full path, & deletion time for each file in the recycle bin
- When the recycle bin is emptied, all these files are deleted
WinVista/7 Recycle Bin
- User SID folder created under $Recycle.bin
- Each deleted file now gets moved to $R###### under the new SID folder
- $I###### with the same number in that folder contains the original path and deletion time for that file (equivalent to INFO2, but for individual files)
The Windows Registry
- Essentially a specialized Filesystem used for configuration data
- Stored in multiple files (hives)
- System Hives (%Windir%\System32\Config)
  - SAM (Security Account Manager)
  - Security
  - System
  - Software
  - Default
- User Hives
  - Ntuser.dat
  - UsrClass.dat (added with Win7 or IE8)
- Hive files are locked while the OS runs
- You can extract them from live systems with forensic tools such as FTK Imager
- Some, such as SAM and Security, may require privileged access to acquire from a live system
- As usual, however, physical access trumps all. They're easily retrieved from an offline system
Registry Structure
- If you find unallocated search hits with strings such as regf, hbin, nk, lf, lh, ri, li, & vk nearby, you're likely looking at an old deleted registry file.
- nk entries are registry keys, and contain Windows FILETIME last updated timestamps
- vk entries are registry values. No timestamps, but they frequently occur shortly after their parent keys
MRUList: Most Recently Used
- Registry key that appears many times in different places in the registry, mostly in the ntuser.dat hive
- Values under this key include a variable number of values containing last accessed values of some type, and an MRUList value which indicates the order in which these values were accessed
  - First entry in MRUList is most recent.
- The last write time of the key is the date at which the most recent of these was accessed
UserAssist
- HKU\*\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist
- Application names ROT-13 encoded
- Run count (starts at 6)
- Last run time (Windows FILETIME)
- ROT-13 substitutes alphabetic characters with the character 13 further along in the alphabet (circular). So doing it a 2nd time returns the string to its original value. Numeric & punctuation data are unaffected
SAM Registry Hive Contents
- User Name
- Security Identifier (SID)
- User Login Information
  - Last Login
  - Last Failed Login
  - Login Count
  - Password Policy
- Group Information (list of groups and members)
  - Administrators
  - Users
  - Remote Desktop Users
CurrentControlSet
- There may be several sets of keys under System
  - ControlSet001
  - ControlSet002
  - Etc.
- Number of the most up-to-date one will be shown in SYSTEM\Select\Current
Time Zone
- SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- Some Forensic Tools (EnCase) will show all file times as the zone set on the workstation they're run on
- This can be confusing, because many log files will be in either GMT or in local time for the subject system
- You can wind up with times from the same system in three different zones. This is a pain.
Enable/Disable Last Access Time
- SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
  - 0x1 = Access Timestamps Turned Off (default on Win7)
  - 0x0 (or value doesn't exist, as on Win2K) = Access Timestamps Turned On
Process Path Verification
Windows Event Logs
- NT/2K/XP/2K3: .evt files
  - %systemroot%\System32\config
  - SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others
  - File Header/Magic Number in bytes 4-8: LfLe
  - Header in 2nd 4 bytes of each record: LfLe (same as file header)
  - 2 timestamps per record (generated & recorded), UNIX Epoch time format
- Vista/7/2K8: .evtx files
  - %systemroot%\System32\winevt\logs
  - SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
  - Header in 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
  - Logs can be sent to a remote log collector
  - Binary XML format
- File locations can be changed in the registry
- UNIX Epoch time = number of seconds since 00:00 Jan 1st, 1970 GMT
Example Scenario: Domain user logs in to workstation and maps network file share
- Domain user (Kerberos authentication, Win2K3 server environment) logs in to workstation and maps a network file share to a file server
- Events Logged:
  - Workstation
    - 528 successful logon
  - Domain Controller
    - 672 authentication ticket granted
    - 673 service ticket granted (workstation)
    - 673 service ticket granted (domain controller)
    - 540 successful network logon
    - 538 user logoff
    - 673 service ticket granted (file server)
  - File Server
    - 540 successful network logon
    - 538 user logoff
Office Default Metadata Values
Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters, Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)
Manual Examination of New (XML) Office Files (docx, xlsx, pptx)
- Unzip the file (all the 2007+ Office files are actually zip archives of a file tree)
- Result will be a folder
- Examine the file docProps\app.xml under that extracted folder
- Metadata values will be encoded in XML
PDF Metadata
- Typical XMP PDF Metadata Tags: Author, Copyright, CreationDate, Creator (application name), Keywords, Marked (boolean value), ModDate, PDFVersion, Producer (application name), Subject, Title, Trapped
- The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files
Metadata in JPG Images
- Newer digital cameras & phones often geotag images with GPS coordinates
- Can also potentially identify the specific camera that took a picture
- Lots of data about specific camera settings at the time the picture was taken
- Can sometimes identify photo editing software used to alter the image
- Some images carry an internal thumbnail which can be extracted
Typical Metadata in a Portable Executable File (exe/sys/dll)
Machine Type, Time Stamp (compiled), PE Type, Linker Version, Code Size, Initialized Data Size, Uninitialized Data Size, Entry Point, OS Version, Image Version, Subsystem Version, Subsystem (GUI/DOS/Native), File Version Number, Product Version Number, File Flags Mask, File Flags, File OS, Object File Type (app/dll), File Subtype, Language Code, Character Set, Company Name, File Description, File Version, Internal Name, Legal Copyright, Original Filename, Product Name, Product Version, Product Date
Pre-Vista: Thumbs.db
- Populated in any folder which has at one time been set to show thumbnails of included images & documents
- Hidden file, not viewed by most users and not cleaned out when files are removed from the folder
- Uses OLE compound document format (similar to Office 2K3 and previous) to store:
  - thumbnail picture of original image or first page of document
  - last modification time
  - original filename
Vista+: Thumbcache
- Single, centrally stored file for each user
  - Thumbcache_32.db (small)
  - Thumbcache_96.db (medium)
  - Thumbcache_256.db (large)
  - Thumbcache_1024.db (extra large)
  - Thumbcache_idx.db
  - Thumbcache_sr.db
- Located in <profile>\AppData\Local\Microsoft\Windows\Explorer
- All created when a folder is switched to thumbnail mode or the user views pictures in a slideshow
- Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers
- Numbered files store actual images; linking to files is done by the idx file.
- Purpose of sr file not yet determined
Email Forensics
- In Transit: Simple Mail Transport Protocol (SMTP)
  - Remember that all headers added by systems before the earliest system you control could possibly have been spoofed
- At Rest (various storage formats)
  - PST/OST (Outlook)
  - DBX (Outlook Express)
  - EML/FOL (Windows Mail)
  - MSF/no ext (Thunderbird)
  - MBX/TOC (Eudora)
Useful SMTP Headers
- Received: one added by each SMTP server in the forwarding chain
- Message-ID: added by originating SMTP server; Unique_identifier@originating_server
- X-Originating-IP: optional, added by originating MTA; should match earliest Received header
- X-Mailer: optional, added by creating email client
Attachments
- SMTP only allows text
- Enter Multipurpose Internet Mail Extensions (MIME)
- Message Segmentation
- Base64 encoded attachments in their own segments
Spoliation
- The destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation
- A party claiming Spoliation must demonstrate:
  - The party having control of the evidence had an obligation to preserve it at the time it was destroyed
  - The evidence was destroyed with a culpable state of mind
  - The destroyed evidence was relevant to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense
Six Phases of the Standard IR Model
1. Preparation (Important)
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-Up and Lessons Learned (Even More Important)
Link/Shortcut Files (.LNK)
- Whenever a file (local or remote) is opened using Explorer, a shortcut file is created:
  - <profile>\Recent (XP)
  - <profile>\AppData\Roaming\Microsoft\Windows\Recent (Vista/7)
  - <profile>\AppData\Roaming\Microsoft\Office\Recent (Vista/7)
- Note: In Win7, the link may get created inside a jumplist file
Shortcut file contents
- Begins with magic value 4C 00 00 00 (L NULL NULL NULL)
- Four byte file length at offset 34h (easy to carve)
- Timestamps from original file when shortcut last accessed
- Size from original file when shortcut last accessed
- Volume Info: Name, Type (HD, Removable, Remote, CD), Serial#
- Network Share Name, if any
- Long & short filename
- Original File Path
- FileLocation (ObjectID [contains MAC address] + VolumeID)
  - Two different ones if file has been moved between 2 NTFS volumes
- These files are really short, and so are typically resident in their MFT entry.
Prefetch/Superfetch Files (.pf)
- Used to increase performance by preloading code pages for commonly used applications
- Referred to as superfetch in Vista/Win7
- Found in %Windir%\Prefetch
  - <executable name>-<hash>.pf
- Prefetch not cleaned out when exe is removed
- Up to 128 of them can exist at a time
Data in .pf file
- File Signature (beginning of file)
  - XP: \x11\x00\x00\x00\x53\x43\x43\x41 (.SCCA)
  - Vista/7: \x17\x00\x00\x00\x53\x43\x43\x41 (.SCCA)
- Contains paths of all files & folders accessed by the program in the first 10 seconds
- Create time indicates when executable was first run
- Mod date & internal FILETIME indicate last time
- Run Count
- Volume path & serial # for all files referenced
- Prefetch\Layout.ini contains path information
- File Size: 4-byte quantity at offset 0x000c
Restore Points
- Restore Points (XP) created by default every 24 hours so the user can restore the system to a previous state if something goes wrong (boot to last known good state), kept 90 days by default
- Contain copies of all system files & registry entries changed since last restore point
- Found in C:\System Volume Information\_restore{GUID}\RP###\
- Change.log (binary) file maps generic restore point filenames back to their original paths
- Rp.log: last 8 bytes are Windows FILETIME for restore point creation date
- Snapshot subfolder contains copies of changed registry keys for all hives (only accessible by System on a live host)
Volume Shadow Copy Service (VSS)
- Vista/7 version of Restore Points, but much more pervasive
- Tracks all (aggregate) changes made to the filesystem since last Shadow Copy
- Literally allows entire filesystem or individual files or folders to be rolled back to a previous state
- Offline filesystem can be mounted as it existed at a previous date
- Only takes a snapshot periodically (Win7: weekly), not continually. Enabled by default.
- Typically limited to 15% of volume size
ShellBags: Another Great Registry Artifact
- Windows Explorer tracks in the registry when you've opened some folder and changed the way it appears on the desktop so it can be the same next time you open it
- Never cleaned up
- Binary format
- Registry keys include a timestamp, so you can tell a date when the specified folder was accessed.
- Tracks external shares & removable media, so you have a record of the folder structures on them
ShellBags: Another Great Registry Artifact
- Location (XP): NTUSER.DAT Hive
  - HKU\*\Software\Microsoft\Shell\Bags
  - HKU\*\Software\Microsoft\Shell\BagMRU
  - HKU\*\Software\Microsoft\ShellNoRoam\Bags
  - HKU\*\Software\Microsoft\ShellNoRoam\BagMRU
  - HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  - HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
- Location (Vista/7): USRCLASS.DAT Hive
  - HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
  - HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  - HKU\*\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  - HKU\*\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Windows 7 Jump Lists
- Custom Destinations: <profile>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<AppID>.customDestinations-ms
  - File contains embedded .LNK files which can be carved out (LNK header is \x4c\x00\x00\x00\x01\x14\x02, file size is 4 bytes at offset 34h) and analyzed
- Automatic Destinations: <profile>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<AppID>.automaticDestinations-ms
  - Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer, from which .LNK files can be exported directly
Windows 7 Jump Lists
- Replaced the old Quick Launch toolbar from XP
- Allows user to pin a program to the taskbar for similar functionality
- Actual implementation substantially more complicated, similar to & used like the old My Recent Documents shortcuts.
- Recent Items in the Win7 start men	u goes to a folder that contains both shortcuts and Jump Lists
- Another way to note opening or creation of files, or to identify previous existence of deleted or wiped files
- Records file access for specific applications
- Lists can contain up to several hundred items, though only a few are shown
USB Device & Activity Information
- Vendor
- Model
- Version
- Capacity
- Serial Number (most, but not all)
- Last Drive Letter
- Volume Name (filesystem)
- Volume Serial Number (filesystem)
- First Use
- First Use Since Last Reboot
- Last Use
- Other usage timestamps may be in restore points
USB Registry Keys & Values
- HKLM\System\CurrentControlSet\Enum\USBSTOR
  - Subkey named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
  - Product name text may contain capacity and even color
- Under this subkey is another named with the device's unique serial number, if any
  - If the device has no serial number (non-standard-conformant), Windows will create one with an & as the second character.
- Under the serial number key is a value named ParentIdPrefix (Vista/7 only, used to link to other data)
When was USB device first connected?
- Plug and Play Log Files
  - XP: %windir%\setupapi.log
  - Vista/7: %windir%\inf\setupapi.dev.log
- Times in log are in the local timezone for the host
- Look for first entry for device serial number
Artifact Locations for IE (XP)
- Bookmarks/Favorites: <profile>\Favorites
- History (Hidden): <profile>\Local Settings\History\History.IE5
- Cache (Hidden): <profile>\Local Settings\Temporary Internet Files\Content.IE5
- Cookies: <profile>\Cookies
- Downloads: <profile>\Downloads
Artifact Locations for IE (Vista/Win7)
- Bookmarks/Favorites: <profile>\Favorites
- Cookies:
  - <profile>\AppData\Roaming\Microsoft\Windows\Cookies
  - <profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low
- History (Hidden):
  - <profile>\AppData\Local\Microsoft\Windows\History\History.IE5
  - <profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5
- Cache (Hidden):
  - <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
  - <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low
- Downloads: <profile>\Downloads
A word about profile locations
- Not always in C:\Documents and Settings
- Registry configurable default profile locations. Check the following values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\:
  - Default
  - Public
  - ProfilesDirectory
- Builtin account profiles under %Windir% subfolders
  - System: Windows\System32\Config (default=ntuser.dat)
- System account web artifacts = evidence of compromise
Index.dat Files
- Binary format unchanged since IE 4
- Different files use same name & format, but store different data
- Index.dat files exist in multiple places for tracking of:
  - History
  - Cookies
  - Cache Data
- Difficult to remove because always locked, but IE settings can clear entries
- File Signature: Client UrlCache MMF Ver 5.2
- Four byte file size starting at byte 28
Index.dat Record Types
- Four types of record are known (the name of each is also its record signature)
  - URL: indicates URIs that were actually requested
  - REDR: indicates browser was redirected to another site
  - HASH: hash indexes of the contents of the index.dat file (not useful)
  - LEAK: result of attempt to delete entry while associated cache file is open (other mechanisms possible)
IE History
- Designed for URL autocompletion
- Tracks all user browsing history for last 20 days by default
- If browsing history set to 0 days, still kept, but deleted on system shutdown or next day
- Also tracks Explorer access to local files
- For each URL or file, tracks last access timestamp & number of times accessed
Actual History Contents
- Master index.dat file under History.IE5
- Daily, Weekly, or (potentially) Monthly index.dat files under other folders
- Folders are named according to the date span covered by the contained file
- After the 6th day, aggregate daily history content is rolled up into a weekly file
- Actual files and folders cannot be seen in Windows GUI on a live system, but can from the command line using dir /a
Index.dat Record (URL History)
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     Number of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
IE Cache
- Exists to speed up access by using previously obtained local copies of content which has not altered since accessed
- Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldn't have
- Also, the RFCs never formally stated SSL should not be cached
- Can include references to entries that have been removed in the meantime
- Cleared entries are wiped more effectively by IE7 and later
A word about cache usage
- Some RFCs & Microsoft specifications clearly define what is supposed to be cached
  - RFC2616 (HTTP 1.1): cache-response-directive = no-store
  - RFC1945 (HTTP 1.0): entries past expiration date not cached (less clear)
  - MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE
- Developers sometimes misinterpret the meaning of the specifications
  - For instance, no-cache (HTTP 1.1) and Pragma: no-cache (HTTP 1.0) don't mean "do not cache". Both mean "send request for content even if cached"
- Older browser versions were very bad at properly interpreting and enforcing these specifications because of this
Cache Artifacts
- Index.dat file under Content.IE5
- Semirandomly named subfolders contain files with cached content
- Contains entries for cacheable URLs visited, each of which references a file that may or may not still exist
- Original filename with bracketed instance number before .ext
- Folders added in groups of four (if not, investigate why; could be a data hiding location)
FYI: Other Temporary Internet Folders
- Subfolders (not thoroughly researched)
  - AntiPhishing
  - Content.MSO: not sure. Local copy from external document linking in Office?
  - Content.Outlook: attachment files opened directly in Outlook
  - Content.Word: temp files created when Word used as editor for Outlook
  - OLK5432: unknown
  - Others?
Index.dat Record (Cache URL)
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     Number of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
92      4     Last Checked FATTIME
FATTIME
Offset  Size  Description
0       2     date
2       2     time

In little-endian the 16-bit date value corresponds to:
Offset       Size    Description
Bit 0 (LSB)  5 bits  Day of the month
Bit 5        4 bits  Month (0x01 => January)
Bit 9        7 bits  Year (0x00 => 1980)

In little-endian the 16-bit time value corresponds to:
Offset       Size    Description
Bit 0 (LSB)  5 bits  Seconds in 2-second intervals
Bit 5        6 bits  Minutes
Bit 11       5 bits  Hours
IE Cookies
- Cookies exist to add state information to web browser sessions
- Not all sites use them
- Small text files (persistent cookies)
- Session cookies are in memory only
- Included data:
  - Issuing website
  - Account on that site
  - NTFS FILETIMEs
  - Website-specific data in the cookie
- Some cookie values are encrypted or otherwise opaque, some are plaintext
Index.dat Record (Cookie URL)
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
8       8     LastModified FILETIME (URL) (last changed by server)
16      8     LastAccessed FILETIME (URL) (last uploaded)
24      4     Expiration FATTIME
84      4     Hits (times uploaded)
92      4     Last Checked FATTIME
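The two record tables above (cache URL and cookie URL) and the FATTIME layout slide describe the same fixed header. The following is an added example written for this review, not code from the course or from any index.dat tool: it decodes FILETIME and FATTIME exactly as laid out on the slides and reads the header fields of a URL record. The 128-byte sample record is constructed in the code with known timestamps rather than taken from a real index.dat, and the assumption that the 4-byte signature is the ASCII text "URL" padded with a space is noted in a comment.

```python
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if zero."""
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic avoids float rounding."""
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def fattime_to_datetime(raw):
    """4-byte FAT date/time as on the slide: 16-bit date then 16-bit time, both little-endian.
    Returns a naive datetime (FATTIME carries no zone) or None if the field is zero."""
    date, time = struct.unpack('<HH', raw)
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,   # year, month, day
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)      # hour, minute, 2 s units


def datetime_to_fattime(dt):
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack('<HH', date, time)


def parse_url_record(rec):
    """Decode the fixed header of an index.dat URL record (cache or cookie variant).
    Offset 84 is the hit count in cookie records; offsets follow the slide tables."""
    sig = rec[:4]
    if sig != b'URL ':   # assumption: "URL" plus a space; REDR/HASH/LEAK records differ
        raise ValueError('not a URL record: %r' % sig)
    nblocks = struct.unpack_from('<I', rec, 4)[0]
    if nblocks == 0 or len(rec) < nblocks * 128:
        raise ValueError('truncated record: %d blocks claimed, %d bytes given' % (nblocks, len(rec)))
    return {
        'blocks': nblocks,
        'last_modified': filetime_to_datetime(struct.unpack_from('<Q', rec, 8)[0]),
        'last_accessed': filetime_to_datetime(struct.unpack_from('<Q', rec, 16)[0]),
        'expiration': fattime_to_datetime(rec[24:28]),
        'hits': struct.unpack_from('<I', rec, 84)[0],
        'last_checked': fattime_to_datetime(rec[92:96]),
    }


def build_sample_record():
    """Constructed 128-byte record with known timestamps (not from a real index.dat)."""
    rec = bytearray(128)
    rec[0:4] = b'URL '
    struct.pack_into('<I', rec, 4, 1)
    struct.pack_into('<Q', rec, 8, datetime_to_filetime(datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into('<Q', rec, 16, datetime_to_filetime(datetime(2012, 3, 2, 8, 45, 30, tzinfo=timezone.utc)))
    rec[24:28] = datetime_to_fattime(datetime(2012, 6, 15, 14, 30))
    struct.pack_into('<I', rec, 84, 3)
    rec[92:96] = datetime_to_fattime(datetime(2012, 3, 2, 8, 44))
    return bytes(rec)


SAMPLE_RECORD = build_sample_record()

if __name__ == '__main__':
    for name, value in parse_url_record(SAMPLE_RECORD).items():
        print('%-14s %s' % (name, value))
```

Note the asymmetry the slides point at: the two FILETIMEs resolve to UTC with 100 ns resolution, while the FATTIME fields have no time zone and only 2-second resolution, so an expiration or last-checked value should never be reported with more precision than that.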
Sample Google Analytics Tracking Cookie
__utma (timestamps in UNIX epoch time)
Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N
- XXXX: hash of the site's domain
- RRRR: random unique ID for the client (this is what makes it a tracking cookie)
- FFFF: date of first visit to the site (probably following the last clearing of cookies)
- PPPP: timestamp of previous (last) visit
- CCCC: current timestamp
- N: number of sessions since first visit (incremented each time a new session is started after the first)
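As an added example (not from the course material), the field layout above turned into a small decoder: it splits a __utma value, converts the three epoch timestamps to UTC and flags values whose timestamps or session count are not in the order a genuine cookie would have. The sample value is constructed for the example, not captured from a browser.

```python
from datetime import datetime, timezone


def _epoch(field):
    """UNIX epoch seconds as stored in __utma -> aware UTC datetime."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_utma(value):
    """Split XXXX.RRRR.FFFF.PPPP.CCCC.N into named fields and decode the timestamps.
    Raises ValueError for anything that does not have six numeric dot-separated fields."""
    parts = value.strip().split('.')
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError('not a __utma value: %r' % value)
    domain_hash, visitor_id, first, prev, cur, sessions = parts
    rec = {
        'domain_hash': int(domain_hash),
        'visitor_id': visitor_id,        # per-browser random ID: the tracking identifier
        'first_visit': _epoch(first),
        'previous_visit': _epoch(prev),
        'current_visit': _epoch(cur),
        'sessions': int(sessions),
    }
    # A genuine cookie has non-decreasing timestamps and at least one session;
    # anything else suggests a damaged or hand-edited value worth a closer look.
    rec['consistent'] = (rec['first_visit'] <= rec['previous_visit'] <= rec['current_visit']
                         and rec['sessions'] >= 1)
    return rec


# Constructed sample, not a captured cookie: first visit 2012-01-01, last visit 2012-03-01 12:00 UTC
SAMPLE_UTMA = '173272373.1850231984.1325376000.1330560000.1330603200.7'

if __name__ == '__main__':
    for name, value in parse_utma(SAMPLE_UTMA).items():
        print('%-15s %s' % (name, value))
```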
IE Downloads
- Often saved to default locations
  - XP default download folder is defined by the registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory; defaults to the user's desktop
  - Vista/Win7 uses \Downloads\ as the default
- If the file is opened rather than saved, a temp copy is created in the IE cache folder and is never cleaned unless done manually
- IE9 has a separate index.dat for downloads
IE Auto-Complete (other than history)
- The TypedURLs registry key maintains a list of the last 25 URLs typed by the user
  - HKU\*\Software\Microsoft\Internet Explorer\TypedURLs
IE Auto-Complete (other than history)
- Protected Storage (IE4-6; also used by Outlook Express & MSN Explorer)
  - Form autofill field data
  - Accounts & passwords (web, FTP, others)
  - Encrypted on disk but not in memory. Trivial to acquire from a live system, & crackable from a dead one
  - (IE4-6) HKU\*\Software\Microsoft\Protected Storage System Provider\
- (IE7+) HKU\*\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  - Encrypted, but the key is the name of the website, so entries can be recovered offline by trying each candidate URL from the browsing history as the key
Changes in Vista/Win7
- As mentioned previously, file locations have changed
- Protected Mode web browsing is performed as an unprivileged (low-integrity) user
  - This is where the second "Low" filename comes from in the various file artifacts
  - There are two sets because not all operations use Protected Mode
- IE7-9 all support Protected Mode on Vista/Win7
IE8/9 Automatic Crash Recovery
- Complete activity tracking for the current & previous session
- Enabled by default (even in InPrivate mode). Deleted (but often recoverable) when History is cleared
- Information tracked:
  - Tabs open
  - List of websites viewed in each tab, with referrers for each
  - Session end time
  - Time each tab was opened (only if a crash occurred or if for some other reason files are still present in the Active folder)
  - Code from the page
  - Form data & other artifacts
IE8/9 Crash Recovery Folders
- XP (IE8 only)
  - \Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active
  - \Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active
- Vista/Win7
  - Current: \AppData\Local\Microsoft\Internet Explorer\Recovery\Active
  - Previous: \AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active
- Files have a .dat extension & are stored in Structured Storage format
  - Like Jump Lists, they can be examined using MiTeC Structured Storage Viewer
IE8/9 Suggested Sites
- Opt in or out at install time
- Data located in \AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat
- Tracks all sites visited to suggest similar ones
- Does not track local, HTTPS, or InPrivate browsing
- Normally deleted when history is, but may get out of sync. May not be handled by 3rd-party wiping utilities.
SuggestedSites.dat
- Starts out 5 MB in size
- Records include, in order:
  - URL of visited page (null terminated)
  - Title of visited page (null terminated)
  - URL of referring page (null terminated)
  - 5 unknown bytes
  - Windows FILETIME when page visited
- Could probably write a simple Perl or Python script to parse
- Unknown binary format, so view with a hex editor
- Didn't test this myself. All direct data from Internet sources
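The "simple Python script" the slide suggests, written for this review as an added example and not part of the course material. It follows the record layout exactly as the slide describes it (which the slide itself marks as untested), and adds two assumptions of its own, both noted in comments: the three strings are decoded as UTF-8, and a zero byte where the next URL should start is treated as the end of the used area of the pre-allocated file. The input is a constructed byte string, not a real SuggestedSites.dat.

```python
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _read_cstring(buf, pos):
    """Read a NUL-terminated string starting at pos; return (text, position after the NUL)."""
    end = buf.find(b'\x00', pos)
    if end == -1:
        raise ValueError('unterminated string at offset %d' % pos)
    # Assumption: the slide does not state the string encoding; UTF-8 is used here.
    return buf[pos:end].decode('utf-8', errors='replace'), end + 1


def parse_suggested_sites(buf, start=0):
    """Walk consecutive records laid out as the slide describes:
    URL\\0 title\\0 referrer\\0, 5 unknown bytes, 8-byte FILETIME."""
    records = []
    pos = start
    # Assumption: a zero byte where a URL should begin means we have reached the zero fill.
    while pos < len(buf) and buf[pos] != 0:
        url, pos = _read_cstring(buf, pos)
        title, pos = _read_cstring(buf, pos)
        referrer, pos = _read_cstring(buf, pos)
        if pos + 13 > len(buf):       # 5 unknown bytes + 8-byte FILETIME must still fit
            break
        unknown = buf[pos:pos + 5]
        ft, = struct.unpack_from('<Q', buf, pos + 5)
        pos += 13
        records.append({'url': url, 'title': title, 'referrer': referrer,
                        'unknown': unknown.hex(), 'visited': filetime_to_datetime(ft)})
    return records


def _record(url, title, referrer, visited):
    """Build one record in the slide's layout; used only to construct the sample below."""
    d = visited - _FILETIME_EPOCH
    ft = (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10
    return (url.encode() + b'\x00' + title.encode() + b'\x00' + referrer.encode() + b'\x00'
            + b'\x00' * 5 + struct.pack('<Q', ft))


# Constructed sample: two visits followed by zero slack, as a pre-allocated file would have.
SAMPLE_DATA = (
    _record('http://www.example.com/', 'Example Domain', '',
            datetime(2012, 5, 1, 9, 15, tzinfo=timezone.utc))
    + _record('http://www.example.com/about', 'About', 'http://www.example.com/',
              datetime(2012, 5, 1, 9, 16, 30, tzinfo=timezone.utc))
    + b'\x00' * 32
)

if __name__ == '__main__':
    for r in parse_suggested_sites(SAMPLE_DATA):
        print(r['visited'].isoformat(), r['url'], '<-', r['referrer'] or '(none)')
```

Because the layout comes from an untested description, treat the parser's output as a hypothesis to confirm against the hex editor view: if the decoded FILETIMEs fall outside the period the system was in use, the five-byte gap or the string encoding is probably not what the slide says.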
IE8/9 InPrivate (Porn) Browsing Mode
So what's left?
- Recover deleted cache files
- Session Recovery files (& deleted session recovery files)
- Incompletely cleaned remnants from index.dat
- Network traffic or proxy logs
- Data from memory, if you can get it
IE Browser Helper Objects
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.
- Registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (one subkey per CLSID)
- Details of each BHO under HKLM\SOFTWARE\Classes\CLSID\{clsid}\ (the InprocServer32 value gives the DLL path)
- Because a BHO runs inside every IE process, it is a common persistence and injection point for adware and malware; resolve every listed CLSID to its DLL and account for each one
Flash Cookies/Local Shared Objects
- Potentially much larger than regular cookies. Not cleared when they are.
- .SOL file extension
- Usually stored in folders under:
  - Vista/Win7: \AppData\Roaming\Macromedia\Flash Player
  - XP: \Application Data\Macromedia\Flash Player
- Sometimes found in other locations
- Until recent updates, no easy way to clear
Java Downloads
- Another separate application, but potentially runs downloaded code
- Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common
- Cache folder:
  - XP: \Application Data\Sun\Java\Deployment\cache\6.0
  - Vista/Win7: \AppData\LocalLow\Sun\Java\Deployment\cache\6.0 (numbered subfolders beneath it, e.g. \6)
Java Downloads
- IDX files in this cache are Java applet cache indexes
- Included data:
  - Filename
  - URL downloaded from
  - IP of source host
  - Last-modified date
  - Downloaded date
IE8/9 DOM Storage
- HTML 5.0 equivalent to Flash cookies (localStorage / sessionStorage)
- Located in XML files and an index.dat under:
  - XP: \Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore
  - Vista/Win7: \AppData\Local\Microsoft\Internet Explorer\DOMStore
Basic Types of Searching
- Regular: actually searches in real time after the search terms are defined
- Indexed: preprocesses the data to extract indexes of all strings, then uses these indexes to optimize searching
  - Implementations vary & frequently produce false negatives (examples: Nuix, dtSearch, EnCase, FTK)
  - Much faster than regular searches once the index is constructed
  - A very useful tool, but not something to depend on
Composing Search Terms
- Always search for Unicode (UTF-16LE) as well as ASCII. UTF-16LE is used in many places by Windows.
- You may also want to use case-insensitive mode
- Use regular expression syntax to filter out false positives for short keywords, to match values that can't be expressed in normal ASCII, or to match abstract patterns such as credit card numbers, SSNs, or IP addresses
Regular Expressions
Exact supported syntax varies from tool to tool, but in general the following primitives should work:
- .      match any single character
- []     defines a character class, a list of characters inside the brackets which will match in this character position (may contain inclusive ranges such as a-z)
- [^]    defines a negated character class, a list of characters after the caret which will not match in this character position (may contain inclusive ranges such as a-z)
- *      0 or more repeats of the element in the preceding position
- +      1 or more repeats of the element in the preceding position
- ?      0 or 1 repeats of the element in the preceding position
- {m,n}  minimum of m and maximum of n repeats of the element in the preceding position
- ()     grouping of elements
- |      alternation of the preceding and following elements (either/or)
- \      escape of a literal metacharacter such as any of []-^*+?(){}\ in contexts where they would otherwise be interpreted as specified above
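The two slides above (composing search terms, and the regex primitives) in working form, as an added example written for this review rather than course code or any forensic tool's implementation: one bytes pattern that matches a keyword in both ASCII and UTF-16LE with optional case folding, plus patterns for IPv4 addresses, SSNs and card numbers, where the card candidates are filtered with the Luhn check to cut the false positives a bare digit pattern produces. The blob it searches is constructed for the example; the SSN and card values in it are test data, not real identifiers.

```python
import re


def keyword_pattern(keyword, ignore_case=True):
    """One bytes regex matching the keyword as ASCII or as UTF-16LE, the encoding
    Windows uses for registry values, NTFS names and many index files."""
    alternatives = [re.escape(keyword.encode('ascii')),
                    re.escape(keyword.encode('utf-16-le'))]
    flags = re.IGNORECASE if ignore_case else 0    # bytes IGNORECASE folds ASCII letters only
    return re.compile(b'|'.join(alternatives), flags)


def find_keyword(blob, keyword, ignore_case=True):
    """Return (offset, encoding) for each hit; the encoding is inferred from match length."""
    hits = []
    for m in keyword_pattern(keyword, ignore_case).finditer(blob):
        enc = 'ascii' if len(m.group()) == len(keyword) else 'utf-16-le'
        hits.append((m.start(), enc))
    return hits


# Abstract patterns. The (?<!\d) / (?!\d) lookarounds stop a longer digit run from
# yielding a shorter "match" from its middle.
IPV4_RE = re.compile(rb'(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)')
SSN_RE = re.compile(rb'(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)')
CARD_RE = re.compile(rb'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')   # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(blob):
    """Regex candidates filtered with Luhn: the false-positive cut the slide calls for."""
    found = []
    for m in CARD_RE.finditer(blob):
        digits = re.sub(rb'[ -]', b'', m.group()).decode('ascii')
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ipv4(blob):
    return [m.group().decode('ascii') for m in IPV4_RE.finditer(blob)]


def find_ssns(blob):
    return [m.group().decode('ascii') for m in SSN_RE.finditer(blob)]


# Constructed sample: the same name once in ASCII and once in UTF-16LE, one Luhn-valid
# and one invalid 16-digit number, a plausible and an impossible IPv4 address, and an SSN.
SAMPLE_BLOB = (b'\x00\x00user=Administrator;\x00'
               + 'Administrator'.encode('utf-16-le')
               + b'\x00\x00card=4111111111111111;bad=4111111111111112;'
               + b'srv=192.168.1.10;junk=999.1.1.1;ssn=123-45-6789;')

if __name__ == '__main__':
    print('keyword hits :', find_keyword(SAMPLE_BLOB, 'administrator'))
    print('card numbers :', find_card_numbers(SAMPLE_BLOB))
    print('ipv4         :', find_ipv4(SAMPLE_BLOB))
    print('ssns         :', find_ssns(SAMPLE_BLOB))
```

Run case-sensitively, the lowercase keyword finds nothing in this blob, which is exactly the miss the slide warns about; and without the Luhn filter the card pattern would report both 16-digit strings.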
Important Things Extractable from Memory
Registry Keys & Values
Password Hashes
Process List
Loaded DLL lists for each process
Open net connections & sockets
Cmd.exe history
Questions?