INCS712 Lecture 1
COMPUTER
FORENSICS
Course Outline
Reference Books
Instructor
1.
Brian Carrier, “File System Forensic Analysis,”
Addison-Wesley Professional; Edition 1, March 27,
2005.ISBN-10: 0321268172; ISBN-13: 978-03212681.
2.
Sherri Davidoff and Jonathan Ham, “Network
Forensics: Tracking Hackers through Cyberspace,”
Edition 1, Prentice Hall; June 18, 2012.
3.
Harlan Carvey, “Windows Forensic Analysis Toolkit:
Advanced Analysis Techniques for Windows 8”,
Edition 4, Syngress, ISBN-10:9780124171572
4.
Bill Nelson, Amelia Phillips, Christopher Steuart,
Guide to Computer Forensics and Investigations
Processing Digital Evidence.
JUSEOP LIM (jlim10@nyit.edu)
❑
Senior Digital Forensic Examiner
❑
Certified Forensic Examiner
❑
Certified eDiscovery Specialist
❑
Master of INCS (NYIT) 2018
❑
Master of Forensic Computing
(CUNY) 2008
❑
Prosecutor’s Office – Computer
Crime Lab (2008)
❑
Deloitte / Fronteo / DFIFORENSICS
Teaching Assistant
❑
Xuemin Zang(xzang01@nyit.edu)
Class Participation & Discussions
Projects and Assignments
Midterm Exam
Final Exam
10%
30%
30%
30%
2
“
▪ Don’t be late for classes or exams
▪ Required to attend at least 50% of class
▪ Plagiarism or Cheating is not acceptable
3
What is
Computer Forensics
4
Forensics
◉ Derived from Latin term ‘forensis’ which means a public
debate or discussion, forensics in the modern sense implies
courts of law
◉ Forensic science is the application of science and scientific
method to the judicial system.
◉ Forensic scientist will be analyzing and interpreting
evidence, and challenged in court while providing expert
witness testimony.
◉
Toxicology (study of alcohol and drugs) / Serology (study of blood and
other biological fluids) /Questioned document examination
(examination of documents, handwriting comparison, study of inks,
typewriter imprints, counterfeiting etc.) / Chemistry / Firearms
identification and ballistics (study of marks and striations on bullets) /
Hair and fibre analysis
5
Digital Forensics
◉ The application of computer science and investigative
procedures for a legal purpose involving the analysis of
digital evidence after proper search authority, chain of
custody, validation with mathematics, use of validated
tools, repeatability, reporting, and possible expert
presentation.
6
Digital Forensics
Digital Forensic
Incident Response
Computer Forensic
Mobile Forensic
Network Forensic
DB Forensic
Software Forensic
7
Digital Forensics
Enron Scandal (2001)
Unethical practices that the company use accounting limitations
to misrepresent earnings and modify the balance sheet to
indicate favorable performance
▪ Bankruptcy
▪ Shareholders lost $74 billion
▪ Sarbanes-Oxley Act
▪ Damage to Arthur Andersen
FBI Investigation launched
Processed 31 terabytes of data that included 2,300 pieces of
evidence, 600 employee emails, 130 computers, 10 million pages
of documents, more than 3,000 outlook email boxes and 4,500
lotus notes email boxes. It should be pointed out that a terabyte
is equivalent to 250 million pages of text.
8
Enron Investigation
Past adjusted
Earning Statement
File Recovery
Profit Margins
File fragments
Backup Systems
Pay
Inventory
Stock Option
Home PC / Cellphone
Hard drives
Financial Papers
Auditors
journal entries
Invest Holdings
Law firms
Bank Records
Mining for Evidence
Enron Scandal
9
What is Computer Forensics?
◉ Computer Forensics : Determining the past actions that
have taken place on a computer system using computer
forensic techniques.
◉ The collection, preservation, analysis and presentation of
computer-related evidence.
10
What is the Purpose of Computer Forensics?
◉ Computer Forensics retrieve information even if it has been
altered or erased to be used in the pursuit of an attacker or
a criminal.
◉ uses technologies to search for digital evidence of a crime.
11
Typical Investigations
◉ Trade Secret Leakage, Data Breach
◉ Employee Harassment (Power/Sexual)/Discrimination
◉ Fraud (Embezzlement / Kickback / Rebate)
◉ Criminal Cases (Child Pornography / Homicide / Drugs)
◉ Regulations / Compliance (Antitrust/FCPA / SOX / UK
Bribery / AML)
◉ Identity Theft
◉ eDiscovery
12
Media Devices with Potential Data
◉ Desktop and laptop computer
◉ iPads, iPods, etc.
◉ Smartphones and most other cell phones
◉ MP3 music players, CD-ROMs & DVDs
◉ Digital Cameras, Dash cam
◉ USB Memory Devices, Memory cards
◉ Backup Tapes
◉ Server and Network Devices
◉ Cloud and Social Media
13
Computer Forensic Capabilities
◉ Recover deleted files
◉ Identify what external devices were attached to and who
accessed them
◉ Determine what programs were running
◉ Recover webpages
◉ Recover emails and users who read them
◉ Recover chat logs
◉ Determine file servers used
◉ Discover document’s hidden history
◉ Recover phone records and SMS text messages from
mobile devices
◉ Find malware and data collected
◉ …………………….
14
Who uses Computer Forensics?
◉ Public sector - Law Enforcement
◉ Private sector - Computer Forensic Organizations
◉ Military
◉ Computer Security and IT Professionals
◉ Audit firms
15
Law Enforcement
◉ Local, State and Federal levels
◉ Detectives at local levels
◉ State or provincial police
◉ FBI’s Computer Analysis and Response Team (CART)
◉ Regional Computer Forensics Laboratories (RCFLs)
◉ RCMP / VPD
◉ Canada Revenue Agency
◉ British Columbia Securities Commission
◉ Canadian Security Intelligence Service
◉ Independent Investigations Office of BC
◉ Communications Security Establishment
16
Computer Forensic Organizations
◉ The Centre of Forensic Sciences
◉ Computer Forensics Associates
◉ Advanced Forensic Recovery of Electronic Data
◉ New York Computer Forensic Services
◉ DFI Forensics / e-Forensics /ReStoringData
◉ Deloitte / MT3 / Envista / MNP / Cytelligence
17
Military
◉ Test, identify, and gather evidence in the field
o Specialized training in imaging and identifying multiple
sources of electronic evidence
◉ Analyze the evidence for rapid intelligence gathering and
responding to security breach incidents
o Desktop and server forensic techniques
18
Cybersecurity related
◉ Forensics investigators often work as part of a team to
make computers and networks secure, known as the
investigation triad.
19
Cybersecurity related
◉ Vulnerability/threat assessment and risk management
o Tests and verifies the integrity of stand-alone
workstations and network servers
◉ Network intrusion detection and incident response
o Detects intruder attacks by using automated tools and
monitoring network firewall logs
◉ Digital investigations
o Manages investigations and conducts forensics analysis
of systems suspected of containing evidence
20
Developing Digital Forensics Resources
◉ To supplement your knowledge:
o Search the internet to find related organizations,
companies, and rules and regulations.
o Develop and maintain contact with computing,
network, and investigative professionals.
o Follow and/or join computer user groups in both the
public and private sectors.
◉ Example: Forensicfocus.com forum or
Digital Forensics discord channel or
Free webinar by industry leader
21
Crime and
Forensic Investigation
22
Crime and Computer Forensics
◉ Computers can contain information that helps law
enforcement determine
o Chain of events leading to a crime
o Evidence that can lead to a conviction
◉ Information might be protected or encrypted so forensics
tools may be necessary in your investigation
◉ Law enforcement should follow proper procedure when
acquiring evidence
o Digital evidence can be easily altered by an overeager
investigator
23
Taking a Systematic Approach
(Risk mitigation)
◉ Identify the risks
◉ Mitigate or minimize the risks
◉ Test the design
◉ Analyze and recover the digital evidence
◉ Investigate the data you recover
◉ Complete the case report
◉ Critique the case
24
Taking a Systematic Approach
(Typical procedure)
◉ Make an initial assessment about the type of case you are
investigating
◉ Determine a preliminary design or approach to the case
◉ Create a detailed checklist
◉ Determine the resources you need
◉ Obtain and copy an evidence drive
25
Assessing the Case
◉ Systematically outline the case details
o
o
o
o
o
o
Situation
Nature of the case
Specifics of the case
Type of evidence
Known disk format
Location of evidence
◉ Based on these details, you can determine the case
requirements
26
Planning Your Investigation
◉ A basic investigation plan should include the following
activities:
o Acquire the evidence
o Complete an evidence form and establish a chain of
custody
o Transport the evidence to a computer forensics lab
o Secure evidence in an approved secure container
o Prepare your forensics workstation
o Retrieve the evidence from the secure container
o Make a forensic copy of the evidence
o Return the evidence to the secure container
o Process the copied evidence with computer forensics
tools
27
Documenting Your Investigation
◉ An evidence custody form helps you document what has
been done with the original evidence and its forensics
copies
o Also called a chain-of-evidence form
◉ Two types
o Single-evidence form
▪ Lists each piece of evidence on a separate page
o Multi-evidence form
28
Documenting Your Investigation
29
Securing Your Evidence
◉ Use evidence bags to secure and catalog the evidence
◉ Use computer safe products when collecting computer
evidence
o Antistatic bags
o Antistatic pads
◉ Use well padded containers
◉ Use evidence tape to seal all openings
o CD drive bays
o Insertion slots for power supply electrical cords and
USB cables
30
Securing Your Evidence
◉ Write your initials on tape to prove that evidence has not
been tampered with
◉ Consider computer specific temperature and humidity
ranges
o Make sure you have a safe environment for
transporting and storing it until a secure evidence
container is available
31
PRACTICE
32
Understanding of Storages (1/4 )
◎ Type of Disk Drive
1. HDD (Hard Disk Drive)
a)
b)
c)
d)
IDE(PATA)
SATA
SCSI
SAS
SCSI drive
SAS drive
33
Understanding of Storages (2/4)
◎ Type of Disk Drive
2. SSD (Solid State Drive)
a) M.2(NVMe)
b) M.2(NGFF)
c) mSATA
M.2(NGFF)
M.2 (NVMe)
mSATA
34
Understanding of Storages (3/4)
◎ Type of Disk Drive
3. USB (Universal Serial Bus)
35
Understanding of Storages (4/4)
◎ Type of Disk Drive
4. RAID
36
Why do we need to understand the types of storage?
◎ Extraction of data from storage requires
o power supply and data cable connection
o proper interface
37
Why do we need to understand the types of storage?
◎ Extraction of data from storage requires
o power supply and data cable connection
o proper interface
38
Why do we need to understand the types of storage?
◎ Normally carry Gender or Adapter
39
Storage Information
◎ Information to be recorded
40
INCS712 Lecture2
COMPUTER
FORENSICS
Common types of Investigation
2
Internet Abuse Investigations
◉ Internet abuse case
o Improper use of the internet
▪ Cyber-crime
▪ Cyber-bullying
▪ Malware
◉ To conduct an investigation you need:
o
o
o
o
Organization’s Internet proxy server logs
Suspect computer’s IP address
Suspect computer’s disk drive
Your preferred computer forensics analysis tool
3
Internet Abuse Investigations
◉ Recommended steps:
o Use standard forensic analysis techniques and
procedures
o Use appropriate tools to extract all Web page URL
information
o Contact the network firewall administrator and request
a proxy server log
o Compare the data recovered from forensic analysis to
the proxy server log
o Continue analyzing the computer’s disk drive data
4
E-mail Abuse Investigations
◉ E-mail abuse
o Unsolicited sending of spam, third party
advertisements, derogatory language, slander, and
threats via email
◉ To conduct investigation, you need::
o An electronic copy of the offending e-mail that contains
message header data
o If available, e-mail server log records
o For e-mail systems that store users’ messages on a
central server, access to the server
o Access to the computer so that you can perform a
forensic analysis on it
o Your preferred computer forensics analysis tool
5
E-mail Abuse Investigations
◉ Recommended steps:
o Use the standard forensic analysis techniques
o Obtain an electronic copy of the suspect’s and victim’s
e-mail folder or data
o For Web-based e-mail investigations, use tools such as
FTK’s Internet Keyword Search option to extract all
related e-mail address information
o Examine header data of all messages of interest to the
investigation
6
Trade Secret Leakage Investigations
◉ All suspected industrial espionage cases should be treated
as criminal investigations
◉ Staff needed
o Computing investigator who is responsible for disk
forensic examinations
o Technology specialist who is knowledgeable of the
suspected compromised technical data
o Network specialist who can perform log analysis and
set up network sniffers
o Threat assessment specialist (typically an attorney)
7
Trade Secret Leakage Investigations
◉ Guidelines when initiating an investigation
o Determine whether this investigation involves a
possible industrial espionage incident
o Consult with corporate attorneys and upper
management
o Determine what information is needed to substantiate
the allegation
o Generate a list of keywords for disk forensics and sniffer
monitoring
o List and collect resources for the investigation
8
Trade Secret Leakage Investigations
◉ Guidelines (cont’d)
o Determine goal and scope of the investigation
o Initiate investigation after approval from management
◉ Planning considerations
Examine all e-mail of suspected employees
Search Internet newsgroups or message boards
Initiate physical surveillance
Examine facility physical access logs for sensitive areas
Determine suspect location in relation to the
vulnerable asset
o Study the suspect’s work habits
o Collect all incoming and outgoing phone logs
o
o
o
o
o
9
Trade Secret Leakage Investigations
◉ Steps to conducting an industrial espionage case
o Gather all personnel assigned to the investigation and
brief them on the plan
o Gather resources to conduct the investigation
o Place surveillance systems at key locations
o Discreetly gather any additional evidence
o Collect all log data from networks and e-mail servers
o Report regularly to management and corporate
attorneys
o Review the investigation’s scope with management and
corporate attorneys
10
Forensic Fundamental
11
Digital Forensics
◉ The scientific examination and analysis of digital evidence
in such a way that the information can be used as evidence
in a court of law.
◉ Includes:
o
o
o
o
o
Network
Mobile
DB
Computer
Code Analysis
12
Digital Forensic Activities
◉ Digital forensics activities commonly include:
o The secure collection of computer data
o The identification of suspect data
o The examination of suspect data to determine details
such as origin and content
o The presentation of computer-based information to
courts of law
13
The 3 As
◉ The basic methodology consists of the 3 As:
o Acquire the evidence without altering or damaging the
original
o Authenticate the image
o Analyze the data without modifying it
14
Crime Scenes
◉ Physical Crime Scenes vs. Cyber/Digital Crime Scenes
◉ Overlapping principles and fundamentals
◉ The basics of criminalistics are constant across both
physical and digital
◉ Locard’s Exchange Principle applies
o “When a person commits a crime something is always
left at the scene of the crime that was not present when
the person arrived”
15
Digital Crime Scene
◉ Digital Crime Scene
o The electronic environment where digital evidence can
potentially exist (Rogers, 2005)
o Primary & Secondary Digital Scene(s) as well
◉ Digital Evidence
o Digital data that establish that a crime has been
committed, can provide a link between a crime and its
victim, or can provide a link between a crime and the
perpetrator (Carrier & Spafford, 2003)
16
Forensic Principles
◉ Digital/ Electronic evidence is extremely volatile!
◉ Once the evidence is contaminated it cannot be decontaminated!
◉ The courts acceptance is based on the best evidence principle
o With computer data, printouts or other output readable by
sight, and bit stream copies adhere to this principle.
◉ Best Evidence Rule : a rule of evidence that requires an original
document, photograph, or other piece of evidence be introduced
to the court to prove the contents of that same item.
o ensure the court receives unaltered evidence that is legible,
or clearly perceivable in the case of video and audio
recordings.
◉ Chain of Custody is crucial
17
Digital Forensic Principles
◉ The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and
procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that
evidence.
3. When it is necessary for a person to access original digital evidence,
that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of
digital evidence must be fully documented, preserved and available
for review.
5. An Individual is responsible for all actions taken with respect to
digital evidence while the digital evidence is in their possession.
6. Any agency, which is responsible for seizing, accessing, storing or
transferring digital evidence is responsible for compliance with these
principles.
18
PRACTICE
19
Metadata
1. Metadata includes what?
2. File System meta vs Application meta
3. What changes metadata?
Practice (metadata extraction by Exiftool)
1. Make a MS word file and type some words.
2. Save and quit.
3. Open Windows Explorer and go to the file’s properties
4. Open CMD and type ‘exiftool(-k).exe wordfilename’
(exiftool : https://exiftool.org/)
20
Metadata
21
Metadata
Practice (metadata gathering by FTK Imager)
1.
Install and open FTK Imager
2.
File – Add all attached devices
3.
Right click on C drive – Export directory listing – Save a file
(FTK Imager : https://accessdata.com/product-download/ftk-imager-version-4-3-0)
22
❑ M
- Data Content Change Time
Time the data content of a file was last modified
❑ A
- Data Last Access Time
Approximate Time when the file data was last accessed
❑ C
- Metadata Change Time
Time this MFT record was last modified
❑ B
- Metadata Create Time
Time file was created in the volume
23
Metadata
Practice (File copy)
1.
Copy the word file and paste under another folder
2.
Check metadata of copied file
3.
Make a folder, and copy and paste to another location
4.
Check metadata of the folder
5.
Create a new file under the folder
6.
Check metadata of the folder
Source (http://www.forensicswiki.org/wiki/MAC_times)
24
Time Stomping (Anti-Forensic Skill)
Timestomping is a technique that modifies the timestamps of a
file (the modify, access, create, and change times), often to mimic
files that are in the same folder. This is done, for example, on files
that have been modified or created by the adversary so that they
do not appear conspicuous to forensic investigators or file
analysis tools.
You can find more details from
https://www.offensive-security.com/metasploit-unleashed/timestomp/
Source (http://www.forensicswiki.org/wiki/MAC_times)
25
Hash Value & File Signature
Hash Value
• Type – MD5, SHA-1, SHA-256
• Use – Integrity check
• Target – Disk, File, Character…
Target
Data
Hash
Algorithm
Source (http://www.forensicswiki.org/wiki/MAC_times)
Hash Value
128-bit
d41d8cd98f00b204e9800998ecf8427e
26
Hash Value & File Signature
Practice (Hash value calculated by HashMyFiles)
1.
Install HashMyFiles (http://www.nirsoft.net/utils/hash_my_files.html)
2.
Create a text file with notepad
3.
Type anything on the file
4.
Open HashMyFiles – Add file – Choose the created file
5.
Make a copy of the file, and follow step 4 to the new copy
6.
Make one more copy of the file, and type 1 space then save
7.
Follow step 4 to the modified file
Source (http://www.forensicswiki.org/wiki/MAC_times)
27
$ S T A N D A R D _ I N F O R M A T I O N
File
Creation
File
Access
File
Modification
File
Rename
File
Copy
Local
File Move
Volume
File Move
Volume
File Move
File
Deletion
Modified –
Time of File
Creation
Modified –
No Change
Modified –
Time of Data
Modification
Modified –
No Change
Modified –
Inherited
from Original
Modified –
No Change
Modified –
Inherited
from Original
Modified –
Inherited
from Original
Modified –
No Change
Access –
No Change
Access –
No Change
Access –
Time of
File Copy
Access –
No Change
Access –
Time of File
Move via CLI
Access –
Time of
Cut/Paste
Access –
No Change
Access –
Time of Access
Access –
Time of
File Creation
Windows Forensic Analysis
You Can’t Protect What You Don’t Know About
digital-forensics.sans.org
$25.00
DFPS_FOR500_v4.9_4-19
Poster Created by Rob Lee with support of the SANS DFIR Faculty
©2019 Rob Lee. All Rights Reserved.
Windows Artifact Analysis:
Evidence of...
XP:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Win7/8/10:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
Interpretation
• The “*” key – This subkey tracks the most recent files of any extension
input in an OpenSave dialog
• .??? (Three letter extension) – This subkey stores file info from the
OpenSave dialog by specific extension
Email Attachments
Description
The email industry estimates that 80% of email data is stored via
attachments. Email standards only allow text. Attachments must be
encoded with MIME/base64 format.
Location
UserAssist
Description
GUI-based programs launched from the desktop are tracked in
the launcher on a Windows System.
Location
NTUSER.DAT HIVE:
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\
{GUID}\Count
Interpretation
All values are ROT-13 Encoded
•G
UID for XP
- 7 5048700
Active Desktop
•G
UID for Win7/8/10
- C
EBFF5CD
Executable File Execution
- F 4E57C4B
Shortcut File Execution
Windows 10 Timeline
Description
Win10 records recently used applications and files in a
“timeline” accessible via the “WIN+TAB” key. The data is
recorded in a SQLite database.
C:\Users\<profile>\AppData\Local\ConnectedDevices
Platform\L.<profile>\ActivitiesCache.db
%USERPROFILE%\Local Settings\ApplicationData\Microsoft\Outlook
Interpretation
Win7/8/10:
%USERPROFILE%\AppData\Local\Microsoft\Outlook
•A
pplication execution
• Focus count per application
Interpretation
MS Outlook data files found in these locations include OST and PST
files. One should also check the OLK and Content.Outlook folder, which
might roam depending on the specific version of Outlook used. For more
information on where to find the OLK folder this link has a handy chart:
http://www.hancockcomputertech.com/blog/2010/01/06/find-themicrosoft-outlook-temporary-olk-folder
Skype History
Description
• Skype history keeps a log of chat sessions and files transferred from
one machine to another
• This is turned on by default in Skype installations
Location
Metadata –
Time of Data
Modification
Metadata –
Time of
File Rename
Metadata –
Time of
File Copy
Metadata –
Time of Local
File Move
Metadata –
Inherited
from Original
Metadata –
Inherited
from Original
Metadata –
No Change
Creation –
Time of
File Creation
Creation –
No Change
Creation –
No Change
Creation –
No Change
Creation –
Time of
File Copy
Creation –
No Change
Creation –
Time of File
Move via CLI
Creation –
Inherited
from Original
Creation –
No Change
File
Creation
File
Access
File
Modification
File
Rename
File
Copy
Local
File Move
Volume
File Move
Volume
File Move
File
Deletion
Modified –
Time of File
Creation
Modified –
No Change
Modified –
No Change
Modified –
No Change
Modified –
Time of
File Copy
Modified –
No Change
Modified –
Time of Move
via CLI
Modified –
Time of
Cut/Paste
Modified –
No Change
Access –
Time of
File Creation
Access –
No Change
Access –
No Change
Access –
No Change
Access –
Time of
File Copy
Access –
No Change
Access –
Time of Move
via CLI
Access –
Time of
Cut/Paste
Access –
No Change
Metadata –
Time of
File Creation
Metadata –
No Change
Metadata –
No Change
Metadata –
No Change
Metadata –
Time of
File Copy
Metadata –
No Change
Metadata –
Time of Move
via CLI
Metadata –
Time of
Cut/Paste
Metadata –
No Change
Creation –
Time of
File Creation
Creation –
No Change
Creation –
No Change
Creation –
No Change
Creation –
Time of
File Copy
Creation –
No Change
Creation –
Time of Move
via CLI
Creation –
Time of
Cut/Paste
Creation –
No Change
Shimcache
(move via CLI)
RecentApps
Description
GUI Program execution launched on the Win10 system is
tracked in the RecentApps key
Amcache.hve
Description
• Windows Application Compatibility Database is used by
Windows to identify possible application compatibility
challenges with executables.
• Tracks the executables file name, file size, last modified time,
and in Windows XP the last update time
Location
(cut/paste
via Explorer)
Description
ProgramDataUpdater (a task associated with the Application
Experience Service) uses the registry file Amcache.hve to store
data during process creation
Location
Win7/8/10:
Win7/8/10:
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Interpretation
Any executable run on the Windows system could be found
in this key. You can use this key to identify systems that
specific malware was executed on. In addition, based on the
interpretation of the time-based data you might be able to
determine the last time of execution or activity on the system.
• Windows XP contains at most 96 entries
- LastUpdateTime is updated when the files are executed
• Windows 7 contains at most 1,024 entries
- LastUpdateTime does not exist on Win7 systems
Jump Lists
Description
• Amcache.hve – Keys = Amcache.hve\Root\File\{Volume GUID}\#######
• Entry for every executable run, full path information, File’s
$StandardInfo Last Modification Time, and Disk volume the
executable was run from
• First Run Time = Last Modification Time of Key
• SHA1 hash of executable also contained in the key
System Resource Usage Monitor
(SRUM)
Description
Records 30 to 60 days of historical system performance.
Applications run, user account responsible for each, and
application and bytes sent/received per application per hour.
Location
• The Windows 7 task bar (Jump List) is engineered to allow
users to “jump” or access items they have frequently or
recently used quickly and easily. This functionality cannot
only include recent media files; it must also include recent
tasks.
• The data stored in the AutomaticDestinations folder will
each have a unique file prepended with the AppID of the
associated application.
SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions {d10ca2fe-6fcf4f6d-848e-b2e99266fa89} = Application Resource Usage Provider C:\Windows\
System32\SRU\
Interpretation
Use tool such as srum_dump.exe to cross correlate the data
between the registry keys and the SRUM ESE Database.
Win7/8/10:
Location
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
AutomaticDestinations
NTUSER.DAT\Software\Microsoft\Windows\Current Version\Search\RecentApps
Interpretation
Location
Interpretation
Each GUID key points to a recent application.
AppID = Name of Application
LastAccessTime = Last execution time in UTC
LaunchCount = Number of times executed
XP:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
LastVisitedMRU
Win7/8/10:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
LastVisitedPidlMRU
Interpretation
Tracks the application executables used to open files in
OpenSaveMRU and the last file path used.
Prefetch
Description
• Increases performance of a system by pre-loading code
pages of commonly used applications. Cache Manager
monitors all files and directories referenced for each
application or process and maps them into a .pf file. Utilized
to know an application was executed on a system.
• Limited to 128 files on XP and Win7
• Limited to 1024 files on Win8
• (exename)-(hash).pf
Location
WinXP/7/8/10:
Interpretation
• Each .pf will include last time of execution, number of times
run, and device and file handles used by the program
• Date/Time file by that name and path was first executed
- Creation Date of .pf file (-10 seconds)
• Date/Time file by that name and path was last executed
- Embedded last execution time of .pf file
- Last modification date of .pf file (-10 seconds)
- Win8-10 will contain last 8 times of execution
Windows Background Activity Moderator (BAM)
• First time of execution of application.
- Creation Time = First time item added to the AppID file.
• Last time of execution of application w/file open.
- Modification Time = Last time item added to the AppID file.
• List of Jump List IDs ->
http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs
Tracks the specific executable used by an application to open
the files documented in the OpenSaveMRU key. In addition,
each value also tracks the directory location for the last file
that was accessed by that application.
Example: Notepad.exe was last run using the C:\%USERPROFILE%\
Desktop folder
C:\Windows\Prefetch
BAM/DAM
Location
Description
Location
Interpretation
SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility
Description
Win10:
Last-Visited MRU
C:\Windows\AppCompat\Programs\Amcache.hve
XP:
Location
Outlook
XP:
Metadata –
No Change
Program Execution
Open/Save MRU
Location
Metadata –
Time of
File Creation
The “Evidence of...” categories were originally created by SANS Digital Forensics and Incidence Response faculty for
the SANS course FOR500: Windows Forensic Analysis. The categories map a specific artifact to the analysis questions
that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key
Windows artifacts for computer intrusion, intellectual property theft, and other common cyber crime investigations.
File Download
In the simplest terms, this key tracks files that have been opened or
saved within a Windows shell dialog box. This happens to be a big data
set, not only including web browsers like Internet Explorer and Firefox,
but also a majority of commonly used applications.
(cut/paste
via Explorer)
$ F I L E N A M E
P O S T E R
Description
(No Change only
on NTFS Win7+)
(move via CLI)
Win10:
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
Investigative Notes
Provides full path of the executable file that was run on the
system and last execution date/time
XP:
C:\Documents and Settings\<username>\Application\Skype\<skype-name>
Win7/8/10:
C:\%USERPROFILE%\AppData\Roaming\Skype\<skype-name>
Deleted File or File Knowledge
Interpretation
Each entry will have a date/time value and a Skype username associated
with the action.
XP Search – ACMRU
Browser Artifacts
Description
Not directly related to “File Download”. Details stored for each local user
account. Records number of times visited (frequency).
Location
Internet Explorer
• IE8-9:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
• IE10-11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox
• v3-25:
%userprofile%\AppData\Roaming\Mozilla\ Firefox\Profiles\<random text>.default\downloads.sqlite
• v 26+:
%userprofile%\AppData\Roaming\Mozilla\ Firefox\Profiles\<random text>.default\places.sqlite
Table:moz_annos
Chrome:
• Win7/8/10:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
Interpretation
Many sites in history will list the files that were opened from remote
sites and downloaded to the local system. History will record the access
to the file on the website that was accessed via a link.
Downloads
Description
Firefox and IE has a built-in download manager application which keeps
a history of every file downloaded by the user. This browser artifact can
provide excellent information about what sites a user has been visiting
and what kinds of files they have been downloading from them.
Location
Firefox:
• XP:
%userprofile%\Application Data\Mozilla\ Firefox\Profiles\<random text>.default\downloads.sqlite
• Win7/8/10:
%userprofile%\AppData\Roaming\Mozilla\ Firefox\Profiles\<random text>.default\downloads.sqlite
Internet Explorer:
• IE8-9:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\ IEDownloadHistory\
• IE10-11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\ WebCacheV*.dat
Description
You can search for a wide range of information through the
search assistant on a Windows XP machine. The search assistant
will remember a user’s search terms for filenames, computers,
or words that are inside a file. This is an example of where
you can find the “Search History” on the Windows system.
Location
Search – WordWheelQuery
Description
NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru\####
Interpretation
• Search the Internet – ####=5001
•A
ll or part of a document name – ####=5603
• A word or phrase in a file – ####=5604
• Printers, Computers and People – ####=5647
Thumbcache
Location
C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
Interpretation
• T hese are created when a user switches a folder to
thumbnail mode or views pictures via a slide show. As it
were, our thumbs are now stored in separate database files.
Win7+ has 4 sizes for thumbnails and the files in the cache
folder reflect this:
- 32 -> small
- 96 -> medium
- 256 -> large
- 1024 -> extra large
• T he thumbcache will store the thumbnail copy of the picture
based on the thumbnail size in the content of the equivalent
database file.
Location
Win7/8/10 NTUSER.DAT Hive
Automatically created anywhere with homegroup enabled
Interpretation
Keywords are added in Unicode and listed in temporal order
in an MRUlist
Automatically created anywhere and accessed via a UNC Path
(local or remote)
Win7/8/10 Recycle Bin
Interpretation
Include:
• Thumbnail Picture of Original Picture
• Document Thumbnail – Even if Deleted
• Last Modification Time (XP Only)
• Original Filename (XP Only)
Description
The recycle bin is a very important location on a Windows file
system to understand. It can help you when accomplishing
a forensic investigation, as every file that is deleted from a
Windows recycle bin aware program is generally first put in
the recycle bin.
IE|Edge file://
Location
Hidden System Folder
Description
Win7/8/10
A little-known fact about the IE History is that the information
stored in the history files is not just related to Internet
browsing. The history also records local and remote (via
network shares) file access, giving us an excellent means for
determining which files and applications were accessed on
the system, day by day.
• C:\$Recycle.bin
• Deleted Time and Original Filename contained in separate
files for each deleted recovery file
• SID can be mapped to user via Registry Analysis
• Win7/8/10
- Files Preceded by $I###### files contain
• Original PATH and name
• Deletion Date/Time
- Files Preceded by $R###### files contain
• Recovery Data
Location
Internet Explorer:
IE6-7
%USERPROFILE%\LocalSettings\History\History.IE5
IE8-9
%USERPROFILE%\AppData\Local\Microsoft\WindowsHistory\History.IE5
IE10-11
XP
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
LastVisitedMRU
Win7/8/10
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
LastVisitedPidlMRU
Interpretation
Tracks the application executables used to open files in
OpenSaveMRU and the last file path used.
XP Recycle Bin
Description
The recycle bin is a very important location on a Windows file
system to understand. It can help you when accomplishing
a forensic investigation, as every file that is deleted from a
Windows recycle bin aware program is generally first put in
the recycle bin.
Location
Hidden System Folder
Interpretation
Windows XP
• C:\RECYCLER” 2000/NT/XP/2003
• Subfolder is created with user’s SID
• Hidden file in directory called “INFO2”
• INFO2 Contains Deleted Time and Original Filename
• Filename in both ASCII and UNICODE
Interpretation
• SID can be mapped to user via Registry Analysis
•M
aps file name to the actual name and path it was deleted from
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation
• Stored in index.dat as: file:///C:/directory/filename.ext
• Does not mean file was opened in browser
OP ER AT ING SYST EM & D EVICE IN- D EP T H
Downloads will include:
• Filename, Size, and Type
• Download from and Referring Page
• File Save Location
• Application Used to Open File
• Download Start and End Times
FOR526
FOR498
Advanced Memory
Forensics &
Threat Detection
Battlefield
Forensics & Data
Acquisition
ADS Zone.Identifer
Description
FOR585
FOR500
@sansforensics
sansforensics
Smartphone
Forensic Analysis
In-Depth
Windows Forensics
GCFE
Interpretation
Files with an ADS Zone.Identifier and contains ZoneID=3 were downloaded
from the Internet
• URLZONE_TRUSTED = ZoneID = 2
• URLZONE_INTERNET = ZoneID = 3
• URLZONE_UNTRUSTED = ZoneID = 4
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Location
Description
Thumbnails of pictures, office documents, and folders exist in
a database called the thumbcache. Each user will have their
own database based on the thumbnail sizes viewed by the
user (small, medium, large, and extra-larger)
Location
Tracks the specific executable used by an application to open
the files documented in the OpenSaveMRU key. In addition,
each value also tracks the directory location for the last file
that was accessed by that application.
Keywords searched for from the START menu bar on a
Windows 7 machine.
Win7/8/10
Last-Visited MRU
Description
Description
Hidden file in directory where images on machine exist stored
in a smaller thumbnail graphics. thumbs.db catalogs pictures
in a folder and stores a copy of the thumbnail even if the
pictures were deleted.
WinXP/Win8|8.1
Interpretation
Starting with XP SP2 when files are downloaded from the “Internet Zone”
via a browser to a NTFS volume, an alternate data stream is added to the
file. The alternate data stream is named “Zone.Identifier.”
Thumbs.db
INCID ENT RESPO NSE & THREAT HUNTING
FOR508
FOR572
FOR578
FOR610
GCTI
GREM
Advanced Incident
Response, Threat
Hunting, and Digital
Forensics GCFA
Cyber Threat Intelligence
GASF
FOR518
dfir.to/MAIL-LIST
dfir.to/DFIRCast
Mac and iOS
Forensic Analysis
and Incident
Response
SEC504
Advanced Network
Forensics: Threat Hunting,
Analysis, and Incident
Response GNFA
REM: Malware Analysis
Hacker Tools, Techniques,
Exploits, and Incident Handling
GCIH
Network Activity/Physical Location
Timezone
Network History
Description
Browser Search Terms
Description
Identifies the current system time zone.
• Identify networks that the computer has been connected to
• Networks could be wireless or wired
• Identify domain name/intranet name
• Identify SSID
• Identify Gateway MAC Address
Location
SYSTEM Hive:
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Interpretation
• Time activity is incredibly useful for correlation of activity
• Internal log files and date/timestamps will be based on the
system time zone information
•Y
ou might have other network devices and you will need to
correlate information to the time zone information collected here.
Location
Win7/8/10 SOFTWARE HIVE:
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Interpretation
Cookies
• Identifying intranets and networks that a computer has
connected to is incredibly important
• Not only can you determine the intranet name, you can
determine the last time the network was connected to it based
on the last write time of the key
• This will also list any networks that have been connected to via
a VPN
•M
AC Address of SSID for Gateway could be physically triangulated
Description
Cookies give insight into what websites have been visited and
what activities may have taken place there.
Location
Internet Explorer
• IE6-8:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE10:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
Firefox
• XP:
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\
cookies.sqlite
•W
in7/8/10:
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
cookies.sqlite
Chrome
• XP:
%USERPROFILE%\Local Settings\ApplicationData\Google\Chrome\User Data\Default\
Local Storage
•W
in7/8/10:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Description
Records websites visited by date and time. Details stored for each
local user account. Records number of times visited (frequency).
Also tracks access of local system files. This will also include the
website history of search terms in search engines.
Location
Internet Explorer
• IE6-7:
%USERPROFILE%\Local Settings\History\History.IE5
• IE8-9:
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
• IE10-11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox
• XP:
%userprofile%\Application Data\Mozilla\Firefox\Profiles\
<randomtext>.default\places.sqlite
• Win7/8/10:
%userprofile%\AppData\Roaming\Mozilla\Firefox\
Profiles\<randomtext>.default\places.sqlite
System Resource Usage
Monitor (SRUM)
WLAN Event Log
Description
Determine what wireless networks the system associated with and
identify network characteristics to find location
Relevant Event IDs
• 11000 – Wireless network association started
• 8001 – Successful connection to wireless network
• 8002 – Failed connection to wireless network
• 8003 – Disconnect from wireless network
• 6100 – Network diagnostics (System log)
Location
Microsoft-Windows-WLAN-AutoConfig Operational.evtx
Interpretation
• Shows historical record of wireless network connections
• Contains SSID and BSSID (MAC address), which can be used to
geolocate wireless access point *(no BSSID on Win8+)
Description
Records 30 to 60 days of historical system performance.
Applications run, user account responsible for each,
and application and bytes sent/received per application
per hour.
Location
SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions
{973F5D5C-1D90-4944-BE8E-24B94231A174} = Windows Network Data Usage Monitor
{DD6636C4-8929-4683-974E-22C046A43763} = Windows Network Connectivity Usage
Monitor
SOFTWARE\Microsoft\WlanSvc\Interfaces\
C:\Windows\System32\SRU\
Interpretation
Use tool such as srum_dump.exe to cross correlate the data between
the registry keys and the SRUM ESE Database.
File/Folder Opening
Open/Save MRU
Account Usage
Shell Bags
Description
In the simplest terms, this key tracks files that have been opened or
saved within a Windows shell dialog box. This happens to be a big
data set, not only including web browsers like Internet Explorer and
Firefox, but also a majority of commonly used applications.
Description
• Which folders were accessed on the local machine, the network,
and/or removable devices. Evidence of previously existing
folders after deletion/overwrite. When certain folders were
accessed.
Location
Location
XP:
Explorer Access:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
OpenSaveMRU
Last-Visited MRU
• USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
• USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Win7/8/10:
Desktop Access:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
OpenSavePIDlMRU
• NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
• NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Interpretation
• The “*” key – This subkey tracks the most recent files of any
extension input in an OpenSave dialog
• .??? (Three letter extension) – This subkey stores file info from
the OpenSave dialog by specific extension
Recent Files
Description
Tracks the specific executable used by an application to open
the files documented in the OpenSaveMRU key. In addition, each
value also tracks the directory location for the last file that was
accessed by that application.
Example: Notepad.exe was last run using the
C:\Users\Rob\Desktop folder
Location
XP:
Win7/8/10:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
LastVisitedPidlMRU
Interpretation
Stores information about which folders were most recently
browsed by the user.
Shortcut (LNK) Files
Registry Key that will track the last files and folders opened and
is used to populate data in “Recent” menus of the Start menu.
Location
• Shortcut Files automatically created by Windows
- Recent Items
-O
pening local and remote data files and documents will
generate a shortcut file (.lnk)
Location
NTUSER.DAT:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
XP:
Interpretation
Win7/8/10:
• C:\%USERPROFILE%\Recent
• RecentDocs – Overall key will track the overall order of the
last 150 files or folders opened. MRU list will keep track of the
temporal order in which each file/folder was opened. The last
entry and modification time of this key will be the time and
location the last file of a specific extension was opened.
• .??? – This subkey stores the last files with a specific extension
that were opened. MRU list will keep track of the temporal
order in which each file was opened. The last entry and
modification time of this key will be the time when and location
where the last file of a specific extension was opened.
• Folder – This subkey stores the last folders that were opened.
MRU list will keep track of the temporal order in which each
folder was opened. The last entry and modification time of this
key will be the time and location of the last folder opened.
Interpretation
Tracks the application executables used to open files in
OpenSaveMRU and the last file path used.
Jump Lists
Interpretation
• Date/Time file of that name was first opened
- Creation Date of Shortcut (LNK) File
• Date/Time file of that name was last opened
- Last Modification Date of Shortcut (LNK) File
• LNKTarget File (Internal LNK File Information) Data:
- Modified, Access, and Creation times of the target file
- Volume Information (Name, Type, Serial Number)
- Network Share information
- Original Location
- Name of System
Description
• The Windows 7 task bar (Jump List) is engineered to allow users
to “jump” or access items have frequently or recently used
quickly and easily. This functionality cannot only include recent
media files; it must also include recent tasks.
• The data stored in the AutomaticDestinations folder will each
have a unique file prepended with the AppID of the association
application and embedded with LNK files in each stream.
Prefetch
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Increases performance of a system by pre-loading code pages
of commonly used applications. Cache Manager monitors all
files and directories referenced for each application or process
and maps them into a .pf file. Utilized to know an application
was executed on a system.
• Limited to 128 files on XP and Win7
• Limited to 1024 files on Win8-10
• (exename)-(hash).pf
Interpretation
Location
Location
Win7/8/10:
• Using the Structured Storage Viewer, open up one of the
AutomaticDestination jumplist files.
• Each one of these files is a separate LNK file. They are also
stored numerically in order from the earliest one (usually 1) to
the most recent (largest integer value).
WinXP/7/8/10:
Interpretation
Logon Events can give us very specific information regarding
the nature of account authorizations on a system if we know
where to look and how to decipher the data that we find. In
addition to telling us the date, time, username, hostname, and
success/failure status of a logon, Logon Events also enables us
to determine by exactly what means a logon was attempted.
• Only the last login time will be stored in the registry key
Location
Location
• C:\windows\system32\config\SAM
Key Identification
Description
A little known fact about the IE History is that the information
stored in the history files is not just related to Internet browsing.
The history also records local, removable, and remote (via
network shares) file access, giving us an excellent means for
determining which files and applications were accessed on the
system, day by day.
Internet Explorer:
• IE6-7:
%USERPROFILE%\Local Settings\History\ History.IE5
• IE8-9:
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
• IE10-11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation
• Stored in index.dat as: file:///C:/directory/filename.ext
• Does not mean file was opened in browser
Description
Lists the last time the password of a specific local user has been
changed.
Location
• C:\windows\system32\config\SAM
MS Office programs will track their own Recent Files list to make
it easier for users to remember the last file they were editing.
NTUSER.DAT\Software\Microsoft\Office\VERSION
• 14.0 = Office 2010
• 11.0 = Office 2003
• 12.0 = Office 2007
• 10.0 = Office XP
NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU
• 15.0 = Office 365
Interpretation
Similar to the Recent Files, this will track the last files that were
opened by each MS Office application. The last entry added, per
the MRU, will be the time the last file was opened by a specific
MS Office application.
• Can examine each .pf file to look for file handles recently used
•C
an examine each .pf file to look for device handles recently used
Track USB devices plugged into a machine.
Location
• S YSTEM\CurrentControlSet\Enum\USBSTOR
• S YSTEM\CurrentControlSet\Enum\USB
Interpretation
• Identify vendor, product, and version of a USB device
plugged into a machine
• Identify a unique USB device plugged into the machine
•D
etermine the time a device was plugged into the
machine
•D
evices that do not have a unique serial number will
have an “&” in the second character of the serial number.
Description
First/Last Times
Determine temporal usage of specific USB devices
connected to a Windows Machine.
Location First Time
Plug and Play Log Files
C:\Windows\setupapi.log
Win7/8/10:
Interpretation
• Search for Device Serial Number
• Log File times are set to local time zone
Location First, Last, and Removal Times
(Win7/8/10 Only)
System Hive:
\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\
{83da6326-97a6-4088-9453-a19231573b29}\####
0064 = First Install (Win7-10)
0066 = Last Connected (Win8-10)
0067 = Last Removal (Win8-10)
User
Find User that used the Unique USB Device.
Location
• L ook for GUID from SYSTEM\MountedDevices
• N TUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
MountPoints2
Interpretation
Location System Log File
Win7/8/10:
%system root%\System32\winevt\logs\System.evtx
Interpretation
•E
vent ID: 20001 – Plug and Play driver
install attempted
•E
vent ID 20001
• Timestamp
•D
evice information
•D
evice serial number
• Status (0 = no errors)
Description
C:\Windows\inf\setupapi.dev.log
Description
When a Plug and Play driver install is
attempted, the service will log an ID
20001 event and provide a Status within
the event. It is important to note that
this event will trigger for any Plug and
Play-capable device, including but not
limited to USB, Firewire, and PCMCIA
devices.
Volume Serial
Number
XP:
This GUID will be used next to identify the user that
plugged in the device. The last write time of this key
also corresponds to the last time the device was
plugged into the machine by that user. The number
will be referenced in the user’s personal mountpoints
key in the NTUSER.DAT Hive.
Drive Letter and
Volume Name
Location Security Log
%SYSTEM ROOT%\System32\winevt\logs\Security.evtx
Interpretation
• Win7/8/10 – Interpretation
- Event ID 4778 – Session Connected/Reconnected
- Event ID 4779 – Session Disconnected
• Event log provides hostname and IP address of remote
machine making the connection
• On workstations you will often see current console session
disconnected (4779) followed by RDP connection (4778)
• Analyze logs for suspicious services running at boot time
• Review services started or stopped around the time of a
suspected compromise
Location
Discover the Volume Serial Number of
the Filesystem Partition on the USB.
(NOTE: This is not the USB Unique Serial
Number, which is hardcoded into the
device firmware.)
Location
• S OFTWARE\Microsoft\Windows Portable Devices\Devices
• S YSTEM\MountedDevices
- Examine Drive Letters looking at Value
Data Looking for Serial Number
Interpretation
Identify the USB device that was last mapped
to a specific drive letter. This technique will
only work for the last drive mapped. It does
not contain historical records of every drive
letter mapped to a removable drive.
Shortcut (LNK) Files
Description
Shortcut files automatically created by Windows
• Recent Items
•O
pen local and remote data files and
documents will generate a shortcut file (.lnk)
Location
• S OFTWARE\Microsoft\WindowsNT\CurrentVersion\
ENDMgmt
•U
se Volume Name and USB Unique
Serial Number to:
- F ind last integer number in line
-C
onvert Decimal Serial Number into
Hex Serial Number
XP:
Interpretation
•D
ate/Time file of that name was first opened
- Creation Date of Shortcut (LNK) File
• Date/Time file of that name was last opened
- Last Modification Date of Shortcut (LNK) File
• L NKTarget File (Internal LNK File
Information) Data:
-M
odified, Access, and Creation times of the
target file
-V
olume Information (Name, Type, Serial
Number)
- Network Share information
- Original Location
- Name of System
•K
nowing both the Volume Serial
Number and the Volume Name,
you can correlate the data across
SHORTCUT File (LNK) analysis and the
RECENTDOCs key.
• T he Shortcut File (LNK) contains the
Volume Serial Number and Name
•R
ecentDocs Registry Key, in most
cases, will contain the volume name
when the USB device is opened via
Explorer
• %USERPROFILE%\Recent
Win7/8/10
• %USERPROFILE%\AppData\Roaming\Microsoft\Windows\
Recent
• %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent
Interpretation
Authentication Events
Authentication mechanisms
Location
Recorded on system that authenticated credentials
Local Account/Workgroup = on workstation
Domain/Active Directory = on domain controller
Win7/8/10:
%SYSTEM ROOT%\System32\winevt\logs\Security.evtx
Interpretation
Event ID Codes (NTLM protocol)
• 4776: Successful/Failed account authentication
Event ID Codes (Kerberos protocol)
• 4768: Ticket Granting Ticket was granted (successful logon)
• 4769: Service Ticket requested (access to server resource)
• 4771: Pre-authentication failed (failed logon)
Success/Fail Logons
All Event IDs reference the System Log
7034 – Service crashed unexpectedly
7035 – Service sent a Start/Stop control
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)
7045 – A service was installed on the system (Win2008R2+)
4697 – A service was installed on the system (from Security log)
Description
Interpretation
• Win7/8/10 – Interpretation
• 4624 – Successful Logon
• 4625 – Failed Logon
• 4634 | 4647 – Successful Logoff
• 4648 – Logon using explicit credentials (Runas)
• 4672 – Account logon with superuser rights (Administrator)
• 4720 – An account was created
• All Event IDs except 4697 reference the System Log
• A large amount of malware and worms in the wild utilize
Services
• Services started on boot illustrate persistence (desirable in
malware)
• Services can crash due to attacks like process injection
Determine which accounts have been used for attempted
logons. Track account usage for known compromised accounts.
Location
Win7/8/10:
%system root%\System32\winevt\logs\Security.evtx
Interpretation
Browser Usage
History
Description
Location
Win7/8/10:
Logon via console
Network Logon
Batch Logon
Windows Service Logon
Credentials used to unlock screen
Network logon sending credentials (cleartext)
Different credentials used than logged on user
Remote interactive logon (RDP)
Cached credentials used to logon
Cached remote interactive (similar to Type 10)
Cached unlock (similar to Type 7)
Description
Win7/8/10:
Location
• Find ParentIdPrefix – SYSTEM\CurrentControlSet\Enum\
USBSTOR
• Using ParentIdPrefix Discover Last Mount Point
– SYSTEM\MountedDevices
Explanation
2
3
4
5
7
8
9
10
11
12
13
Track Remote Desktop Protocol logons to target machines.
Description
XP:
Logon Type
Description
Records websites visited by date and time. Details stored
for each local user account. Records number of times
visited (frequency). Also tracks access of local system files.
Discover the last drive letter of the USB
Device when it was plugged into the machine.
Interpretation
RDP Usage
Description
Description
Interpretation
PnP Events
Win7/8/10:
Event ID 4624
• SAM\Domains\Account\Users
Services Events
Office Recent Files
C:\Windows\Prefetch
Description
• SAM\Domains\Account\Users
Last Password Change
External Device/USB Usage
Description
Description
• Only the last password change time will be stored in the
registry key
Location
Description
Lists the local accounts of the system and their equivalent
security identifiers.
Logon Types
Interpretation
IE|Edge file://
Location
• C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
• C:\%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\
Note these are primary locations of LNK files. They can also be
found in other locations.
Description
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
LastVisitedMRU
Description
Description
Last Login
Internet Explorer
• IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\
History.IE5
• IE10, 11, Edge: %USERPROFILE%\AppData\Local\Microsoft\Windows\
WebCache\WebCacheV*.dat
Firefox
• X P: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random
text>.default\places.sqlite
• W
in7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\
Profiles\<random text>.default\places.sqlite
Chrome
• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User
Data\Default\History
• W
in7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\
Default\History
Cookies
Description
Cookies give insight into what websites have been visited
and what activities may have taken place there.
Location
Internet Explorer
• IE8-9: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE10: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE11: %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
• Edge: %USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_<APPID>\AC\MicrosoftEdge\Cookies
Firefox
• XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random
text>.default\cookies.sqlite
• W
in7/8/10: %
USERPROFILE%\AppData\Roaming\Mozilla\Firefox\
Profiles\<randomtext>.default\cookies.sqlite
Chrome
• X P: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User
Data\Default\Local Storage\
• W
in7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\
Default\Local Storage\
Cache
Description
• The cache is where web page components can be stored
locally to speed up subsequent visits
• Gives the investigator a “snapshot in time” of what a
user was looking at online
- Identifies websites which were visited
- Provides the actual files the user viewed on a given
website
- Cached files are tied to a specific local user account
- T imestamps show when the site was first saved and last
viewed
Location
Internet Explorer
• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary
Internet Files\Content.IE5
• IE10: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary
Internet Files\Content.IE5
• IE11: %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE
• Edge: %USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_<APPID>\AC\MicrosoftEdge\Cache
Firefox
• XP: %USERPROFILE%\Local Settings\ApplicationData\Mozilla\Firefox\
Profiles\<randomtext>.default\Cache
• W
in7/8/10: %USERPROFILE%\AppData\Local\Mozilla\Firefox\
Profiles\<randomtext>.default\Cache
Chrome
• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User
Data\Default\Cache - data_# and f_######
• W
in7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\
Default\Cache\ - data_# and f_######
Flash & Super Cookies
Description
Local Stored Objects (LSOs), or Flash Cookies, have
become ubiquitous on most systems due to the extremely
high penetration of Flash applications across the Internet.
They tend to be much more persistent because they do
not expire, and there is no built-in mechanism within the
browser to remove them. In fact, many sites have begun
using LSOs for their tracking mechanisms because they
rarely get cleared like traditional cookies.
Location
Win7/8/10:
%APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects\<randompr
ofileid>
Interpretation
• Websites visited
• User account used to visit the site
• When cookie was created and last accessed
Session Restore
Description
Automatic Crash Recovery features built into the browser.
Location
Internet Explorer
Win7/8/10: %USERPROFILE%/AppData/Local/Microsoft/Internet Explorer/
Recovery
Firefox
Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\
Profiles\<randomtext>.default\sessionstore.js
Chrome
Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\
Default\
Files = Current Session, Current Tabs, Last Session, Last Tabs
Interpretation
• Historical websites viewed in each tab
• Referring websites
• Time session ended
• Modified time of .dat files in LastActive folder
• Time each tab opened (only when crash occurred)
• Creation time of .dat files in Active folder
Google Analytics Cookies
Description
Google Analytics (GA) has developed an extremely
sophisticated methodology for tracking site visits, user
activity, and paid search. Since GA is largely free, it has a
commanding share of the market, estimated at over 80%
of sites using traffic analysis and over 50% of all sites.
__utma – Unique visitors
• Domain Hash
• Visitor ID
• Cookie Creation Time
• Time of 2nd most
recent visit
• Time of most recent visit
• Number of visits
__utmb – Session tracking
• Domain hash
• Page views in current session
• Outbound link clicks
• Time current session started
__utmz – Traffic sources
• Domain Hash
• Last Update time
• Number of visits
• Number of different types of visits
• Source used to access site
• Google Adwords campaign name
• Access Method (organic, referral, cpc, email, direct)
• Keyword used to find site (non-SSL only)
INCS712 Lecture3
COMPUTER
FORENSICS
Forensic Analysis
2
Preparing a Digital Forensics Investigation
◉ The role of digital forensics professional is to
o Gather evidence to prove that a suspect committed a
o
o
o
o
crime or violated a company policy
Collect evidence that can be offered in court or at a
corporate inquiry
Preserve the evidence on a different computer
Investigate the suspect’s computer
Present the findings
◉ Chain of custody
o Route the evidence takes from the time you find it until
the case is closed or goes to court
Important Factors
◉ Legal procedures
o Not compromising evidence
◉
◉
◉
◉
◉
Treat every piece of evidence as it will be used in court
Documentation
Chain of Custody
Write Blocker
Imaging
o Bit by bit copy of a piece of electronic media (Hard
drive)
What Should be Avoided During an Investigation?
◉ Changing data
o Changing time or date stamps
o Changing files
◉ Overwriting unallocated disk space
o This can happen when re-booting
Common Computer Forensic Software
◉ OpenText(Guidance Software) - EnCase Forensic
◉ Accessdata - FTK
◉ X-Ways
◉ Cellebrite - UFED
◉ MSAB - XRY
◉ Blackbag - MacQuisition
◉ Magnet - Axiom
◉ Oxygen Forensics
◉ Griffeye
◉ Nuix
EnCase Forensic
◉ Acquisition
◉ Reporting
◉ EnScript :
o Scripting facility
o Various API's for interacting with evidence
◉ Collect, Analyze and examine data
o Deleted files
o Unallocated space
o File slack
◉ Duplicates of original data (Imaging)
o Accuracy can be verified by hash and Cyclic
Redundancy Check values
EnCase Forensic
◉ Many operating systems
o
o
o
o
Windows
Linux
Apple iOS
Sun/Oracle Solaris
◉ Supported smartphones
◉ Recommended to run on Window operating system
EnCase Forensic
File Signatures
EnCase Gallery
EnCase Document View
Deleted Files
Investigation Search
14
Perform a Search
◉ Raw Search
o A search based on keywords that search the entire
drive for a match
o Slow process on larger drives
◉ Indexed Search
o A search that requires the drive to be indexed
o Indexing can take a long time
o Searches are instantaneous
Indexed Search
Bookmark Specific Evidence
◉ Bookmark Findings
o
o
o
o
o
o
o
Raw Text Bookmarks
Data Structure Bookmarks
Notable File Bookmarks
Multiple Notable File Bookmarks
Note Bookmarks
Table Bookmarks
Transcript Bookmarks
Bookmark Screen
Tools and Approaches
19
Understanding Forensic Workstations and
Software
◉ Investigations are conducted in a computer forensics lab
◉ Computer forensics workstation
o A specially configured PC
o Loaded with additional bays and forensics software
◉ To avoid altering the evidence use:
o Write-blockers devices
o Enable you to boot to Windows without writing data to
the evidence drive
Setting Up Your Workstation for Digital Forensics
◉ Basic requirements
o
o
o
o
o
o
o
A workstation running Windows 10 or newer OS
A write-blocker device
Digital forensics acquisition tool
Digital forensics analysis tool
Target drive to receive the source or suspect disk data
Spare PATA and/or SATA ports
USB ports
Setting Up Your Workstation for Digital Forensics
◉ Additional useful items
o
o
o
o
o
o
o
o
Network interface card (NIC)
Extra USB ports
FireWire 400/800 ports
SCSI (Small Computer System Interface) card
Disk editor tool
Text editor tool
Graphics viewer program
Other specialized viewing tools
Understanding Forensic Workstations and
Software
Understanding Forensic Workstations and
Software
Setting Up Your Workstation for Digital Forensics
◉ Disable Autorun / Autoplay
◉ Make USB devices read-only
◉ Disable automount
◉ Disable search indexing
◉ Patching and verification
◉ Carefully consider antivirus / antimalware program
◉ Show hidden file / extension
◉ Power Management Off
◉ Disable Windows Updates
https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/
Gathering Resources
◉ Gather resources identified in investigation plan
◉ Items needed
Original storage media
Evidence custody form
Evidence container for the storage media
Imaging tool
Forensic workstation to copy and examine your
evidence
o Securable evidence locker, cabinet, or safe
o
o
o
o
o
Collecting the Evidence
◉ Avoid damaging the evidence
◉ Steps
o
o
o
o
o
o
Meet the IT manager to interview him or her
Fill out the evidence form, have the IT manager sign it
Place the evidence in a secure container
Carry the evidence to the computer forensics lab
Complete the evidence custody form
Secure evidence by locking the container
Completing the Case
◉ You need to produce a final report
o State what you did and what you found
◉ Repeatable findings
o Repeat the steps and produce the same result
◉ If required, use a report template
◉ Report should show conclusive evidence
Completing the Case
◉ Keep a written journal of everything you do
o Your notes can be used in court
◉ Answer the six Ws:
o Who, what, when, where, why, and how
◉ You must also explain computer and network processes
Critiquing the Case
◉ Ask yourself the following questions:
o How could you improve your performance in the case?
o Did you expect the results you found? Did the case
develop in ways you did not expect?
o Was the documentation as thorough as it could have
been?
o What feedback has been received from the requesting
source?
Critiquing the Case
◉ Ask yourself the following questions (cont’d):
o Did you discover any new problems? If so, what are
they?
o Did you use new techniques during the case or during
research?
PRACTICE
32
Autopsy Forensic Analyzer
33
INCS712 Lecture4
COMPUTER
FORENSICS
Forensic Process/Phases
1.
Identification
2.
Collection
3.
Preservation
4.
Examination
5.
Analysis
6.
Presentation/Report
2
Identification
◉ The first step is identifying evidence and potential
containers of evidence
◉ More difficult than it sounds
o Small scale devices
o Non-traditional storage media
o Multiple possible crime scenes
3
Identification
◉ Context of the investigation is very important
◉ Do not overlook non-electronic sources of evidence
o Manuals, papers, printouts, etc.
4
Collection
◉ Care must be taken to minimize contamination
◉ Collect or seize the system(s)
◉ Create forensic image
o Live or Static(dead)?
o Do you own the system
o What does your policy say?
5
Collection: Documentation
6
Collection: Documentation
◉ Take detailed photos and notes of the computer / monitor
o If the computer is “on”, take photos of what is
displayed on the monitor – DO NOT ALTER THE SCENE
7
Collection: Documentation
◉ Make sure to take photos and notes of all connections to
the computer/other devices
8
Collection: Imaging
◉ Rule of Thumb: make 2 copies and don’t work from the
original (if possible)
◉ A file copy does not recover all data areas of the device for
examination
◉ Working from a duplicate image
o Preserves the original evidence
o Prevents inadvertent alteration of original evidence
during examination
o Allows recreation of the duplicate image if necessary
9
Collection: Imaging
◉ Digital evidence can be duplicated with no degradation
from copy to copy
o This is not the case with most other forms of evidence
10
Collection: Imaging
◉ Write blockers
o Hardware
o Software(https://www.thewindowsclub.com/enable-or-disable-usbwrite-protection)
◉ Hardware write blockers are becoming the industry
standard
o USB, SATA, IDE, SCSI, SIM, Memory Cards
o Not BIOS dependent
o But still verify prior to usage!
11
Collection: Imaging
Most commonly used : Tableau Forensic Write Blocker
Destination
Source
Source data
Image data
Write Blocker
Read
Write
Examiner PC
(Imaging tool)
1001100011010…
0110100101010…
01010110011101…
…
D02101001A.E01
D02101002A.DD
D02201001A.AFF
…
12
Collection: Imaging
◉ Forensic Image (Bitstream, bit-by-bit)
o Bit by Bit imaging captures all the data on the copied
media including hidden and residual data (e.g., slack
space, swap, residue, unused space, deleted files etc.)
◉ Duplicate copy when necessary
◉ Often the “smoking gun” is found in the residual data.
◉ Imaging from a disk (drive) to a file is the norm.
Now transitioning to targeted collection
◉ Remember avoid working from original
◉ Use a write blocker even when examining a copy!
13
Imaging: Authenticity & Integrity
◉ How do we demonstrate that the image is a true unaltered
copy of the original? -Hashing (MD5, SHA 256)
◉ Hashing - A mathematical algorithm that produces a
unique value (128 Bit, 512 Bit)
o Can be performed on various types of data (files,
partitions, physical drive)
◉ The value can be used to demonstrate the integrity of your
data
o Changes made to data will result in a different value
◉ The same process can be used to demonstrate the image
has not changed from time-1 to time-n
14
Examination
◉ Higher level look at the file system representation of the
data on the media
◉ Verify integrity of image
o MD5, SHA1 etc.
◉ Recover deleted files & folders
◉ Determine keyword list
o What are you searching for
◉ Determine timelines
o What is the time zone setting of the suspect system
o What time frame is of importance
o Graphical representation is very useful
15
Examination
◉ Examine directory tree
◉
◉
◉
◉
o What looks out of place
o Stego tools installed
o Evidence Scrubbers
Perform keyword searches
o Indexed
o Slack & unallocated space
Search for relevant evidence types
o Hash sets can be useful
o Graphics
o Spreadsheets
o Hacking tools
o Etc.
Look for the obvious first
When is enough enough??
16
Issues
◉ lack of certification for tools
◉ lack of standards procedure
◉ lack of certification for professionals
◉ lack of understanding by Judiciary
◉ Rapid changes in technology!
◉ Immature Scientific Discipline
17
Digital Investigation Process
18
Preparing for Digital Investigations
◉ Digital investigations fall into two categories:
o Public-sector investigations
o Private-sector investigations
19
Preparing for Digital Investigations
◉ Public-sector investigations involve government agencies
responsible for criminal investigations and prosecution
◉ Fourth Amendment to the U.S. Constitution
o Restrict government search and seizure
◉ The Department of Justice (DOJ) updates information on
computer search and seizure regularly
◉ Private-sector investigations focus more on policy
violations
20
Understanding Law Enforcement Agency Investigations
◉ When conducting public-sector investigations, you must
understand laws on computer-related crimes including:
o Standard legal processes
o Guidelines on search and seizure
o How to build a criminal case
◉ The Computer Fraud and Abuse Act was passed in 1986
o Specific state laws were generally developed later
21
Following Legal Processes
◉ A criminal investigation usually begins when someone finds
evidence of or witnesses a crime
o Witness or victim makes an allegation to the police
◉ Police interview the complainant and writes a report about
the crime
◉ Report is processed and management decides to start an
investigation or log the information in a police blotter
o Blotter is a historical database of previous crimes
22
Canada Criminal Court Procedure
Complaint
Accused
Arrest
Release
Charge
Convicted
First Appearance
Assignment
(Preliminary)
Trial
Sentencing
Offender
Appeal
23
Following Legal Processes
◉ Digital Evidence First Responder (DEFR)
o Arrives on an incident scene, assesses the situation,
and takes precautions to acquire and preserve
evidence
◉ Digital Evidence Specialist (DES)
o Has the skill to analyze the data and determine when
another specialist should be called in to assist
◉ Affidavit-a sworn statement of support of facts about or
evidence of a crime
o Must include exhibits that support the allegation
24
Understanding Private-Sector Investigations
◉ Private-sector investigations involve private companies
and lawyers who address company policy violations and
litigation disputes
o Example: wrongful termination
◉ Businesses strive to minimize or eliminate litigation
◉ Private-sector crimes can involve:
o E-mail harassment, falsification of data, gender and
age discrimination, embezzlement, sabotage, and
industrial espionage
25
Understanding Private-Sector Investigations
◉ Businesses are advised to specify an authorized requester
who has the power to initiate investigations
◉ Examples of groups with authority
o
o
o
o
o
Corporate security investigations
Corporate ethics office
Corporate equal employment opportunity office
Internal auditing
The general counsel or legal department
26
Understanding Private-Sector Investigations
◉ During private investigations, you search for evidence to
support allegations of violations of a company’s rules or an
attack on its assets
◉ Three types of situations are common:
o Abuse or misuse of computing assets
o E-mail abuse
o Internet abuse
◉ A private-sector investigator’s job is to minimize risk to the
company
27
Understanding Private-Sector Investigations
◉ The distinction between personal and company computer
property can be difficult with cell phones, smartphones,
personal notebooks, and tablet computers
◉ Bring your own device (BYOD) environment
o Some companies state that if you connect a personal
device to the business network, it falls under the same
rules as company property
28
Maintaining Professional Conduct
◉ Professional conduct includes ethics, morals, and
standards of behavior
◉ An investigator must exhibit the highest level of
professional behavior at all times
o Maintain objectivity
o Maintain credibility by maintaining confidentiality
◉ Investigators should also attend training to stay current
with the latest technical changes in computer hardware
and software, networking, and forensic tools
29
PRACTICE
30
Signature Analysis
1.
2.
TRID for test-sample1
TRID for test-sample2
31
Data Carving
1.
One of data recovery technique
32
Chain of Custody
1.
2.
3.
4.
5.
6.
Collection starts at 7:30 PM, May 25 2021
FTK Imager 4.3.0.18
E01 format
Timezone : UTC-8
Evidence Number: D02102003A
Storage Number: D02101M01
1N2BF3
33
Chain of Custody
Dell OptiPlex 9030
You take forensic image of HDD on Dell
OptiPlex9030.
1.
Evidence Number: D04202003A
2.
Storage Number: D04201M01
3.
Transit to NYIT Forensic Lab (in-charge, Tom)
34
Appearance Notice
An appearance notice is generally given by police to an accused who has not been arrested on a minor
criminal offence. It compels the accused to appear before a court on a specific date. If the accused does not
appear, the court can issue a warrant for his/her arrest.
Promise to Appear
A promise to appear is sometimes given to an accused that has been arrested and released by the police. It
is a personal guarantee to come to court on the date specified. If an arrested person is not released by the
police, there must be a bail hearing before the court within 24 hours to determine whether the person will
remain in custody pending his or her trial.
A recognizance is one form of interim release and is completed by either promising to pay money or
depositing money or other valuable security with the court. Then the defendant will be released pending a
trial or appeal but has an order to appear. If the defendant does not appear, the money promised is due or
the money or security deposited are subject to forfeiture, and an arrest warrant will be issued. When an
accused is charged with a serious crime, or is considered a flight risk or is likely to re-offend, an order for
secure custody will detain the accused in a correctional centre until trial.
Police Report to Crown
The police prepare a report detailing all the evidence they have collected and based on that report, Crown
counsel decides whether criminal charges are appropriate.
Information or Indictment
An information or an indictment is used to charge the accused with the crime. An information is sworn and
signed by a peace officer who knows the case and swears that there are reasonable grounds to believe an
offence has been committed. An Indictment is the charging document used in Supreme Court and is signed
by Crown counsel.
In Canada there are three types of criminal offences: summary conviction, indictable and dual (hybrid)
offences. An example of a summary conviction offence is trespassing by night. An example of an indictable
offence is armed robbery. An example of a dual (hybrid) offence is assault. For hybrid offences, the Crown
chooses whether to proceed summarily or by indictment and for the application of all further procedural
rules, the offence is deemed to be the type of offence the Crown has chosen.
Form of Trial
When an accused is charged with an indictable offence, in most cases they have a right to choose between
three forms of trial: to be tried by a Provincial Court judge, or by a Supreme Court judge alone or by a
Supreme Court judge with a jury. This is called an election. In some serious cases like murder, the trial must
be by judge and jury, unless both the Crown and the accused consent to a trial by a Supreme Court judge
alone.
First Appearance
The first appearance is where an accused or his or her lawyer (counsel), makes their election (if required),
enters a plea to the charge(s) and/or asks for time to retain counsel. The issue of whether or not an
accused can be released on bail pending trial is often decided at the first appearance. It may take time for
the accused and counsel to decide what to do about the charge so there may be a number of appearances.
If the accused decides to plead guilty, sentencing may be done on a different date because a pre-sentence
report may have to be prepared by a probation officer. If the accused pleads not guilty then a date for the
trial or preliminary hearing is set depending on the type of offence.
Preliminary Hearing or Inquiry
If an accused is charged with an indictable offence and has elected a trial by other than the Provincial
Court, a preliminary hearing is held where the Crown must present sufficient evidence to commit the
accused for trial. This allows the court an opportunity to determine whether the charges against the
accused are valid. The preliminary inquiry is held in Provincial Court. The accused does not have to present
evidence at this time because the burden is on the Crown to establish they can convict on the evidence.
The Trial
The judge is the sole arbitrator of the law as it applies to each case and its facts but also provides a
judgment in non-jury trials. The court clerk is in charge of all exhibits, physical evidence, court files and the
recording of the proceedings during any type of court hearing. The sheriff manages courtroom security and
escorts the accused to and from court if he or she is being held in jail during the trial. Not all persons
accused of serious crimes are held in custody prior to trial.
Prosecutors in Canada represent the people through the “Crown” — a term we use because our Head of
State is the Queen. The state charges the accused and is referred to as Crown Counsel/Prosecutor.
Defence counsel is the lawyer for the accused in a criminal trial.
In a criminal matter, the onus is on the Crown to prove the case beyond a reasonable doubt. The judge or
jurors must consider all the evidence to decide if it convinces them beyond a reasonable doubt of the guilt
of the accused.
When a criminal case is brought to court and if the accused might go to jail for a term of five years or more
then the accused has the opportunity to choose to have either a trial by judge alone or a trial by a judge
and jury. The jury will consist of 12 members.
At the end of the trial, when both sides have stated their cases, a verdict will be reached. The verdict is the
decision made about whether or not the accused person is guilty in a criminal trial. In a criminal trial with a
jury this verdict must be unanimous. If the jury cannot reach a unanimous verdict it is called a "hung jury"
and a new trial must be held.
Appeal
In the BC Court of Appeal there are usually only three judges sitting on an appeal unless the court is being
asked to overturn one of its own decisions. In that case five judges would hear the appeal.
INCS712 Lecture5
COMPUTER
FORENSICS
Forensic Acquisition
2
Understanding Image Formats for Digital
Evidence
◉ Data in a forensics acquisition tool is stored as an image file
◉ Three formats
o Raw format
o Proprietary formats
o Advanced Forensics Format (AFF)
Raw Format
◉ Makes it possible to write bit-stream data to files
◉ Advantages
o Fast data transfers
o Ignores minor data read errors on source drive
o Most computer forensics tools can read raw format
◉ Disadvantages
o Requires as much storage as original disk or data
o Tools might not collect marginal (bad) sectors
◉ dd, dmg, img, raw
Proprietary Formats
◉ Most forensics tools have their own formats
◉ Features offered
o Option to compress or not compress image files
o Can split an image into smaller segmented files
o Can integrate metadata into the image file
◉ Disadvantages
o Inability to share an image between different tools
◉ E01, AD1, UFDR
Advanced Forensics Format
◉ Developed by Dr. Simson L. Garfinkel as an open-source
acquisition format
◉ Design goals
o Provide compressed or uncompressed image files
o No size restriction for disk-to-image files
o Provide space in the image file or segmented files for
metadata
o Simple design with extensibility
o Open source for multiple platforms and Oss
▪ Internal consistency checks for self-authentication
◉ AFF
Understanding Bit-Stream Copies
◉ Bit-stream copy (Single Capture or Mirror)
o
o
o
o
o
Bit-by-bit copy of the original storage medium
Exact copy of the original disk
Different from a simple backup copy
Backup software only copy known files
Backup software cannot copy deleted files, e-mail
messages or recover file fragments
◉ Bit-stream image
o File containing the bit-stream copy of all data on a disk
or partition
o Also known as “image” or “image file”
Understanding Bit-Stream Copies
◉ Copy image file to a target disk that matches the original
disk’s manufacturer, size and model
Creating an image
transfers each bit of
data from the original
disk to the same spot
on the target disk
Original Disk
Target Disk
Acquiring an Image of Evidence Media
◉ First rule of computer forensics
o Preserve the original evidence
◉ Conduct your analysis only on a copy of the data
◉ Several vendors provide MS-DOS, Linux, and Windows
acquisition tools
o Windows tools require a write-blocking device when
acquiring data from FAT or NTFS file systems
◉ https://www.youtube.com/watch?v=I-yUf7FwiLQ
Determining the Best Acquisition Method (1 of 4)
◉ Types of acquisitions
o Static acquisitions and live acquisitions
◉ Four methods of data collection
o Creating a disk-to-image file
o Creating a disk-to-disk
o Creating a logical disk-to-disk or disk-to-data file
o Creating a sparse data copy of a file or folder
◉ Determining the best method depends on the
circumstances of the investigation
Determining the Best Acquisition Method (2 of 4)
◉ Creating a disk-to-image file
o Most common method and offers most flexibility
o Can make more than one copy
o Copies are bit-for-bit replications of the original drive
o Compatible with many commercial forensic tools
◉ Creating a disk-to-disk
o When disk-to-image copy is not possible
o Tools can adjust disk’s configuration
o Tools: EnCase and X-Ways
Determining the Best Acquisition Method (3 of 4)
◉ Logical acquisition or sparse acquisition
o Can take several hours; use when your time is limited
o Logical acquisition captures only specific files of
interest to the case
o Sparse acquisition collects fragments of unallocated
(deleted) data
o For large disks
o PST or OST mail files, RAID servers
Determining the Best Acquisition Method (4 of 4)
◉ When making a copy, consider:
o Size of the source disk
▪ Lossless compression might be useful
▪ Use digital signatures for verification
o When working with large drives, an alternative is using
lossless compression
o Whether you can retain the disk
o Time to perform the acquisition
o Where the evidence is located
Contingency Planning for Image Acquisitions
◉ Make at least two images of digital evidence
o Use different tools or techniques
◉ Create a duplicate copy of your evidence image file
◉ Copy host protected area of a disk drive as well
o Consider using a hardware acquisition tool that can
access the drive at the BIOS level
◉ Be prepared to deal with encrypted drives
o Whole disk encryption feature in Windows called
BitLocker makes static acquisitions more difficult
o May require user to provide decryption key
Acquiring Data with a Linux Bootable USB (1 of 4)
◉ Linux can access a drive that isn’t mounted
◉ Windows OSs and newer Linux automatically mount and
access a drive
◉ Forensic Linux Bootable USB don’t access media
automatically
o Which eliminates the need for a write-blocker
◉ Using Linux Bootable USB Distributions
o Forensic Linux Bootable USB
▪ Contain additionally utilities
Acquiring Data with a Linux Bootable USB (2 of 4)
◉ Using Linux Bootable USB Distributions (cont’d)
o Forensic Linux Bootable USB (cont’d)
▪ Configured not to mount, or to mount as read-only,
any connected storage media
▪ Well-designed Linux Bootable USB for computer
forensics
▪ Paladin
▪ CAINE
▪ Deft
▪ Knoppix
▪ SANS Investigative Forensic Toolkit (SIFT)
Acquiring Data with a Linux Bootable USB (3 of 4)
◉ Preparing a target drive for acquisition in Linux
◉ Current Linux distributions can create Microsoft FAT and
NTFS partition tables
◉ fdisk command lists, creates, deletes, and verifies
partitions in Linux
◉ mkfs.msdos command formats a FAT file system from
Linux
Acquiring Data with a Linux Bootable USB (4 of 4)
◉ Acquiring data with dd in Linux
◉ dd(“data dump”) command
o Can read and write from media device and data file
o Creates raw format file that most computer forensics
analysis tools can read
◉ Shortcomings of dd command
o Requires more advanced skills than average user
o Does not compress data
Validating Data Acquisitions
◉ Validating evidence may be the most critical aspect of
computer forensics
◉ Requires using a hashing algorithm utility
◉ Validation techniques
o MD5, and SHA-1 to SHA-512
Linux Validation Methods
◉ Validating dd-acquired data
o You can use md5sum or sha1sum utilities
o Md5sum or sha1sum utilities should be run on all
suspect disks and volumes or segmented volumes
Windows Validation Methods
◉ Windows has no built-in hashing algorithm tools for
computer forensics
o Third-party utilities can be used
◉ Commercial computer forensics programs also have builtin validation features
o Each program has its own validation technique
◉ Raw format image files don’t contain metadata
o Separate manual validation is recommended for all
raw acquisitions
RAID Data Acquisition
22
Performing RAID Data Acquisitions
◉ Acquisition of RAID drives can be challenging and
frustrating because of how RAID systems are
o Designed
o Configured
o Sized
◉ Size is the biggest concern
o Many RAID systems now have exabytes of data
Acquiring RAID Disks (1 of 2)
◉ Address the following concerns:
o
o
o
o
o
o
How much data storage is needed?
What type of RAID is used?
Do you need to have all drives connected?
Do you have the right acquisition tool?
Can the tool read a forensically copied RAID image?
Can the tool read split data saves of each RAID disk?
◉ Copying small RAID systems to one large disk is possible
Acquiring RAID Disks (2 of 2)
◉ Vendors offering RAID acquisition functions
o
o
o
o
o
Guidance Software EnCase
X-Ways Forensics
AccessData FTK
Runtime Software
R-Tools Technologies
◉ Occasionally, a RAID system is too large for a static
acquisition
o Retrieve only the data relevant to the investigation
with the sparse or logical acquisition method
Using Remote Network Acquisition Tools
◉ You can remotely connect to a suspect computer via a
network connection and copy data from it
◉ Remote acquisition tools vary in configurations and
capabilities
◉ Drawbacks
o Antivirus, antispyware, and firewall tools can be
configured to ignore remote access programs
o Suspects could easily install their own security tools
that trigger an alarm to notify them of remote access
intrusions
Remote Acquisition with EnCase Enterprise
◉ Remote acquisition features
o Search and collect internal and external network
systems over a wide geographical area
o Support multiple OSs and file systems
o Triage to help determine system’s relevance to an
investigation
o Perform simultaneous searches of up to five systems at
a time
Remote Acquisition with F-Response
◉ F-Response
o A vendor-neutral remote access utility
o Designed to work with any digital forensics program
o Sets up a security read-only connection
▪ Allows forensics examiners to access it
◉ Four different version of F-Response
o Enterprise Edition, Consultant + Convert Edition,
Consultant Edition, and TACTICAL Edition
PRACTICE
29
Forensic Imaging
Practice (Forensic Imaging by software)
1.
Install FTK Imager (https://accessdata.com/product-download/)
2.
Connect your source disk to your computer
3.
Connect the destination disk that stores the image files
4.
Open the imaging program
5.
FTK Imager – File –Create Disk Image – Physical Drive – Select Source Drive – Finish – Add –
Select Image Type – Raw(dd) – Evidence Item Information – Assign Destination folder– Image
Filename – Image Fragment Size (2,000) – Finish – Start
7.
Add Local Device – Next – Choose source drive – Finish – Click the drive – Acquire
– Insert information – OK
30
Mounting Image Files
Practice (Image mounting)
1.
Open FTK Imager
2.
Add Image – Select Image files
3.
Find assigned drive letter from Windows Explorer
31
Targeted Collection
Practice (Robocopy)
1.
Download Rococopy command file
2.
Refer to the Syntax of Robocopy at
https://technet.microsoft.com/en-us/library/cc733145(v=ws.11).aspx
3.
Make a new folder and copy some files from other folders to the new folder
4.
Using Robocopy, copy the new folder to your usb drive keeping same directory structure
and metadata
5.
Delete some files from your usb drive and copy back only the deleted files from original source
Reference
C:\Users\Joseph\Documents>robocopy “c:\Users\Joseph\Documents\new\”
“e:\collection\” /MIR /TEE /E /LOG:”e:\log.txt”
C:\Users\Joseph\Documents>robocopy “c:\Users\Joseph\Documents\new\” “e:\collection\”
/E /XC /XN /XO /LOG:”e:\log.txt”
32
INCS712 Lecture6
COMPUTER
FORENSICS
E-mail and Social Media
Investigations
2
Investigating E-mail Crimes and Violations (1 of 2)
◉ Similar to other types of investigations
◉ Goals
o Find who is behind the crime
o Collect the evidence
o Present your findings
o Build a case
◉ Know the applicable privacy laws for your jurisdiction
◉ E-mail crimes depend on the city, state, or country
o Example: spam may not be a crime in some states
o Always consult with an attorney
Investigating E-mail Crimes and Violations (2 of 2)
◉ Examples of crimes involving e-mails
o Narcotics trafficking
o Extortion
o Sexual harassment and stalking
o Fraud
o Child abductions and pornography
o Terrorism
Exploring the Role of E-mail in Investigations (1 of 2)
◉ An increase in e-mail scams and fraud attempts with
phishing or spoofing
o Phishing e-mails contain links to text on a Web
page
▪ Attempts to get personal information from
reader
o Email Spoofing contains altered parts by someone
else
▪ To get you to trust them
▪ Will take additional steps like following a link
◉ Investigators need to know how to examine and
interpret the unique content of e-mail messages
Exploring the Role of E-mail in Investigations (2 of 2)
◉ Spoofing e-mail can be used to commit fraud
◉ Investigators can use the Enhanced/Extended Simple
Mail Transfer Protocol (ESMTP)number in the
message’s header to check for legitimacy of email
Exploring the Roles of the Client and Server in Email (1 of 3)
◉ E-mail can be sent and received in two environments
o Internet
o Intranet (an internal network)
◉ Client/server architecture
o Server OS and e-mail software differs from those
on the client side
◉ Protected accounts
o Require usernames and passwords
Exploring the Roles of the Client and Server in Email (2 of 3)
Exploring the Roles of the Client and Server in Email (3 of 3)
◉ Name conventions
o Corporate: john.smith@telus.com
o Public: whatever@gmail.com
o Everything after @ belongs to the domain name
◉ Tracing corporate e-mails is easier
o Because accounts use standard names the
administrator establishes
Examining E-mail Messages (1 of 2)
◉ Access victim’s computer or mobile device to recover
the evidence
◉ Using the victim’s e-mail client
o Find and copy any potential evidence
o Access protected or encrypted material
◉ Guide victim on the phone
o Open and copy e-mail including headers
◉ You may have to recover deleted e-mails
Examining E-mail Messages (2 of 2)
◉ Copying an e-mail message
o Before you start an e-mail investigation
▪ You need to copy and print the e-mail involved
in the crime or policy violation
o You might also want to forward the message as an
attachment to another e-mail address
◉ With many GUI e-mail programs, you can copy an e-
mail by dragging it to a storage medium
o Or by saving it in a different location
Viewing E-mail Headers (1 of 5)
◉ Investigators should learn how to find e-mail headers
o GUI clients
o Web-based clients
◉ After you open e-mail headers, copy and paste them
into a text document
o So that you can read them with a text editor
◉ Become familiar with as many e-mail programs as
possible
o Often more than one e-mail program is installed
Viewing E-mail Headers (2 of 5)
◉ Outlook
o Double-click the message and then click File,
Properties
o Copy headers
o Paste them to any text editor
o Save the document as Outlook header.txt in your
work folder
Viewing E-mail Headers (3 of 5)
Viewing E-mail Headers (4 of 5)
◉ Gmail
o Click the down arrow next to the Reply circular arrow,
and click Show original
o Click Download Original link to open the “Opening
original_msg.txt” dialog box
o Click Open with Notepad (default)and click Okay
o Save the file in your work folder with the default name
◉ Yahoo
o Click Inbox to view a list of messages
o Above the message window, click More and click View
Raw Message
o Copy and paste headers to a text file
Viewing E-mail Headers (5 of 5)
Examining E-mail Headers (1 of 2)
◉ Headers contain useful information
o The main piece of information you’re looking for
is the originating e-mail’s IP address
o Date and time the message was sent
o Filenames of any attachments
o Unique message number (if supplied)
Examining E-mail Headers (2 of 2)
Examining Additional E-mail Files
◉ E-mail messages are saved on the client side or left at
the server
◉ Microsoft Outlook uses .pst and .ost files
◉ Most e-mail programs also include an electronic
address book, calendar, task list, and memos
◉ In Web-based e-mail
o Messages are displayed and saved as Web pages
in the browser’s cache folders
o Many Web-based e-mail providers also offer
instant messaging (IM) services
Tracing an E-mail Message
◉ Determining message origin is referred to as “tracing”
◉ Contact the administrator responsible for the sending
server
◉ Use a registry site to find point of contact:
o www.arin.net
o www.internic.com
o www.google.com
◉ Verify your findings by checking network e-mail logs
against e-mail addresses
Using Network E-mail Logs (1 of 2)
◉ Router logs
o Record all incoming and outgoing traffic
o Have rules to allow or disallow traffic
o You can resolve the path a transmitted e-mail has
taken
◉ Firewall logs
o Filter e-mail traffic
o Verify whether the e-mail passed through
◉ You can use any text editor or specialized tools
Using Network E-mail Logs (2 of 2)
Understanding E-mail Servers (1 of 2)
◉ An e-mail server is loaded with software that uses e-mail
protocols for its services
o And maintains logs you can examine and use in your
investigation
◉ E-mail storage
o Database
o Flat file system
◉ Logs
o Some servers are set up to log e-mail transactions by
default; others have to be configured to do so
Understanding E-mail Servers (2 of 2)
◉ E-mail logs generally identify the following:
o
o
o
o
o
E-mail messages an account received
Sending IP address
Receiving and reading date and time
E-mail content
System-specific information
◉ Contact suspect’s network e-mail administrator as soon as
possible
◉ Servers can recover deleted e-mails
o Similar to deletion of files on a hard drive
Examining Microsoft E-mail Server Logs (1 of 4)
◉ Microsoft Exchange Server (Exchange)
o Uses a database
o Based on Microsoft Extensible Storage Engine (ESE)
◉ Most useful files in an investigation:
o .edb database files, checkpoint files, and temporary
files
◉ Information Store files
o Database files *.edb
▪ Responsible for MAPI information
▪ Messaging Application Programming Interface
(MAPI) is a messaging architecture and a
Component Object Model based API for Microsoft
Windows.
Examining Microsoft E-mail Server Logs (2 of 4)
◉ Transaction logs
o Keep track of changes to its data
◉ Checkpoints
o Marks the last point at which the database was
written to disk
◉ Temporary files
o Created to prevent loss when the server is busy
converting binary data to readable text
Examining Microsoft E-mail Server Logs (3 of 4)
◉ To retrieve log files created by Exchange
o Use the Windows PowerShell cmdlet Get
TransactionLogStats.ps1 -Gather
◉ Tracking.log
o An Exchange server log that tracks messages
◉ Another log used for investigating the Exchange
environment is the troubleshooting log
o Use Windows Event Viewer to read the log
Examining Microsoft E-mail Server Logs (4 of 4)
Using Specialized E-mail Forensics Tools (1 of 3)
◉ Tools include:
o
o
o
o
o
o
o
o
o
o
DataNumen for Outlook and Outlook Express
FINALeMAIL for Outlook Express and Eudora
Sawmill-Novell GroupWise for log analysis
MailXaminer for multiple e-mail formats and large data
sets
Fookes Aid4Mail and MailBag Assistant
Paraben E-Mail Examiner
AccessData FTK for Outlook and Outlook Express
Ontrack Easy Recovery EmailRepair
R-Tools R-Mail
OfficeRecovery’s MailRecovery
Using Specialized E-mail Forensics Tools (2 of 3)
◉ Tools allow you to find:
o
o
o
o
E-mail database files
Personal e-mail files
Offline storage files
Log files
Using Specialized E-mail Forensics Tools (3 of 3)
◉ After you compare e-mail logs with messages, you should
verify the:
o Email account, message ID, IP address, date and time
stamp to determine whether there’s enough evidence
for a warrant
◉ With some tools
o You can scan e-mail database files on a suspect’s
Windows computer, locate any e-mails the suspect has
deleted and restore them to their original state
Repairing Outlook Files
◉ A forensics examiner recovering e-mail messages
from Outlook
o May need to reconstruct .pst files and messages
◉ With many advanced forensics tools
o Deleted .pst files can be partially or completely
recovered
◉ Scanpst.exe recovery tool
o Comes with Microsoft Office
o Can repair .ost files as well as .pst files
PRACTICE
35
Evtx Log Analysis
36