INCS712 Lecture 1: COMPUTER FORENSICS

Course Outline

Reference Books
1. Brian Carrier, "File System Forensic Analysis," Addison-Wesley Professional; Edition 1, March 27, 2005. ISBN-10: 0321268172; ISBN-13: 978-03212681.
2. Sherri Davidoff and Jonathan Ham, "Network Forensics: Tracking Hackers through Cyberspace," Edition 1, Prentice Hall; June 18, 2012.
3. Harlan Carvey, "Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8," Edition 4, Syngress. ISBN-10: 9780124171572.
4. Bill Nelson, Amelia Phillips, Christopher Steuart, "Guide to Computer Forensics and Investigations: Processing Digital Evidence."

Instructor: JUSEOP LIM (jlim10@nyit.edu)
❑ Senior Digital Forensic Examiner
❑ Certified Forensic Examiner
❑ Certified eDiscovery Specialist
❑ Master of INCS (NYIT), 2018
❑ Master of Forensic Computing (CUNY), 2008
❑ Prosecutor's Office – Computer Crime Lab (2008)
❑ Deloitte / Fronteo / DFIFORENSICS

Teaching Assistant
❑ Xuemin Zang (xzang01@nyit.edu)

Class Participation & Discussions: 10%
Projects and Assignments: 30%
Midterm Exam: 30%
Final Exam: 30%

▪ Don't be late for classes or exams
▪ Required to attend at least 50% of classes
▪ Plagiarism or cheating is not acceptable

What is Computer Forensics

Forensics
◉ Derived from the Latin term 'forensis', which means a public debate or discussion; forensics in the modern sense implies courts of law.
◉ Forensic science is the application of science and the scientific method to the judicial system.
◉ A forensic scientist analyzes and interprets evidence, and is challenged in court while providing expert witness testimony.
◉ Disciplines: Toxicology (study of alcohol and drugs) / Serology (study of blood and other biological fluids) / Questioned document examination (examination of documents, handwriting comparison, study of inks, typewriter imprints, counterfeiting, etc.)
/ Chemistry / Firearms identification and ballistics (study of marks and striations on bullets) / Hair and fibre analysis

Digital Forensics
◉ The application of computer science and investigative procedures for a legal purpose, involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

Digital Forensics (diagram of sub-disciplines)
Digital Forensics: Digital Forensic Incident Response / Computer Forensics / Mobile Forensics / Network Forensics / DB Forensics / Software Forensics

Digital Forensics: Enron Scandal (2001)
Unethical practices: the company used accounting limitations to misrepresent earnings and modify the balance sheet to indicate favorable performance.
▪ Bankruptcy
▪ Shareholders lost $74 billion
▪ Sarbanes-Oxley Act
▪ Damage to Arthur Andersen
FBI investigation launched: processed 31 terabytes of data that included 2,300 pieces of evidence, 600 employee emails, 130 computers, 10 million pages of documents, more than 3,000 Outlook email boxes and 4,500 Lotus Notes email boxes. It should be pointed out that a terabyte is equivalent to 250 million pages of text.

Enron Investigation (diagram: Mining for Evidence, Enron Scandal)
Past adjusted earning statement / File recovery / Profit margins / File fragments / Backup systems / Pay / Inventory / Stock option / Home PC / Cellphone / Hard drives / Financial papers / Auditors' journal entries / Invest holdings / Law firms / Bank records

What is Computer Forensics?
◉ Computer forensics: determining the past actions that have taken place on a computer system using computer forensic techniques.
◉ The collection, preservation, analysis and presentation of computer-related evidence.

What is the Purpose of Computer Forensics?
◉ Computer forensics retrieves information, even if it has been altered or erased, to be used in the pursuit of an attacker or a criminal.
◉ It uses technologies to search for digital evidence of a crime.
Typical Investigations
◉ Trade secret leakage, data breach
◉ Employee harassment (power/sexual) / discrimination
◉ Fraud (embezzlement / kickback / rebate)
◉ Criminal cases (child pornography / homicide / drugs)
◉ Regulations / compliance (Antitrust / FCPA / SOX / UK Bribery / AML)
◉ Identity theft
◉ eDiscovery

Media Devices with Potential Data
◉ Desktop and laptop computers
◉ iPads, iPods, etc.
◉ Smartphones and most other cell phones
◉ MP3 music players, CD-ROMs & DVDs
◉ Digital cameras, dash cams
◉ USB memory devices, memory cards
◉ Backup tapes
◉ Server and network devices
◉ Cloud and social media

Computer Forensic Capabilities
◉ Recover deleted files
◉ Identify what external devices were attached and who accessed them
◉ Determine what programs were running
◉ Recover webpages
◉ Recover emails and the users who read them
◉ Recover chat logs
◉ Determine file servers used
◉ Discover a document's hidden history
◉ Recover phone records and SMS text messages from mobile devices
◉ Find malware and the data it collected
◉ …

Who uses Computer Forensics?
◉ Public sector: law enforcement
◉ Private sector: computer forensic organizations
◉ Military
◉ Computer security and IT professionals
◉ Audit firms

Law Enforcement
◉ Local, state and federal levels
◉ Detectives at local levels
◉ State or provincial police
◉ FBI's Computer Analysis and Response Team (CART)
◉ Regional Computer Forensics Laboratories (RCFLs)
◉ RCMP / VPD
◉ Canada Revenue Agency
◉ British Columbia Securities Commission
◉ Canadian Security Intelligence Service
◉ Independent Investigations Office of BC
◉ Communications Security Establishment

Computer Forensic Organizations
◉ The Centre of Forensic Sciences
◉ Computer Forensics Associates
◉ Advanced Forensic Recovery of Electronic Data
◉ New York Computer Forensic Services
◉ DFI Forensics / e-Forensics / ReStoringData
◉ Deloitte / MT3 / Envista / MNP / Cytelligence

Military
◉ Test, identify, and gather evidence in the field
  o Specialized training in imaging and identifying multiple sources of electronic evidence
◉ Analyze the evidence for rapid intelligence gathering and responding to security breach incidents
  o Desktop and server forensic techniques

Cybersecurity related
◉ Forensics investigators often work as part of a team to make computers and networks secure, known as the investigation triad.

Cybersecurity related (the investigation triad)
◉ Vulnerability/threat assessment and risk management
  o Tests and verifies the integrity of stand-alone workstations and network servers
◉ Network intrusion detection and incident response
  o Detects intruder attacks by using automated tools and monitoring network firewall logs
◉ Digital investigations
  o Manages investigations and conducts forensic analysis of systems suspected of containing evidence

Developing Digital Forensics Resources
◉ To supplement your knowledge:
  o Search the internet to find related organizations, companies, and rules and regulations.
  o Develop and maintain contact with computing, network, and investigative professionals.
  o Follow and/or join computer user groups in both the public and private sectors.
◉ Examples: the Forensicfocus.com forum, a Digital Forensics Discord channel, or free webinars by industry leaders

Crime and Forensic Investigation

Crime and Computer Forensics
◉ Computers can contain information that helps law enforcement determine
  o the chain of events leading to a crime
  o evidence that can lead to a conviction
◉ Information might be protected or encrypted, so forensic tools may be necessary in your investigation
◉ Law enforcement should follow proper procedure when acquiring evidence
  o Digital evidence can be easily altered by an overeager investigator

Taking a Systematic Approach (Risk mitigation)
◉ Identify the risks
◉ Mitigate or minimize the risks
◉ Test the design
◉ Analyze and recover the digital evidence
◉ Investigate the data you recover
◉ Complete the case report
◉ Critique the case

Taking a Systematic Approach (Typical procedure)
◉ Make an initial assessment about the type of case you are investigating
◉ Determine a preliminary design or approach to the case
◉ Create a detailed checklist
◉ Determine the resources you need
◉ Obtain and copy an evidence drive

Assessing the Case
◉ Systematically outline the case details
  o Situation
  o Nature of the case
  o Specifics of the case
  o Type of evidence
  o Known disk format
  o Location of evidence
◉ Based on these details, you can determine the case requirements

Planning Your Investigation
◉ A basic investigation plan should include the following activities:
  o Acquire the evidence
  o Complete an evidence form and establish a chain of custody
  o Transport the evidence to a computer forensics lab
  o Secure the evidence in an approved secure container
  o Prepare your forensics workstation
  o Retrieve the evidence from the secure container
  o Make a forensic copy of the evidence
  o Return the evidence to the secure container
  o Process the copied evidence with computer forensics tools

Documenting Your Investigation
◉ An evidence custody form helps you document what has been done with the original evidence and its forensic copies
  o Also called a chain-of-evidence form
◉ Two types
  o Single-evidence form
    ▪ Lists each piece of evidence on a separate page
  o Multi-evidence form

Documenting Your Investigation (sample form, image)

Securing Your Evidence
◉ Use evidence bags to secure and catalog the evidence
◉ Use computer-safe products when collecting computer evidence
  o Antistatic bags
  o Antistatic pads
◉ Use well-padded containers
◉ Use evidence tape to seal all openings
  o CD drive bays
  o Insertion slots for power supply electrical cords and USB cables

Securing Your Evidence (cont'd)
◉ Write your initials on the tape to prove that the evidence has not been tampered with
◉ Consider computer-specific temperature and humidity ranges
  o Make sure you have a safe environment for transporting and storing it until a secure evidence container is available

PRACTICE

Understanding of Storages (1/4)
◎ Type of Disk Drive
1. HDD (Hard Disk Drive)
   a) IDE (PATA)
   b) SATA
   c) SCSI
   d) SAS
   (pictured: SCSI drive, SAS drive)

Understanding of Storages (2/4)
◎ Type of Disk Drive
2. SSD (Solid State Drive)
   a) M.2 (NVMe)
   b) M.2 (NGFF)
   c) mSATA
   (pictured: M.2 (NGFF), M.2 (NVMe), mSATA)

Understanding of Storages (3/4)
◎ Type of Disk Drive
3. USB (Universal Serial Bus)

Understanding of Storages (4/4)
◎ Type of Disk Drive
4. RAID

Why do we need to understand the types of storage?
◎ Extraction of data from storage requires
  o a power supply and data cable connection
  o the proper interface

Why do we need to understand the types of storage?
◎ Normally carry a gender changer or adapter

Storage Information
◎ Information to be recorded

INCS712 Lecture 2: COMPUTER FORENSICS

Common Types of Investigation

Internet Abuse Investigations
◉ Internet abuse case
  o Improper use of the internet
    ▪ Cyber-crime
    ▪ Cyber-bullying
    ▪ Malware
◉ To conduct an investigation you need:
  o The organization's Internet proxy server logs
  o The suspect computer's IP address
  o The suspect computer's disk drive
  o Your preferred computer forensics analysis tool

Internet Abuse Investigations (cont'd)
◉ Recommended steps:
  o Use standard forensic analysis techniques and procedures
  o Use appropriate tools to extract all web page URL information
  o Contact the network firewall administrator and request a proxy server log
  o Compare the data recovered from forensic analysis to the proxy server log
  o Continue analyzing the computer's disk drive data

E-mail Abuse Investigations
◉ E-mail abuse
  o Unsolicited sending of spam, third-party advertisements, derogatory language, slander, and threats via e-mail
◉ To conduct an investigation, you need:
  o An electronic copy of the offending e-mail that contains message header data
  o If available, e-mail server log records
  o For e-mail systems that store users' messages on a central server, access to the server
  o Access to the computer so that you can perform a forensic analysis on it
  o Your preferred computer forensics analysis tool

E-mail Abuse Investigations (cont'd)
◉ Recommended steps:
  o Use the standard forensic analysis techniques
  o Obtain an electronic copy of the suspect's and victim's e-mail folder or data
  o For web-based e-mail investigations, use tools such as FTK's Internet Keyword Search option to extract all related e-mail address information
  o Examine the header data of all messages of interest to the investigation

Trade Secret Leakage Investigations
◉ All suspected industrial espionage cases should be treated as criminal investigations
◉ Staff needed
  o Computing investigator who is responsible for disk forensic examinations
  o Technology specialist who is knowledgeable about the suspected compromised technical data
  o Network specialist who can perform log analysis and set up network sniffers
  o Threat assessment specialist (typically an attorney)

Trade Secret Leakage Investigations (cont'd)
◉ Guidelines when initiating an investigation
  o Determine whether this investigation involves a possible industrial espionage incident
  o Consult with corporate attorneys and upper management
  o Determine what information is needed to substantiate the allegation
  o Generate a list of keywords for disk forensics and sniffer monitoring
  o List and collect resources for the investigation

Trade Secret Leakage Investigations (cont'd)
◉ Guidelines (cont'd)
  o Determine the goal and scope of the investigation
  o Initiate the investigation after approval from management
◉ Planning considerations
  o Examine all e-mail of suspected employees
  o Search Internet newsgroups or message boards
  o Initiate physical surveillance
  o Examine facility physical access logs for sensitive areas
  o Determine the suspect's location in relation to the vulnerable asset
  o Study the suspect's work habits
  o Collect all incoming and outgoing phone logs

Trade Secret Leakage Investigations (cont'd)
◉ Steps to conducting an industrial espionage case
  o Gather all personnel assigned to the investigation and brief them on the plan
  o Gather resources to conduct the investigation
  o Place surveillance systems at key locations
  o Discreetly gather any additional evidence
  o Collect all log data from networks and e-mail servers
  o Report regularly to management and corporate attorneys
  o Review the investigation's scope with management and corporate attorneys

Forensic Fundamentals

Digital Forensics
◉ The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law.
◉ Includes:
  o Network
  o Mobile
  o DB
  o Computer
  o Code analysis

Digital Forensic Activities
◉ Digital forensics activities commonly include:
  o The secure collection of computer data
  o The identification of suspect data
  o The examination of suspect data to determine details such as origin and content
  o The presentation of computer-based information to courts of law

The 3 As
◉ The basic methodology consists of the 3 As:
  o Acquire the evidence without altering or damaging the original
  o Authenticate the image
  o Analyze the data without modifying it

Crime Scenes
◉ Physical crime scenes vs. cyber/digital crime scenes
◉ Overlapping principles and fundamentals
◉ The basics of criminalistics are constant across both physical and digital
◉ Locard's Exchange Principle applies
  o "When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived"

Digital Crime Scene
◉ Digital crime scene
  o The electronic environment where digital evidence can potentially exist (Rogers, 2005)
  o Primary and secondary digital scene(s) as well
◉ Digital evidence
  o Digital data that establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and the perpetrator (Carrier & Spafford, 2003)

Forensic Principles
◉ Digital/electronic evidence is extremely volatile!
◉ Once the evidence is contaminated it cannot be decontaminated!
◉ The courts' acceptance is based on the best evidence principle
  o With computer data, printouts or other output readable by sight, and bit-stream copies, adhere to this principle.
◉ Best Evidence Rule: a rule of evidence that requires an original document, photograph, or other piece of evidence to be introduced to the court to prove the contents of that same item.
  o Ensures the court receives unaltered evidence that is legible, or clearly perceivable in the case of video and audio recordings.
◉ Chain of custody is crucial

Digital Forensic Principles
◉ The 6 principles are:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

PRACTICE

Metadata
1. What does metadata include?
2. File system metadata vs. application metadata
3. What changes metadata?
Practice (metadata extraction with ExifTool)
1. Make an MS Word file and type some words.
2. Save and quit.
3. Open Windows Explorer and go to the file's properties.
4. Open CMD and type 'exiftool(-k).exe wordfilename' (ExifTool: https://exiftool.org/)

Metadata (screenshot)

Metadata
Practice (metadata gathering with FTK Imager)
1. Install and open FTK Imager
2. File – Add all attached devices
3. Right-click on the C drive – Export directory listing – Save a file
(FTK Imager: https://accessdata.com/product-download/ftk-imager-version-4-3-0)

❑ M - Data Content Change Time: the time the data content of a file was last modified
❑ A - Data Last Access Time: the approximate time when the file data was last accessed
❑ C - Metadata Change Time: the time this MFT record was last modified
❑ B - Metadata Create Time: the time the file was created in the volume

Metadata
Practice (File copy)
1. Copy the Word file and paste it under another folder
2. Check the metadata of the copied file
3. Make a folder, and copy and paste it to another location
4. Check the metadata of the folder
5. Create a new file under the folder
6. Check the metadata of the folder
Source: http://www.forensicswiki.org/wiki/MAC_times

Time Stomping (Anti-Forensic Skill)
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
You can find more details at https://www.offensive-security.com/metasploit-unleashed/timestomp/

Hash Value & File Signature
Hash Value
• Type – MD5, SHA-1, SHA-256
• Use – Integrity check
• Target – Disk, File, Character…
(diagram: Target Data → Hash Algorithm → Hash Value; e.g. a 128-bit value d41d8cd98f00b204e9800998ecf8427e)

Hash Value & File Signature
Practice (hash value calculated by HashMyFiles)
1. Install HashMyFiles (http://www.nirsoft.net/utils/hash_my_files.html)
2. Create a text file with Notepad
3. Type anything in the file
4. Open HashMyFiles – Add file – Choose the created file
5. Make a copy of the file, and follow step 4 for the new copy
6. Make one more copy of the file, type one space, then save
7.
Follow step 4 to the modified file Source (http://www.forensicswiki.org/wiki/MAC_times) 27 $ S T A N D A R D _ I N F O R M A T I O N File Creation File Access File Modification File Rename File Copy Local File Move Volume File Move Volume File Move File Deletion Modified – Time of File Creation Modified – No Change Modified – Time of Data Modification Modified – No Change Modified – Inherited from Original Modified – No Change Modified – Inherited from Original Modified – Inherited from Original Modified – No Change Access – No Change Access – No Change Access – Time of File Copy Access – No Change Access – Time of File Move via CLI Access – Time of Cut/Paste Access – No Change Access – Time of Access Access – Time of File Creation Windows Forensic Analysis You Can’t Protect What You Don’t Know About digital-forensics.sans.org $25.00 DFPS_FOR500_v4.9_4-19 Poster Created by Rob Lee with support of the SANS DFIR Faculty ©2019 Rob Lee. All Rights Reserved. Windows Artifact Analysis: Evidence of... XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU Interpretation • The “*” key – This subkey tracks the most recent files of any extension input in an OpenSave dialog • .??? (Three letter extension) – This subkey stores file info from the OpenSave dialog by specific extension Email Attachments Description The email industry estimates that 80% of email data is stored via attachments. Email standards only allow text. Attachments must be encoded with MIME/base64 format. Location UserAssist Description GUI-based programs launched from the desktop are tracked in the launcher on a Windows System. 
Location NTUSER.DAT HIVE: NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\ {GUID}\Count Interpretation All values are ROT-13 Encoded •G UID for XP - 7 5048700 Active Desktop •G UID for Win7/8/10 - C EBFF5CD Executable File Execution - F 4E57C4B Shortcut File Execution Windows 10 Timeline Description Win10 records recently used applications and files in a “timeline” accessible via the “WIN+TAB” key. The data is recorded in a SQLite database. C:\Users\<profile>\AppData\Local\ConnectedDevices Platform\L.<profile>\ActivitiesCache.db %USERPROFILE%\Local Settings\ApplicationData\Microsoft\Outlook Interpretation Win7/8/10: %USERPROFILE%\AppData\Local\Microsoft\Outlook •A pplication execution • Focus count per application Interpretation MS Outlook data files found in these locations include OST and PST files. One should also check the OLK and Content.Outlook folder, which might roam depending on the specific version of Outlook used. For more information on where to find the OLK folder this link has a handy chart: http://www.hancockcomputertech.com/blog/2010/01/06/find-themicrosoft-outlook-temporary-olk-folder Skype History Description • Skype history keeps a log of chat sessions and files transferred from one machine to another • This is turned on by default in Skype installations Location Metadata – Time of Data Modification Metadata – Time of File Rename Metadata – Time of File Copy Metadata – Time of Local File Move Metadata – Inherited from Original Metadata – Inherited from Original Metadata – No Change Creation – Time of File Creation Creation – No Change Creation – No Change Creation – No Change Creation – Time of File Copy Creation – No Change Creation – Time of File Move via CLI Creation – Inherited from Original Creation – No Change File Creation File Access File Modification File Rename File Copy Local File Move Volume File Move Volume File Move File Deletion Modified – Time of File Creation Modified – No Change Modified – No Change 
Modified – No Change Modified – Time of File Copy Modified – No Change Modified – Time of Move via CLI Modified – Time of Cut/Paste Modified – No Change Access – Time of File Creation Access – No Change Access – No Change Access – No Change Access – Time of File Copy Access – No Change Access – Time of Move via CLI Access – Time of Cut/Paste Access – No Change Metadata – Time of File Creation Metadata – No Change Metadata – No Change Metadata – No Change Metadata – Time of File Copy Metadata – No Change Metadata – Time of Move via CLI Metadata – Time of Cut/Paste Metadata – No Change Creation – Time of File Creation Creation – No Change Creation – No Change Creation – No Change Creation – Time of File Copy Creation – No Change Creation – Time of Move via CLI Creation – Time of Cut/Paste Creation – No Change Shimcache (move via CLI) RecentApps Description GUI Program execution launched on the Win10 system is tracked in the RecentApps key Amcache.hve Description • Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables. • Tracks the executables file name, file size, last modified time, and in Windows XP the last update time Location (cut/paste via Explorer) Description ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation Location Win7/8/10: Win7/8/10: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache Interpretation Any executable run on the Windows system could be found in this key. You can use this key to identify systems that specific malware was executed on. In addition, based on the interpretation of the time-based data you might be able to determine the last time of execution or activity on the system. 
• Windows XP contains at most 96 entries - LastUpdateTime is updated when the files are executed • Windows 7 contains at most 1,024 entries - LastUpdateTime does not exist on Win7 systems Jump Lists Description • Amcache.hve – Keys = Amcache.hve\Root\File\{Volume GUID}\####### • Entry for every executable run, full path information, File’s $StandardInfo Last Modification Time, and Disk volume the executable was run from • First Run Time = Last Modification Time of Key • SHA1 hash of executable also contained in the key System Resource Usage Monitor (SRUM) Description Records 30 to 60 days of historical system performance. Applications run, user account responsible for each, and application and bytes sent/received per application per hour. Location • The Windows 7 task bar (Jump List) is engineered to allow users to “jump” or access items they have frequently or recently used quickly and easily. This functionality cannot only include recent media files; it must also include recent tasks. • The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application. SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions {d10ca2fe-6fcf4f6d-848e-b2e99266fa89} = Application Resource Usage Provider C:\Windows\ System32\SRU\ Interpretation Use tool such as srum_dump.exe to cross correlate the data between the registry keys and the SRUM ESE Database. Win7/8/10: Location C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ AutomaticDestinations NTUSER.DAT\Software\Microsoft\Windows\Current Version\Search\RecentApps Interpretation Location Interpretation Each GUID key points to a recent application. 
AppID = Name of Application LastAccessTime = Last execution time in UTC LaunchCount = Number of times executed XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\ LastVisitedMRU Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\ LastVisitedPidlMRU Interpretation Tracks the application executables used to open files in OpenSaveMRU and the last file path used. Prefetch Description • Increases performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file. Utilized to know an application was executed on a system. • Limited to 128 files on XP and Win7 • Limited to 1024 files on Win8 • (exename)-(hash).pf Location WinXP/7/8/10: Interpretation • Each .pf will include last time of execution, number of times run, and device and file handles used by the program • Date/Time file by that name and path was first executed - Creation Date of .pf file (-10 seconds) • Date/Time file by that name and path was last executed - Embedded last execution time of .pf file - Last modification date of .pf file (-10 seconds) - Win8-10 will contain last 8 times of execution Windows Background Activity Moderator (BAM) • First time of execution of application. - Creation Time = First time item added to the AppID file. • Last time of execution of application w/file open. - Modification Time = Last time item added to the AppID file. • List of Jump List IDs -> http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application. 
Example: Notepad.exe was last run using the C:\%USERPROFILE%\ Desktop folder C:\Windows\Prefetch BAM/DAM Location Description Location Interpretation SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility Description Win10: Last-Visited MRU C:\Windows\AppCompat\Programs\Amcache.hve XP: Location Outlook XP: Metadata – No Change Program Execution Open/Save MRU Location Metadata – Time of File Creation The “Evidence of...” categories were originally created by SANS Digital Forensics and Incidence Response faculty for the SANS course FOR500: Windows Forensic Analysis. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Windows artifacts for computer intrusion, intellectual property theft, and other common cyber crime investigations. File Download In the simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and Firefox, but also a majority of commonly used applications. (cut/paste via Explorer) $ F I L E N A M E P O S T E R Description (No Change only on NTFS Win7+) (move via CLI) Win10: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID} Investigative Notes Provides full path of the executable file that was run on the system and last execution date/time XP: C:\Documents and Settings\<username>\Application\Skype\<skype-name> Win7/8/10: C:\%USERPROFILE%\AppData\Roaming\Skype\<skype-name> Deleted File or File Knowledge Interpretation Each entry will have a date/time value and a Skype username associated with the action. XP Search – ACMRU Browser Artifacts Description Not directly related to “File Download”. Details stored for each local user account. Records number of times visited (frequency). 
Browser Artifacts (File Download)
Location
Internet Explorer
• IE8-9: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
• IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox
• v3-25: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
• v26+: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite, Table: moz_annos
Chrome
• Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
Interpretation: Many sites in history will list the files that were opened from remote sites and downloaded to the local system. History will record the access to the file on the website that was accessed via a link.

Downloads
Description: Firefox and IE have a built-in download manager application which keeps a history of every file downloaded by the user. This browser artifact can provide excellent information about what sites a user has been visiting and what kinds of files they have been downloading from them.
Location
Firefox:
• XP: %userprofile%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
• Win7/8/10: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
Internet Explorer:
• IE8-9: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\
• IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

Search – ACMRU (XP)
Description: You can search for a wide range of information through the search assistant on a Windows XP machine. The search assistant will remember a user’s search terms for filenames, computers, or words that are inside a file. This is an example of where you can find the “Search History” on the Windows system.
Location: NTUSER.DAT Hive, NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru\####
Interpretation
• Search the Internet – ####=5001
• All or part of a document name – ####=5603
• A word or phrase in a file – ####=5604
• Printers, Computers and People – ####=5647

Search – WordWheelQuery
Location: Win7/8/10 NTUSER.DAT Hive
Interpretation: Keywords are added in Unicode and listed in temporal order in an MRUlist

Thumbcache
Location: C:\%USERPRO FILE%\AppData\Local\Microsoft\Windows\Explorer
Interpretation
• These are created when a user switches a folder to thumbnail mode or views pictures via a slide show. As it were, our thumbs are now stored in separate database files. Win7+ has 4 sizes for thumbnails and the files in the cache folder reflect this:
 - 32 -> small
 - 96 -> medium
 - 256 -> large
 - 1024 -> extra large
• The thumbcache will store the thumbnail copy of the picture based on the thumbnail size in the content of the equivalent database file.

Thumbs.db
Location
• Automatically created anywhere with homegroup enabled
• Automatically created anywhere and accessed via a UNC Path (local or remote)
Interpretation: Include:
• Thumbnail Picture of Original Picture
• Document Thumbnail – Even if Deleted
• Last Modification Time (XP Only)
• Original Filename (XP Only)

Win7/8/10 Recycle Bin
Description: The recycle bin is a very important location on a Windows file system to understand. It can help you when accomplishing a forensic investigation, as every file that is deleted from a Windows recycle bin aware program is generally first put in the recycle bin.
Location: Hidden System Folder

IE|Edge file://
Description (Win7/8/10): A little-known fact about the IE History is that the information stored in the history files is not just related to Internet browsing. The history also records local and remote (via network shares) file access, giving us an excellent means for determining which files and applications were accessed on the system, day by day.
Location (Win7/8/10): Hidden System Folder
• C:\$Recycle.bin
• Deleted Time and Original Filename contained in separate files for each deleted recovery file
• SID can be mapped to user via Registry Analysis
• Win7/8/10
 - Files preceded by $I###### contain:
  • Original PATH and name
  • Deletion Date/Time
 - Files preceded by $R###### contain:
  • Recovery Data

IE|Edge file://
Location
Internet Explorer:
• IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
• IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation
• Stored in index.dat as: file:///C:/directory/filename.ext
• Does not mean file was opened in browser

Last-Visited MRU
Location
• XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
• Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Interpretation: Tracks the application executables used to open files in OpenSaveMRU and the last file path used.

XP Recycle Bin
Description: The recycle bin is a very important location on a Windows file system to understand. It can help you when accomplishing a forensic investigation, as every file that is deleted from a Windows recycle bin aware program is generally first put in the recycle bin.
Location (Windows XP): Hidden System Folder
• C:\RECYCLER (2000/NT/XP/2003)
• Subfolder is created with user’s SID
• Hidden file in directory called “INFO2”
• INFO2 contains Deleted Time and Original Filename
• Filename in both ASCII and UNICODE
Interpretation
• SID can be mapped to user via Registry Analysis
• Maps file name to the actual name and path it was deleted from

Downloads
Interpretation: Downloads will include:
• Filename, Size, and Type
• Download from and Referring Page
• File Save Location
• Application Used to Open File
• Download Start and End Times

ADS Zone.Identifier
Interpretation: Files with an ADS Zone.Identifier that contains ZoneID=3 were downloaded from the Internet
• URLZONE_TRUSTED = ZoneID = 2
• URLZONE_INTERNET = ZoneID = 3
• URLZONE_UNTRUSTED = ZoneID = 4

Search – WordWheelQuery
Description: Keywords searched for from the START menu bar on a Windows 7 machine.
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Thumbcache
Description: Thumbnails of pictures, office documents, and folders exist in a database called the thumbcache. Each user will have their own database based on the thumbnail sizes viewed by the user (small, medium, large, and extra-large)

Win7/8/10 Last-Visited MRU
Description: Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application.

Thumbs.db
Description: Hidden file in directory where images on machine exist stored in a smaller thumbnail graphics.
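The $I###### / $R###### pairing described above is easy to check by hand. The Python below is an added example for this lecture (not code from the SANS poster): it parses a $I metadata file into its original path, size and deletion time, derives the matching $R recovery file name, and pulls the owning SID out of the C:\$Recycle.bin\<SID>\ path so it can be mapped to a user via registry analysis. The on-disk layout is an assumption taken from the publicly documented $I format, and the sample bytes are constructed here, not real evidence.

```python
# Added example (not from the SANS poster or the lecture): parse a Win7/8/10
# Recycle Bin $I###### metadata file. Layout assumed from the public $I format,
# all fields little-endian:
#   0x00  8 bytes  version (1 = Win7/8, 2 = Win10)
#   0x08  8 bytes  original file size
#   0x10  8 bytes  deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x18  v1: 520 bytes UTF-16LE original path, NUL padded
#         v2: 4-byte path length in UTF-16 code units (incl. NUL), then the path
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    return int((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Return version, original size, deletion time and original path of a $I file."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def recovery_file_for(dollar_i_name: str) -> str:
    """$I and $R files share the random suffix: $I3F2A1B.xlsx -> $R3F2A1B.xlsx."""
    if not dollar_i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + dollar_i_name[2:]


def sid_from_recycle_path(full_path: str) -> str:
    # The per-user subfolder of C:\$Recycle.bin is named after the user's SID;
    # that SID is what registry analysis (SAM / ProfileList) maps back to a user.
    for part in full_path.replace("/", "\\").split("\\"):
        if part.upper().startswith("S-1-5-"):
            return part
    raise ValueError("no SID component in path")


def build_dollar_i(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Construct a $I file body for the constructed sample below."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed sample (not real evidence): a spreadsheet deleted on 15 Mar 2020 10:30 UTC.
SAMPLE_DELETED = datetime(2020, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\Rob\Desktop\budget.xlsx"
SAMPLE_V1 = build_dollar_i(1, SAMPLE_PATH, 10240, SAMPLE_DELETED)
SAMPLE_V2 = build_dollar_i(2, SAMPLE_PATH, 10240, SAMPLE_DELETED)
SAMPLE_BIN_PATH = r"C:\$Recycle.bin\S-1-5-21-1004336348-1177238915-682003330-1001\$I3F2A1B.xlsx"

if __name__ == "__main__":
    for blob in (SAMPLE_V1, SAMPLE_V2):
        rec = parse_dollar_i(blob)
        print(rec["version"], rec["deleted_utc"].isoformat(), rec["size"], rec["original_path"])
    print(sid_from_recycle_path(SAMPLE_BIN_PATH), recovery_file_for("$I3F2A1B.xlsx"))
```

The deletion timestamp is reported in UTC; convert it with the TimeZoneInformation key collected from the same system before comparing it with local-time sources such as setupapi logs.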
Thumbs.db (continued): thumbs.db catalogs pictures in a folder and stores a copy of the thumbnail even if the pictures were deleted.
Location: WinXP / Win8|8.1

ADS Zone.Identifier
Description: Starting with XP SP2, when files are downloaded from the “Internet Zone” via a browser to an NTFS volume, an alternate data stream is added to the file. The alternate data stream is named “Zone.Identifier.”

Network Activity/Physical Location

Timezone
Description: Identifies the current system time zone.
Location: SYSTEM Hive: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Interpretation
• Time activity is incredibly useful for correlation of activity
• Internal log files and date/timestamps will be based on the system time zone information
• You might have other network devices and you will need to correlate information to the time zone information collected here.

Network History
Description
• Identify networks that the computer has been connected to
• Networks could be wireless or wired
• Identify domain name/intranet name
• Identify SSID
• Identify Gateway MAC Address
Location (Win7/8/10) SOFTWARE HIVE:
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Interpretation
• Identifying intranets and networks that a computer has connected to is incredibly important
• Not only can you determine the intranet name, you can determine the last time the network was connected to it based on the last write time of the key
• This will also list any networks that have been connected to via a VPN
• MAC Address of SSID for Gateway could be physically triangulated

Cookies
Description: Cookies give insight into what websites have been visited and what activities may have taken place there.
Location
Internet Explorer
• IE6-8: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE10: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE11: %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
Firefox
• XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\cookies.sqlite
• Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
Chrome
• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage
• Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage

Browser Usage – History / Browser Search Terms
Description: Records websites visited by date and time. Details stored for each local user account. Records number of times visited (frequency). Also tracks access of local system files. This will also include the website history of search terms in search engines.
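The Zone.Identifier stream is small INI-style text, so the ZoneId interpretation given on the poster (2 = trusted, 3 = Internet, 4 = untrusted) can be automated. The Python below is an added example, not code from the SANS poster: it parses a stream body and classifies the zone, and on a live Windows NTFS volume it can open the stream directly through the `file:Zone.Identifier` syntax. The URLZONE names for 0 and 1 are the documented local-machine and intranet zones (not listed on the poster); the sample stream body is constructed here.

```python
# Added example (not from the poster): interpret the Zone.Identifier alternate
# data stream that Windows attaches to files downloaded from the Internet Zone.
import configparser
import sys
from typing import Optional

# URLZONE values of the Windows URL security zones. The poster lists 2, 3 and 4;
# 0 and 1 are the documented local machine and intranet zones.
URLZONE = {
    0: "URLZONE_LOCAL_MACHINE",
    1: "URLZONE_INTRANET",
    2: "URLZONE_TRUSTED",
    3: "URLZONE_INTERNET",
    4: "URLZONE_UNTRUSTED",
}

# Constructed sample stream body; newer browsers also record where the file came from.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/\r\n"
    "HostUrl=https://cdn.example.com/tool.exe\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream body and classify the zone it records."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the ZoneId / HostUrl capitalisation
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": URLZONE.get(zone_id, "UNKNOWN"),
        "downloaded_from_internet": zone_id == 3,  # the poster's indicator
        "referrer_url": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read <path>:Zone.Identifier on a live NTFS volume (Windows only).

    Returns None when the file carries no such stream, i.e. it was not
    downloaded from the Internet Zone or the stream has been stripped.
    """
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable this way on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info["zone_name"], "from", info["host_url"], "via", info["referrer_url"])
```

Absence of the stream is not proof that a file was created locally: the stream is lost when the file is copied to a non-NTFS volume or explicitly unblocked, so treat a missing Zone.Identifier as "no evidence of download" rather than "not downloaded".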
Browser Usage – History (continued)
Location
Internet Explorer
• IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
• IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox
• XP: %userprofile%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
• Win7/8/10: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite

WLAN Event Log
Description: Determine what wireless networks the system associated with and identify network characteristics to find location
Relevant Event IDs
• 11000 – Wireless network association started
• 8001 – Successful connection to wireless network
• 8002 – Failed connection to wireless network
• 8003 – Disconnect from wireless network
• 6100 – Network diagnostics (System log)
Location: Microsoft-Windows-WLAN-AutoConfig Operational.evtx
Interpretation
• Shows historical record of wireless network connections
• Contains SSID and BSSID (MAC address), which can be used to geolocate wireless access point *(no BSSID on Win8+)

System Resource Usage Monitor (SRUM)
Description: Records 30 to 60 days of historical system performance. Applications run, user account responsible for each, and application and bytes sent/received per application per hour.
Location
• SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions
 - {973F5D5C-1D90-4944-BE8E-24B94231A174} = Windows Network Data Usage Monitor
 - {DD6636C4-8929-4683-974E-22C046A43763} = Windows Network Connectivity Usage Monitor
• SOFTWARE\Microsoft\WlanSvc\Interfaces\
• C:\Windows\System32\SRU\
Interpretation: Use a tool such as srum_dump.exe to cross-correlate the data between the registry keys and the SRUM ESE Database.

File/Folder Opening

Open/Save MRU
Description: In the simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and Firefox, but also a majority of commonly used applications.
Location
• XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
• Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Interpretation
• The “*” key – This subkey tracks the most recent files of any extension input in an OpenSave dialog
• .??? (Three letter extension) – This subkey stores file info from the OpenSave dialog by specific extension

Shell Bags
Description: Which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed.
Location
Explorer Access:
• USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
• USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Desktop Access:
• NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
• NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Interpretation: Stores information about which folders were most recently browsed by the user.

Last-Visited MRU
Description: Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application. Example: Notepad.exe was last run using the C:\Users\Rob\Desktop folder
Location
• XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
• Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Interpretation: Tracks the application executables used to open files in OpenSaveMRU and the last file path used.

Recent Files
Description: Registry Key that will track the last files and folders opened and is used to populate data in “Recent” menus of the Start menu.
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Interpretation
• RecentDocs – Overall key will track the overall order of the last 150 files or folders opened. MRU list will keep track of the temporal order in which each file/folder was opened. The last entry and modification time of this key will be the time and location the last file of a specific extension was opened.
• .??? – This subkey stores the last files with a specific extension that were opened. MRU list will keep track of the temporal order in which each file was opened. The last entry and modification time of this key will be the time when and location where the last file of a specific extension was opened.
• Folder – This subkey stores the last folders that were opened. MRU list will keep track of the temporal order in which each folder was opened. The last entry and modification time of this key will be the time and location of the last folder opened.

Shortcut (LNK) Files
Description: Shortcut files automatically created by Windows
• Recent Items
• Opening local and remote data files and documents will generate a shortcut file (.lnk)
Location
• XP: C:\%USERPROFILE%\Recent
Interpretation
• Date/Time file of that name was first opened - Creation Date of Shortcut (LNK) File
• Date/Time file of that name was last opened - Last Modification Date of Shortcut (LNK) File
• LNK Target File (Internal LNK File Information) Data:
 - Modified, Access, and Creation times of the target file
 - Volume Information (Name, Type, Serial Number)
 - Network Share information
 - Original Location
 - Name of System

Jump Lists
Description
• The Windows 7 task bar (Jump List) is engineered to allow users to “jump” or access items they have frequently or recently used quickly and easily. This functionality can not only include recent media files; it must also include recent tasks.
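The "MRU list keeps the temporal order" statement for RecentDocs (and its .??? and Folder subkeys) refers to the MRUListEx value: a sequence of 32-bit indices, most recent first, terminated by 0xFFFFFFFF, each pointing at a numbered value whose data begins with the NUL-terminated UTF-16LE file name. The Python below is an added example (not the poster's code) that reconstructs that order from an exported value set; the value contents are constructed here, and `load_live_recentdocs` is an assumption-free reading of the current user's key with the standard-library `winreg` module for use on a Windows analysis box.

```python
# Added example (not from the SANS poster): reconstruct the temporal order of
# RecentDocs entries from the MRUListEx value.
import struct
from typing import Dict, List

TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> List[int]:
    """Return the value indices in MRU order (first element = most recently used)."""
    order = []
    usable = data[: len(data) - len(data) % 4]        # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def leading_utf16_name(data: bytes) -> str:
    """Extract the NUL-terminated UTF-16LE string that starts a RecentDocs value."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def order_recent_docs(values: Dict[str, bytes]) -> List[str]:
    """Map a RecentDocs (or .??? / Folder subkey) value set to names, most recent first."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        blob = values.get(str(idx))
        if blob is not None:            # a dangling index means the value was removed
            names.append(leading_utf16_name(blob))
    return names


def _value(name: str) -> bytes:
    # Constructed value body: file name + NUL, then a stand-in for the shell item
    # that follows it in real hives (we never interpret those bytes).
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x2e" + b"\x00" * 5


# Constructed RecentDocs key contents (not from a real hive): value "2" was used last.
SAMPLE_RECENTDOCS = {
    "0": _value("report.docx"),
    "1": _value("notes.txt"),
    "2": _value("budget.xlsx"),
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, TERMINATOR),
}


def load_live_recentdocs() -> Dict[str, bytes]:
    """Windows only: read the current user's RecentDocs values with winreg."""
    import winreg  # not available off Windows
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    values: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        n_values = winreg.QueryInfoKey(key)[1]
        for i in range(n_values):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values


if __name__ == "__main__":
    for rank, name in enumerate(order_recent_docs(SAMPLE_RECENTDOCS), 1):
        print(rank, name)
```

Only the position in MRUListEx is ordered; the key's last-write time (QueryInfoKey's third element on a live system, or the hive's key timestamp offline) dates just the most recent entry, exactly as the poster's interpretation states.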
Jump Lists (continued)
• The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application and embedded with LNK files in each stream.
Location (Win7/8/10): C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Interpretation
• Using the Structured Storage Viewer, open up one of the AutomaticDestination jumplist files.
• Each one of these files is a separate LNK file. They are also stored numerically in order from the earliest one (usually 1) to the most recent (largest integer value).

Prefetch
Description
• Increases performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file. Utilized to know an application was executed on a system.
• Limited to 128 files on XP and Win7
• Limited to 1024 files on Win8-10
• (exename)-(hash).pf
Location (WinXP/7/8/10): C:\Windows\Prefetch
Interpretation
• Can examine each .pf file to look for file handles recently used
• Can examine each .pf file to look for device handles recently used

Account Usage

Success/Fail Logons
Description: Logon Events can give us very specific information regarding the nature of account authorizations on a system if we know where to look and how to decipher the data that we find. In addition to telling us the date, time, username, hostname, and success/failure status of a logon, Logon Events also enable us to determine by exactly what means a logon was attempted.

Last Login
Location: C:\windows\system32\config\SAM
Interpretation: Only the last login time will be stored in the registry key

Last Password Change
Description: Lists the last time the password of a specific local user has been changed.
Location: C:\windows\system32\config\SAM

IE|Edge file://
Description: A little known fact about the IE History is that the information stored in the history files is not just related to Internet browsing. The history also records local, removable, and remote (via network shares) file access, giving us an excellent means for determining which files and applications were accessed on the system, day by day.
Location
Internet Explorer:
• IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
• IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation
• Stored in index.dat as: file:///C:/directory/filename.ext
• Does not mean file was opened in browser

Office Recent Files
Description: MS Office programs will track their own Recent Files list to make it easier for users to remember the last file they were editing.
Location
• NTUSER.DAT\Software\Microsoft\Office\VERSION
 - 10.0 = Office XP
 - 11.0 = Office 2003
 - 12.0 = Office 2007
 - 14.0 = Office 2010
 - 15.0 = Office 365
• NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU
Interpretation: Similar to the Recent Files, this will track the last files that were opened by each MS Office application. The last entry added, per the MRU, will be the time the last file was opened by a specific MS Office application.

External Device/USB Usage

Key Identification
Description: Track USB devices plugged into a machine.
Location
• SYSTEM\CurrentControlSet\Enum\USBSTOR
• SYSTEM\CurrentControlSet\Enum\USB
Interpretation
• Identify vendor, product, and version of a USB device plugged into a machine
• Identify a unique USB device plugged into the machine
• Determine the time a device was plugged into the machine
• Devices that do not have a unique serial number will have an “&” in the second character of the serial number.

First/Last Times
Description: Determine temporal usage of specific USB devices connected to a Windows Machine.
Location
First Time – Plug and Play Log Files
• XP: C:\Windows\setupapi.log
• Win7/8/10: C:\Windows\inf\setupapi.dev.log
Interpretation
• Search for Device Serial Number
• Log File times are set to local time zone

First, Last, and Removal Times (Win7/8/10 Only)
Location: System Hive: \CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
• 0064 = First Install (Win7-10)
• 0066 = Last Connected (Win8-10)
• 0067 = Last Removal (Win8-10)

User
Description: Find User that used the Unique USB Device.
Location
• Look for GUID from SYSTEM\MountedDevices
• NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Interpretation: This GUID will be used next to identify the user that plugged in the device. The last write time of this key also corresponds to the last time the device was plugged into the machine by that user. The number will be referenced in the user’s personal mountpoints key in the NTUSER.DAT Hive.

PnP Events
Description: When a Plug and Play driver install is attempted, the service will log an ID 20001 event and provide a Status within the event. It is important to note that this event will trigger for any Plug and Play-capable device, including but not limited to USB, Firewire, and PCMCIA devices.
Location: System Log File, Win7/8/10: %system root%\System32\winevt\logs\System.evtx
Interpretation
• Event ID: 20001 – Plug and Play driver install attempted
• Event ID 20001 contains:
 - Timestamp
 - Device information
 - Device serial number
 - Status (0 = no errors)

Volume Serial Number
Description: Discover the Volume Serial Number of the Filesystem Partition on the USB. (NOTE: This is not the USB Unique Serial Number, which is hardcoded into the device firmware.)

Drive Letter and Volume Name
Location (Win7/8/10)
• SOFTWARE\Microsoft\Windows Portable Devices\Devices
• SYSTEM\MountedDevices - Examine Drive Letters looking at Value Data looking for Serial Number
Interpretation: Identify the USB device that was last mapped to a specific drive letter. This technique will only work for the last drive mapped. It does not contain historical records of every drive letter mapped to a removable drive.

RDP Usage
Location: Security Log %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
Interpretation (Win7/8/10)
• Event ID 4778 – Session Connected/Reconnected
• Event ID 4779 – Session Disconnected
• Event log provides hostname and IP address of remote machine making the connection
• On workstations you will often see current console session disconnected (4779) followed by RDP connection (4778)

Services Events
Interpretation
• Analyze logs for suspicious services running at boot time
• Review services started or stopped around the time of a suspected compromise
Shortcut (LNK) Files
Description: Shortcut files automatically created by Windows
• Recent Items
• Opening local and remote data files and documents will generate a shortcut file (.lnk)
Location
• XP: %USERPROFILE%\Recent
• Win7/8/10: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
• Win7/8/10: %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent
Interpretation
• Date/Time file of that name was first opened - Creation Date of Shortcut (LNK) File
• Date/Time file of that name was last opened - Last Modification Date of Shortcut (LNK) File
• LNK Target File (Internal LNK File Information) Data:
 - Modified, Access, and Creation times of the target file
 - Volume Information (Name, Type, Serial Number)
 - Network Share information
 - Original Location
 - Name of System

Volume Serial Number
Location: SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EMDMgmt
Interpretation
• Use Volume Name and USB Unique Serial Number to:
 - Find last integer number in line
 - Convert Decimal Serial Number into Hex Serial Number
• Knowing both the Volume Serial Number and the Volume Name, you can correlate the data across SHORTCUT File (LNK) analysis and the RECENTDOCs key.
• The Shortcut File (LNK) contains the Volume Serial Number and Name
• RecentDocs Registry Key, in most cases, will contain the volume name when the USB device is opened via Explorer

Authentication Events
Description: Authentication mechanisms
Location: Recorded on system that authenticated credentials
• Local Account/Workgroup = on workstation
• Domain/Active Directory = on domain controller
• Win7/8/10: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
Interpretation
Event ID Codes (NTLM protocol)
• 4776: Successful/Failed account authentication
Event ID Codes (Kerberos protocol)
• 4768: Ticket Granting Ticket was granted (successful logon)
• 4769: Service Ticket requested (access to server resource)
• 4771: Pre-authentication failed (failed logon)

Services Events
Interpretation
• All Event IDs except 4697 reference the System Log
• 7034 – Service crashed unexpectedly
• 7035 – Service sent a Start/Stop control
• 7036 – Service started or stopped
• 7040 – Start type changed (Boot | On Request | Disabled)
• 7045 – A service was installed on the system (Win2008R2+)
• 4697 – A service was installed on the system (from Security log)
• A large amount of malware and worms in the wild utilize Services
• Services started on boot illustrate persistence (desirable in malware)
• Services can crash due to attacks like process injection

Success/Fail Logons
Description: Determine which accounts have been used for attempted logons. Track account usage for known compromised accounts.
Location (Win7/8/10): %system root%\System32\winevt\logs\Security.evtx
Interpretation (Win7/8/10)
• 4624 – Successful Logon
• 4625 – Failed Logon
• 4634 | 4647 – Successful Logoff
• 4648 – Logon using explicit credentials (Runas)
• 4672 – Account logon with superuser rights (Administrator)
• 4720 – An account was created

Logon Types (Win7/8/10, Event ID 4624)
Logon Type – Explanation
• 2 – Logon via console
• 3 – Network Logon
• 4 – Batch Logon
• 5 – Windows Service Logon
• 7 – Credentials used to unlock screen
• 8 – Network logon sending credentials (cleartext)
• 9 – Different credentials used than logged on user
• 10 – Remote interactive logon (RDP)
• 11 – Cached credentials used to logon
• 12 – Cached remote interactive (similar to Type 10)
• 13 – Cached unlock (similar to Type 7)

RDP Usage
Description: Track Remote Desktop Protocol logons to target machines.

Browser Usage History
Description: Records websites visited by date and time. Details stored for each local user account. Records number of times visited (frequency). Also tracks access of local system files.

Drive Letter and Volume Name
Description: Discover the last drive letter of the USB Device when it was plugged into the machine.
Location (XP)
• Find ParentIdPrefix – SYSTEM\CurrentControlSet\Enum\USBSTOR
• Using ParentIdPrefix Discover Last Mount Point – SYSTEM\MountedDevices
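Once Security.evtx has been exported to records (with a log parser of your choice), the event IDs and logon types tabulated above turn into a few simple questions: which accounts had failed logons, who logged on interactively over RDP, and how long each RDP session lasted (4778 connect paired with the following 4779 disconnect). The Python below is an added example for the lecture, not code from the SANS poster; the event records are constructed, and the `src` field stands in for the source address the poster says 4778 provides.

```python
# Added example (not from the poster): triage exported Security.evtx logon events.
# The records below are constructed for illustration, not real evidence.
from collections import Counter
from typing import Dict, List, Tuple

EVENT_NAMES = {
    4624: "Successful Logon",
    4625: "Failed Logon",
    4634: "Successful Logoff",
    4647: "Successful Logoff",
    4648: "Logon using explicit credentials (Runas)",
    4672: "Account logon with superuser rights (Administrator)",
    4720: "An account was created",
    4776: "NTLM account authentication",
    4778: "RDP Session Connected/Reconnected",
    4779: "RDP Session Disconnected",
}

LOGON_TYPES = {
    2: "Logon via console", 3: "Network Logon", 4: "Batch Logon",
    5: "Windows Service Logon", 7: "Credentials used to unlock screen",
    8: "Network logon sending credentials (cleartext)",
    9: "Different credentials used than logged on user",
    10: "Remote interactive logon (RDP)", 11: "Cached credentials used to logon",
    12: "Cached remote interactive (similar to Type 10)",
    13: "Cached unlock (similar to Type 7)",
}

# Constructed sample: one normal console user and one service account that fails
# twice over the network, then succeeds over RDP.
SAMPLE_EVENTS = [
    {"time": "2021-05-03T08:02:11", "id": 4624, "account": "jsmith", "logon_type": 2, "src": "-"},
    {"time": "2021-05-03T08:02:12", "id": 4672, "account": "jsmith", "logon_type": None, "src": "-"},
    {"time": "2021-05-03T21:14:05", "id": 4625, "account": "svc_backup", "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2021-05-03T21:14:09", "id": 4625, "account": "svc_backup", "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2021-05-03T21:14:20", "id": 4624, "account": "svc_backup", "logon_type": 10, "src": "10.0.0.23"},
    {"time": "2021-05-03T21:14:21", "id": 4778, "account": "svc_backup", "logon_type": None, "src": "10.0.0.23"},
    {"time": "2021-05-03T22:40:00", "id": 4779, "account": "svc_backup", "logon_type": None, "src": "10.0.0.23"},
    {"time": "2021-05-04T09:00:00", "id": 4634, "account": "jsmith", "logon_type": 2, "src": "-"},
]


def describe(ev: dict) -> str:
    """Human-readable event name, with the logon type spelled out for 4624/4625."""
    name = EVENT_NAMES.get(ev["id"], f"Event {ev['id']}")
    lt = ev.get("logon_type")
    if ev["id"] in (4624, 4625) and lt is not None:
        name += f" [type {lt}: {LOGON_TYPES.get(lt, 'unknown')}]"
    return name


def account_timeline(events: List[dict], account: str) -> List[str]:
    """Chronological activity of one account, e.g. a known compromised one."""
    rows = sorted((e for e in events if e["account"] == account), key=lambda e: e["time"])
    return [f"{e['time']} {describe(e)} from {e['src']}" for e in rows]


def failed_logons_by_account(events: List[dict]) -> Dict[str, int]:
    return dict(Counter(e["account"] for e in events if e["id"] == 4625))


def remote_interactive_logons(events: List[dict]) -> List[Tuple[str, str, str]]:
    """4624 with logon type 10 or 12: someone logged on over RDP."""
    return [(e["time"], e["account"], e["src"])
            for e in events if e["id"] == 4624 and e.get("logon_type") in (10, 12)]


def rdp_sessions(events: List[dict]) -> List[dict]:
    """Pair each 4778 (connect) with the next 4779 (disconnect) for the same account."""
    open_sessions: Dict[str, dict] = {}
    sessions = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4778:
            open_sessions[e["account"]] = e
        elif e["id"] == 4779 and e["account"] in open_sessions:
            start = open_sessions.pop(e["account"])
            sessions.append({"account": e["account"], "src": start["src"],
                             "start": start["time"], "end": e["time"]})
    for acct, start in open_sessions.items():       # connected, never seen to disconnect
        sessions.append({"account": acct, "src": start["src"], "start": start["time"], "end": None})
    return sessions


if __name__ == "__main__":
    print(failed_logons_by_account(SAMPLE_EVENTS))
    print(remote_interactive_logons(SAMPLE_EVENTS))
    print(rdp_sessions(SAMPLE_EVENTS))
    print("\n".join(account_timeline(SAMPLE_EVENTS, "svc_backup")))
```

For domain accounts the 4624 on the workstation only shows that a logon happened there; the 4768/4769/4771 Kerberos and 4776 NTLM events listed under Authentication Events live on the domain controller and must be collected separately.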
Last Login
Description: Lists the local accounts of the system and their equivalent security identifiers.
Location: SAM\Domains\Account\Users
Interpretation: Only the last login time will be stored in the registry key

Last Password Change
Location: SAM\Domains\Account\Users
Interpretation: Only the last password change time will be stored in the registry key

Logon Types (Win7/8/10): Event ID 4624

Prefetch
Location: C:\Windows\Prefetch

Shortcut (LNK) Files
Location (Win7/8/10)
• C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
• C:\%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\
Note these are primary locations of LNK files. They can also be found in other locations.

Last-Visited MRU
Location (XP): NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Browser Usage – History
Location
Internet Explorer
• IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
• IE10, 11, Edge: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox
• XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite
• Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite
Chrome
• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\History
• Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History

Cookies
Description: Cookies give insight into what websites have been visited and what activities may have taken place there.
Location
Internet Explorer
• IE8-9: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE10: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
• IE11: %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
• Edge: %USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge_<APPID>\AC\MicrosoftEdge\Cookies
Firefox
• XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\cookies.sqlite
• Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
Chrome
• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\
• Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\

Cache
Description
• The cache is where web page components can be stored locally to speed up subsequent visits
• Gives the investigator a “snapshot in time” of what a user was looking at online
 - Identifies websites which were visited
 - Provides the actual files the user viewed on a given website
 - Cached files are tied to a specific local user account
 - Timestamps show when the site was first saved and last viewed
Location
Internet Explorer
• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
• IE10: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
• IE11: %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE
• Edge: %USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge_<APPID>\AC\MicrosoftEdge\Cache
Firefox
• XP: %USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\Cache
• Win7/8/10: %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<randomtext>.default\Cache
Chrome
• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache - data_# and f_######
• Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\ - data_# and f_######

Flash & Super Cookies
Description: Local Stored Objects (LSOs), or Flash Cookies, have become ubiquitous on most systems due to the extremely high penetration of Flash applications across the Internet.
They tend to be much more persistent because they do not expire, and there is no built-in mechanism within the browser to remove them. In fact, many sites have begun using LSOs for their tracking mechanisms because they rarely get cleared like traditional cookies.
Location
• Win7/8/10: %APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects\<randomprofileid>
Interpretation
• Websites visited
• User account used to visit the site
• When cookie was created and last accessed

Session Restore
Description: Automatic Crash Recovery features built into the browser.
Location
• Internet Explorer, Win7/8/10: %USERPROFILE%/AppData/Local/Microsoft/Internet Explorer/Recovery
• Firefox, Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\sessionstore.js
• Chrome, Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\ (Files = Current Session, Current Tabs, Last Session, Last Tabs)
Interpretation
• Historical websites viewed in each tab
• Referring websites
• Time session ended
 - Modified time of .dat files in LastActive folder
• Time each tab opened (only when crash occurred)
 - Creation time of .dat files in Active folder

Google Analytics Cookies
Description: Google Analytics (GA) has developed an extremely sophisticated methodology for tracking site visits, user activity, and paid search. Since GA is largely free, it has a commanding share of the market, estimated at over 80% of sites using traffic analysis and over 50% of all sites.
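The legacy Google Analytics cookies are dot-separated fields, so the interpretation the poster gives for __utma, __utmb and __utmz (domain hash, visitor id, visit times and counts, traffic source and keyword) can be decoded directly from a cookie store or a captured Cookie header. The Python below is an added example, not code from the SANS poster; the field layout follows the widely documented legacy GA format, timestamps are Unix seconds, and the cookie string is constructed here with arbitrary hash and visitor values.

```python
# Added example (not from the poster): decode the legacy Google Analytics
# first-party cookies (__utma, __utmb, __utmz) found in a browser cookie store.
from datetime import datetime, timezone
from typing import Dict
from urllib.parse import unquote


def _ts(value: str) -> datetime:
    """GA stores times as Unix seconds; report them as aware UTC datetimes."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_utma(value: str) -> dict:
    """domainhash.visitorid.firstvisit.previousvisit.currentvisit.visitcount"""
    h, vid, first, prev, cur, count = value.split(".")
    return {"domain_hash": h, "visitor_id": vid, "cookie_created": _ts(first),
            "previous_visit": _ts(prev), "most_recent_visit": _ts(cur), "visits": int(count)}


def parse_utmb(value: str) -> dict:
    """domainhash.pageviews.outboundclicks.sessionstart"""
    h, views, clicks, start = value.split(".")
    return {"domain_hash": h, "page_views": int(views), "outbound_clicks": int(clicks),
            "session_started": _ts(start)}


def parse_utmz(value: str) -> dict:
    """domainhash.lastupdate.visits.sourcecount.utmcsr=..|utmccn=..|utmcmd=..|utmctr=.."""
    # The campaign segment may itself contain dots (e.g. utmcsr=bing.com), so
    # split off at most four leading fields.
    h, updated, visits, sources, params = value.split(".", 4)
    campaign = {}
    for item in params.split("|"):
        key, _, val = item.partition("=")
        campaign[key] = unquote(val)
    return {"domain_hash": h, "last_update": _ts(updated), "visits": int(visits),
            "source_count": int(sources),
            "source": campaign.get("utmcsr"), "campaign": campaign.get("utmccn"),
            "access_method": campaign.get("utmcmd"), "keyword": campaign.get("utmctr")}


PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_cookie_header(header: str) -> Dict[str, dict]:
    """Split 'name=value; name=value' and decode every GA cookie present."""
    out: Dict[str, dict] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name in PARSERS:
            out[name] = PARSERS[name](value)
    return out


# Constructed sample; hash and visitor id are arbitrary, times are Unix seconds in May 2020.
SAMPLE_COOKIES = (
    "__utma=173272373.1234567890.1589000000.1589500000.1590000000.3; "
    "__utmb=173272373.4.1.1590000000; "
    "__utmz=173272373.1590000000.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=forensic%20tools"
)

if __name__ == "__main__":
    for name, fields in parse_cookie_header(SAMPLE_COOKIES).items():
        print(name, fields)
```

The keyword field (utmctr) is only populated for non-SSL referrals, as the poster notes, so its absence does not mean the visit was not a search-engine referral.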
Interpretation
__utma – Unique visitors
• Domain Hash
• Visitor ID
• Cookie Creation Time
• Time of 2nd most recent visit
• Time of most recent visit
• Number of visits
__utmb – Session tracking
• Domain hash
• Page views in current session
• Outbound link clicks
• Time current session started
__utmz – Traffic sources
• Domain Hash
• Last Update time
• Number of visits
• Number of different types of visits
• Source used to access site
• Google Adwords campaign name
• Access Method (organic, referral, cpc, email, direct)
• Keyword used to find site (non-SSL only)

INCS712 Lecture 3 COMPUTER FORENSICS: Forensic Analysis

Preparing a Digital Forensics Investigation
◉ The role of the digital forensics professional is to
 o Gather evidence to prove that a suspect committed a crime or violated a company policy
 o Collect evidence that can be offered in court or at a corporate inquiry
 o Preserve the evidence on a different computer
 o Investigate the suspect’s computer
 o Present the findings
◉ Chain of custody
 o Route the evidence takes from the time you find it until the case is closed or goes to court

Important Factors
◉ Legal procedures
 o Not compromising evidence
◉ Treat every piece of evidence as if it will be used in court
◉ Documentation
◉ Chain of Custody
◉ Write Blocker
◉ Imaging
 o Bit by bit copy of a piece of electronic media (Hard drive)

What Should be Avoided During an Investigation?
◉ Changing data o Changing time or date stamps o Changing files ◉ Overwriting unallocated disk space o This can happen when re-booting Common Computer Forensic Software ◉ OpenText(Guidance Software) - EnCase Forensic ◉ Accessdata - FTK ◉ X-Ways ◉ Cellebrite - UFED ◉ MSAB - XRY ◉ Blackbag - MacQuisition ◉ Magnet - Axiom ◉ Oxygen Forensics ◉ Griffeye ◉ Nuix EnCase Forensic ◉ Acquisition ◉ Reporting ◉ EnScript : o Scripting facility o Various API's for interacting with evidence ◉ Collect, Analyze and examine data o Deleted files o Unallocated space o File slack ◉ Duplicates of original data (Imaging) o Accuracy can be verified by hash and Cyclic Redundancy Check values EnCase Forensic ◉ Many operating systems o o o o Windows Linux Apple iOS Sun/Oracle Solaris ◉ Supported smartphones ◉ Recommended to run on Window operating system EnCase Forensic File Signatures EnCase Gallery EnCase Document View Deleted Files Investigation Search 14 Perform a Search ◉ Raw Search o A search based on keywords that search the entire drive for a match o Slow process on larger drives ◉ Indexed Search o A search that requires the drive to be indexed o Indexing can take a long time o Searches are instantaneous Indexed Search Bookmark Specific Evidence ◉ Bookmark Findings o o o o o o o Raw Text Bookmarks Data Structure Bookmarks Notable File Bookmarks Multiple Notable File Bookmarks Note Bookmarks Table Bookmarks Transcript Bookmarks Bookmark Screen Tools and Approaches 19 Understanding Forensic Workstations and Software ◉ Investigations are conducted in a computer forensics lab ◉ Computer forensics workstation o A specially configured PC o Loaded with additional bays and forensics software ◉ To avoid altering the evidence use: o Write-blockers devices o Enable you to boot to Windows without writing data to the evidence drive Setting Up Your Workstation for Digital Forensics ◉ Basic requirements o o o o o o o A workstation running Windows 10 or newer OS A write-blocker device Digital 
forensics acquisition tool
o Digital forensics analysis tool
o Target drive to receive the source or suspect disk data
o Spare PATA and/or SATA ports
o USB ports

Setting Up Your Workstation for Digital Forensics
◉ Additional useful items
o Network interface card (NIC)
o Extra USB ports
o FireWire 400/800 ports
o SCSI (Small Computer System Interface) card
o Disk editor tool
o Text editor tool
o Graphics viewer program
o Other specialized viewing tools

Understanding Forensic Workstations and Software

Setting Up Your Workstation for Digital Forensics
◉ Disable Autorun / AutoPlay
◉ Make USB devices read-only
◉ Disable automount
◉ Disable search indexing
◉ Patching and verification
◉ Carefully consider the antivirus / antimalware program
◉ Show hidden files / extensions
◉ Power management off
◉ Disable Windows Updates
https://digital-forensics.sans.org/blog/2010/12/17/digital-forensics-configure-windows-investigative-workstations/

Gathering Resources
◉ Gather the resources identified in the investigation plan
◉ Items needed
o Original storage media
o Evidence custody form
o Evidence container for the storage media
o Imaging tool
o Forensic workstation to copy and examine your evidence
o Securable evidence locker, cabinet, or safe

Collecting the Evidence
◉ Avoid damaging the evidence
◉ Steps
o Meet the IT manager to interview him or her
o Fill out the evidence form and have the IT manager sign it
o Place the evidence in a secure container
o Carry the evidence to the computer forensics lab
o Complete the evidence custody form
o Secure the evidence by locking the container

Completing the Case
◉ You need to produce a final report
o State what you did and what you found
◉ Repeatable findings
o Repeating the steps produces the same result
◉ If required, use a report template
◉ The report should show conclusive evidence

Completing the Case
◉ Keep a written journal of everything you do
o Your notes can be used in court
◉ Answer the six Ws:
o Who, what, when,
where, why, and how
◉ You must also explain computer and network processes

Critiquing the Case
◉ Ask yourself the following questions:
o How could you improve your performance in the case?
o Did you expect the results you found? Did the case develop in ways you did not expect?
o Was the documentation as thorough as it could have been?
o What feedback has been received from the requesting source?

Critiquing the Case
◉ Ask yourself the following questions (cont’d):
o Did you discover any new problems? If so, what are they?
o Did you use new techniques during the case or during research?

PRACTICE
Autopsy Forensic Analyzer

INCS712 Lecture 4: COMPUTER FORENSICS, Forensic Process/Phases
1. Identification
2. Collection
3. Preservation
4. Examination
5. Analysis
6. Presentation/Report

Identification
◉ The first step is identifying evidence and potential containers of evidence
◉ More difficult than it sounds
o Small-scale devices
o Non-traditional storage media
o Multiple possible crime scenes

Identification
◉ The context of the investigation is very important
◉ Do not overlook non-electronic sources of evidence
o Manuals, papers, printouts, etc.

Collection
◉ Care must be taken to minimize contamination
◉ Collect or seize the system(s)
◉ Create a forensic image
o Live or static (dead)?
o Do you own the system?
o What does your policy say?
Collection: Documentation

Collection: Documentation
◉ Take detailed photos and notes of the computer / monitor
o If the computer is “on”, take photos of what is displayed on the monitor – DO NOT ALTER THE SCENE

Collection: Documentation
◉ Make sure to take photos and notes of all connections to the computer / other devices

Collection: Imaging
◉ Rule of thumb: make 2 copies and don’t work from the original (if possible)
◉ A file copy does not recover all data areas of the device for examination
◉ Working from a duplicate image
o Preserves the original evidence
o Prevents inadvertent alteration of the original evidence during examination
o Allows recreation of the duplicate image if necessary

Collection: Imaging
◉ Digital evidence can be duplicated with no degradation from copy to copy
o This is not the case with most other forms of evidence

Collection: Imaging
◉ Write blockers
o Hardware
o Software (https://www.thewindowsclub.com/enable-or-disable-usbwrite-protection)
◉ Hardware write blockers are becoming the industry standard
o USB, SATA, IDE, SCSI, SIM, memory cards
o Not BIOS dependent
o But still verify prior to usage!

Collection: Imaging
Most commonly used: Tableau Forensic Write Blocker
(Diagram: the source drive is connected through the write blocker, which permits reads and blocks writes, to the examiner PC running the imaging tool; the source data is written to the destination as image files such as D02101001A.E01, D02101002A.DD, D02201001A.AFF)

Collection: Imaging
◉ Forensic image (bitstream, bit-by-bit)
o Bit-by-bit imaging captures all the data on the copied media, including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files, etc.)
◉ Duplicate copy when necessary
◉ Often the “smoking gun” is found in the residual data
◉ Imaging from a disk (drive) to a file is the norm; now transitioning to targeted collection
◉ Remember: avoid working from the original
◉ Use a write blocker even when examining a copy!
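To make the imaging workflow above concrete, the following added example (written for this section, not part of the lecture or of any vendor's imaging tool) images a constructed byte string as segmented raw files, records an MD5/SHA-256 acquisition hash, re-verifies the segments later as a single logical image, and shows that one altered byte breaks verification. The segment naming scheme and the placeholder evidence label are assumptions.

```python
"""Added example (not from the lecture): imaging a source into segmented raw
image files and proving integrity with MD5/SHA-256, as a forensic imager does.

The "source drive" here is a constructed byte string, not a real device."""
import hashlib
import os
import tempfile

# Constructed stand-in for a small source drive: 8 sectors of 512 bytes.
# Sector 3 holds a deleted-file remnant that a file copy would never carry
# but a bit-by-bit image does.
SECTOR = 512
_drive = bytearray(b"\x00" * (SECTOR * 8))
_drive[0:4] = b"\xEB\x3C\x90\x00"                    # boot-sector-like bytes
_memo = b"deleted memo: meet at 7:30 PM"             # constructed residue
_drive[3 * SECTOR:3 * SECTOR + len(_memo)] = _memo
SOURCE_DRIVE = bytes(_drive)


def image_to_segments(source: bytes, dest_dir: str, base_name: str,
                      fragment_size: int) -> list:
    """Write a bit-stream image of `source` as numbered raw segments
    (base_name.001, .002, ...), the way a fragment-size setting splits an
    acquisition. Returns the segment paths in order."""
    paths = []
    for n, off in enumerate(range(0, len(source), fragment_size), start=1):
        path = os.path.join(dest_dir, f"{base_name}.{n:03d}")
        with open(path, "wb") as fh:
            fh.write(source[off:off + fragment_size])
        paths.append(path)
    return paths


def hash_segments(paths: list, chunk_size: int = 4096) -> dict:
    """Hash the logical image: stream every segment, in order, through the
    same MD5 and SHA-256 contexts so the digests equal those of the source."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    """Acquisition hash of the source as read through the write blocker."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(paths: list, acquisition_hash: dict) -> dict:
    """Re-hash at time-n and compare with the recorded acquisition hash.
    Returns a per-algorithm match plus an overall 'verified' verdict."""
    now = hash_segments(paths)
    result = {alg: now[alg] == acquisition_hash[alg] for alg in acquisition_hash}
    result["verified"] = all(result.values())
    return result


def demo() -> tuple:
    """Image the constructed drive, verify it, then flip one byte in a
    segment and show that verification fails. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as workdir:
        # The evidence label is a placeholder, not a real case identifier.
        segs = image_to_segments(SOURCE_DRIVE, workdir, "EVIDENCE-PLACEHOLDER", 1024)
        acquisition = hash_bytes(SOURCE_DRIVE)
        before = verify_image(segs, acquisition)
        # Simulate inadvertent alteration of a single byte in the last segment.
        with open(segs[-1], "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0x01]))
        after = verify_image(segs, acquisition)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("time-1 verification:", before)
    print("after one-byte change:", after)
```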
Imaging: Authenticity & Integrity
◉ How do we demonstrate that the image is a true, unaltered copy of the original? Hashing (MD5, SHA-256)
◉ Hashing: a mathematical algorithm that produces a unique value (128 bit, 512 bit)
o Can be performed on various types of data (files, partitions, physical drive)
◉ The value can be used to demonstrate the integrity of your data
o Changes made to the data will result in a different value
◉ The same process can be used to demonstrate that the image has not changed from time-1 to time-n

Examination
◉ Higher-level look at the file system representation of the data on the media
◉ Verify the integrity of the image
o MD5, SHA-1 etc.
◉ Recover deleted files & folders
◉ Determine the keyword list
o What are you searching for?
◉ Determine timelines
o What is the time zone setting of the suspect system?
o What time frame is of importance?
o A graphical representation is very useful

Examination
◉ Examine the directory tree
o What looks out of place
o Stego tools installed
o Evidence scrubbers
◉ Perform keyword searches
o Indexed
o Slack & unallocated space
◉ Search for relevant evidence types
o Hash sets can be useful
o Graphics
o Spreadsheets
o Hacking tools
o Etc.
◉ Look for the obvious first
◉ When is enough enough??

Issues
◉ Lack of certification for tools
◉ Lack of standard procedures
◉ Lack of certification for professionals
◉ Lack of understanding by the judiciary
◉ Rapid changes in technology!
◉ Immature scientific discipline

Digital Investigation Process

Preparing for Digital Investigations
◉ Digital investigations fall into two categories:
o Public-sector investigations
o Private-sector investigations

Preparing for Digital Investigations
◉ Public-sector investigations involve government agencies responsible for criminal investigations and prosecution
◉ Fourth Amendment to the U.S.
Constitution
o Restricts government search and seizure
◉ The Department of Justice (DOJ) updates information on computer search and seizure regularly
◉ Private-sector investigations focus more on policy violations

Understanding Law Enforcement Agency Investigations
◉ When conducting public-sector investigations, you must understand laws on computer-related crimes, including:
o Standard legal processes
o Guidelines on search and seizure
o How to build a criminal case
◉ The Computer Fraud and Abuse Act was passed in 1986
o Specific state laws were generally developed later

Following Legal Processes
◉ A criminal investigation usually begins when someone finds evidence of or witnesses a crime
o The witness or victim makes an allegation to the police
◉ Police interview the complainant and write a report about the crime
◉ The report is processed and management decides to start an investigation or log the information in a police blotter
o A blotter is a historical database of previous crimes

Canada Criminal Court Procedure
(Flow chart; stages shown: Complaint, Accused, Arrest, Release, Charge, First Appearance, Assignment (Preliminary), Trial, Convicted, Sentencing, Offender, Appeal)

Following Legal Processes
◉ Digital Evidence First Responder (DEFR)
o Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
◉ Digital Evidence Specialist (DES)
o Has the skill to analyze the data and determine when another specialist should be called in to assist
◉ Affidavit: a sworn statement in support of facts about or evidence of a crime
o Must include exhibits that support the allegation

Understanding Private-Sector Investigations
◉ Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes
o Example: wrongful termination
◉ Businesses strive to minimize or eliminate litigation
◉ Private-sector crimes can involve:
o E-mail harassment, falsification of data, gender and age discrimination,
embezzlement, sabotage, and industrial espionage

Understanding Private-Sector Investigations
◉ Businesses are advised to specify an authorized requester who has the power to initiate investigations
◉ Examples of groups with authority
o Corporate security investigations
o Corporate ethics office
o Corporate equal employment opportunity office
o Internal auditing
o The general counsel or legal department

Understanding Private-Sector Investigations
◉ During private investigations, you search for evidence to support allegations of violations of a company’s rules or an attack on its assets
◉ Three types of situations are common:
o Abuse or misuse of computing assets
o E-mail abuse
o Internet abuse
◉ A private-sector investigator’s job is to minimize risk to the company

Understanding Private-Sector Investigations
◉ The distinction between personal and company computer property can be difficult with cell phones, smartphones, personal notebooks, and tablet computers
◉ Bring your own device (BYOD) environment
o Some companies state that if you connect a personal device to the business network, it falls under the same rules as company property

Maintaining Professional Conduct
◉ Professional conduct includes ethics, morals, and standards of behavior
◉ An investigator must exhibit the highest level of professional behavior at all times
o Maintain objectivity
o Maintain credibility by maintaining confidentiality
◉ Investigators should also attend training to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools

PRACTICE

Signature Analysis
1. TrID for test-sample1
2. TrID for test-sample2

Data Carving
1. One data recovery technique

Chain of Custody
1. Collection starts at 7:30 PM, May 25 2021
2. FTK Imager 4.3.0.18
3. E01 format
4. Timezone: UTC-8
5. Evidence Number: D02102003A
6. Storage Number: D02101M01 1N2BF3

Chain of Custody
Dell OptiPlex 9030
You take a forensic image of the HDD in a Dell OptiPlex 9030.
1. Evidence Number: D04202003A
2. Storage Number: D04201M01
3. Transit to NYIT Forensic Lab (in charge: Tom)

Appearance Notice
An appearance notice is generally given by police to an accused who has not been arrested on a minor criminal offence. It compels the accused to appear before a court on a specific date. If the accused does not appear, the court can issue a warrant for his/her arrest.

Promise to Appear
A promise to appear is sometimes given to an accused who has been arrested and released by the police. It is a personal guarantee to come to court on the date specified. If an arrested person is not released by the police, there must be a bail hearing before the court within 24 hours to determine whether the person will remain in custody pending his or her trial. A recognizance is one form of interim release and is completed by either promising to pay money or depositing money or other valuable security with the court. The defendant is then released pending a trial or appeal but is under an order to appear. If the defendant does not appear, the money promised is due or the money or security deposited is subject to forfeiture, and an arrest warrant will be issued. When an accused is charged with a serious crime, or is considered a flight risk or likely to re-offend, an order for secure custody will detain the accused in a correctional centre until trial.

Police Report to Crown
The police prepare a report detailing all the evidence they have collected and, based on that report, Crown counsel decides whether criminal charges are appropriate.

Information or Indictment
An information or an indictment is used to charge the accused with the crime.
An information is sworn and signed by a peace officer who knows the case and swears that there are reasonable grounds to believe an offence has been committed. An indictment is the charging document used in Supreme Court and is signed by Crown counsel.

In Canada there are three types of criminal offences: summary conviction, indictable and dual (hybrid) offences. An example of a summary conviction offence is trespassing by night. An example of an indictable offence is armed robbery. An example of a dual (hybrid) offence is assault. For hybrid offences, the Crown chooses whether to proceed summarily or by indictment and, for the application of all further procedural rules, the offence is deemed to be the type of offence the Crown has chosen.

Form of Trial
When an accused is charged with an indictable offence, in most cases they have a right to choose between three forms of trial: to be tried by a Provincial Court judge, by a Supreme Court judge alone, or by a Supreme Court judge with a jury. This is called an election. In some serious cases like murder, the trial must be by judge and jury, unless both the Crown and the accused consent to a trial by a Supreme Court judge alone.

First Appearance
The first appearance is where an accused or his or her lawyer (counsel) makes their election (if required), enters a plea to the charge(s) and/or asks for time to retain counsel. The issue of whether or not an accused can be released on bail pending trial is often decided at the first appearance. It may take time for the accused and counsel to decide what to do about the charge, so there may be a number of appearances. If the accused decides to plead guilty, sentencing may be done on a different date because a pre-sentence report may have to be prepared by a probation officer. If the accused pleads not guilty, then a date for the trial or preliminary hearing is set depending on the type of offence.
Preliminary Hearing or Inquiry
If an accused is charged with an indictable offence and has elected a trial by other than the Provincial Court, a preliminary hearing is held where the Crown must present sufficient evidence to commit the accused for trial. This allows the court an opportunity to determine whether the charges against the accused are valid. The preliminary inquiry is held in Provincial Court. The accused does not have to present evidence at this time because the burden is on the Crown to establish that they can convict on the evidence.

The Trial
The judge is the sole arbiter of the law as it applies to each case and its facts, and also provides the judgment in non-jury trials. The court clerk is in charge of all exhibits, physical evidence, court files and the recording of the proceedings during any type of court hearing. The sheriff manages courtroom security and escorts the accused to and from court if he or she is being held in jail during the trial. Not all persons accused of serious crimes are held in custody prior to trial.

Prosecutors in Canada represent the people through the “Crown”, a term used because the Head of State is the Queen. The state charges the accused and is referred to as Crown Counsel/Prosecutor. Defence counsel is the lawyer for the accused in a criminal trial. In a criminal matter, the onus is on the Crown to prove the case beyond a reasonable doubt. The judge or jurors must consider all the evidence to decide if it convinces them beyond a reasonable doubt of the guilt of the accused.

When a criminal case is brought to court and the accused might go to jail for a term of five years or more, the accused has the opportunity to choose either a trial by judge alone or a trial by a judge and jury. The jury will consist of 12 members. At the end of the trial, when both sides have stated their cases, a verdict will be reached.
The verdict is the decision made about whether or not the accused person is guilty in a criminal trial. In a criminal trial with a jury this verdict must be unanimous. If the jury cannot reach a unanimous verdict it is called a "hung jury" and a new trial must be held.

Appeal
In the BC Court of Appeal there are usually only three judges sitting on an appeal, unless the court is being asked to overturn one of its own decisions. In that case five judges would hear the appeal.

INCS712 Lecture 5: COMPUTER FORENSICS, Forensic Acquisition

Understanding Image Formats for Digital Evidence
◉ Data in a forensics acquisition tool is stored as an image file
◉ Three formats
o Raw format
o Proprietary formats
o Advanced Forensics Format (AFF)

Raw Format
◉ Makes it possible to write bit-stream data to files
◉ Advantages
o Fast data transfers
o Ignores minor data read errors on the source drive
o Most computer forensics tools can read raw format
◉ Disadvantages
o Requires as much storage as the original disk or data
o Tools might not collect marginal (bad) sectors
◉ Extensions: dd, dmg, img, raw

Proprietary Formats
◉ Most forensics tools have their own formats
◉ Features offered
o Option to compress or not compress image files
o Can split an image into smaller segmented files
o Can integrate metadata into the image file
◉ Disadvantages
o Inability to share an image between different tools
◉ Extensions: E01, AD1, UFDR

Advanced Forensics Format
◉ Developed by Dr. Simson L.
Garfinkel as an open-source acquisition format
◉ Design goals
o Provide compressed or uncompressed image files
o No size restriction for disk-to-image files
o Provide space in the image file or segmented files for metadata
o Simple design with extensibility
o Open source for multiple platforms and OSs
▪ Internal consistency checks for self-authentication
◉ Extension: AFF

Understanding Bit-Stream Copies
◉ Bit-stream copy (single capture or mirror)
o Bit-by-bit copy of the original storage medium
o Exact copy of the original disk
o Different from a simple backup copy
o Backup software only copies known files
o Backup software cannot copy deleted files or e-mail messages, or recover file fragments
◉ Bit-stream image
o File containing the bit-stream copy of all data on a disk or partition
o Also known as an “image” or “image file”

Understanding Bit-Stream Copies
◉ Copy the image file to a target disk that matches the original disk’s manufacturer, size and model
◉ Creating an image transfers each bit of data from the original disk to the same spot on the target disk
(Diagram: Original Disk to Target Disk)

Acquiring an Image of Evidence Media
◉ First rule of computer forensics
o Preserve the original evidence
◉ Conduct your analysis only on a copy of the data
◉ Several vendors provide MS-DOS, Linux, and Windows acquisition tools
o Windows tools require a write-blocking device when acquiring data from FAT or NTFS file systems
◉ https://www.youtube.com/watch?v=I-yUf7FwiLQ

Determining the Best Acquisition Method (1 of 4)
◉ Types of acquisitions
o Static acquisitions and live acquisitions
◉ Four methods of data collection
o Creating a disk-to-image file
o Creating a disk-to-disk copy
o Creating a logical disk-to-disk or disk-to-data file
o Creating a sparse data copy of a file or folder
◉ Determining the best method depends on the circumstances of the investigation

Determining the Best Acquisition Method (2 of 4)
◉ Creating a disk-to-image file
o Most common method and offers the most flexibility
o Can make more than one
copy
o Copies are bit-for-bit replications of the original drive
o Compatible with many commercial forensic tools
◉ Creating a disk-to-disk copy
o When a disk-to-image copy is not possible
o Tools can adjust the disk’s configuration
o Tools: EnCase and X-Ways

Determining the Best Acquisition Method (3 of 4)
◉ Logical acquisition or sparse acquisition
o Can take several hours; use when your time is limited
o Logical acquisition captures only specific files of interest to the case
o Sparse acquisition collects fragments of unallocated (deleted) data
o For large disks
o PST or OST mail files, RAID servers

Determining the Best Acquisition Method (4 of 4)
◉ When making a copy, consider:
o Size of the source disk
▪ Lossless compression might be useful
▪ Use digital signatures for verification
o When working with large drives, an alternative is using lossless compression
o Whether you can retain the disk
o Time to perform the acquisition
o Where the evidence is located

Contingency Planning for Image Acquisitions
◉ Make at least two images of digital evidence
o Use different tools or techniques
◉ Create a duplicate copy of your evidence image file
◉ Copy the host protected area of a disk drive as well
o Consider using a hardware acquisition tool that can access the drive at the BIOS level
◉ Be prepared to deal with encrypted drives
o The whole-disk encryption feature in Windows called BitLocker makes static acquisitions more difficult
o May require the user to provide the decryption key

Acquiring Data with a Linux Bootable USB (1 of 4)
◉ Linux can access a drive that isn’t mounted
◉ Windows OSs and newer Linux distributions automatically mount and access a drive
◉ Forensic Linux bootable USBs don’t access media automatically
o Which eliminates the need for a write-blocker
◉ Using Linux Bootable USB distributions
o Forensic Linux bootable USB
▪ Contains additional utilities

Acquiring Data with a Linux Bootable USB (2 of 4)
◉ Using Linux Bootable USB distributions (cont’d)
o Forensic Linux bootable USB (cont’d)
▪
Configured not to mount, or to mount as read-only, any connected storage media
▪ Well-designed Linux bootable USBs for computer forensics
▪ Paladin
▪ CAINE
▪ DEFT
▪ Knoppix
▪ SANS Investigative Forensic Toolkit (SIFT)

Acquiring Data with a Linux Bootable USB (3 of 4)
◉ Preparing a target drive for acquisition in Linux
◉ Current Linux distributions can create Microsoft FAT and NTFS partition tables
◉ The fdisk command lists, creates, deletes, and verifies partitions in Linux
◉ The mkfs.msdos command formats a FAT file system from Linux

Acquiring Data with a Linux Bootable USB (4 of 4)
◉ Acquiring data with dd in Linux
◉ dd (“data dump”) command
o Can read from and write to a media device or data file
o Creates a raw format file that most computer forensics analysis tools can read
◉ Shortcomings of the dd command
o Requires more advanced skills than the average user has
o Does not compress data

Validating Data Acquisitions
◉ Validating evidence may be the most critical aspect of computer forensics
◉ Requires using a hashing algorithm utility
◉ Validation techniques
o MD5, and SHA-1 to SHA-512

Linux Validation Methods
◉ Validating dd-acquired data
o You can use the md5sum or sha1sum utilities
o md5sum or sha1sum should be run on all suspect disks and volumes or segmented volumes

Windows Validation Methods
◉ Windows has no built-in hashing algorithm tools for computer forensics
o Third-party utilities can be used
◉ Commercial computer forensics programs also have built-in validation features
o Each program has its own validation technique
◉ Raw format image files don’t contain metadata
o Separate manual validation is recommended for all raw acquisitions

RAID Data Acquisition

Performing RAID Data Acquisitions
◉ Acquisition of RAID drives can be challenging and frustrating because of how RAID systems are
o Designed
o Configured
o Sized
◉ Size is the biggest concern
o Many RAID systems now have exabytes of data

Acquiring RAID Disks (1 of 2)
◉ Address the following concerns:
o How
much data storage is needed?
o What type of RAID is used?
o Do you need to have all drives connected?
o Do you have the right acquisition tool?
o Can the tool read a forensically copied RAID image?
o Can the tool read split data saves of each RAID disk?
◉ Copying small RAID systems to one large disk is possible

Acquiring RAID Disks (2 of 2)
◉ Vendors offering RAID acquisition functions
o Guidance Software EnCase
o X-Ways Forensics
o AccessData FTK
o Runtime Software
o R-Tools Technologies
◉ Occasionally, a RAID system is too large for a static acquisition
o Retrieve only the data relevant to the investigation with the sparse or logical acquisition method

Using Remote Network Acquisition Tools
◉ You can remotely connect to a suspect computer via a network connection and copy data from it
◉ Remote acquisition tools vary in configurations and capabilities
◉ Drawbacks
o Antivirus, antispyware, and firewall tools can be configured to ignore remote access programs
o Suspects could easily install their own security tools that trigger an alarm to notify them of remote access intrusions

Remote Acquisition with EnCase Enterprise
◉ Remote acquisition features
o Search and collect internal and external network systems over a wide geographical area
o Support multiple OSs and file systems
o Triage to help determine a system’s relevance to an investigation
o Perform simultaneous searches of up to five systems at a time

Remote Acquisition with F-Response
◉ F-Response
o A vendor-neutral remote access utility
o Designed to work with any digital forensics program
o Sets up a secure read-only connection
▪ Allows forensics examiners to access it
◉ Four different versions of F-Response
o Enterprise Edition, Consultant + Covert Edition, Consultant Edition, and TACTICAL Edition

PRACTICE

Forensic Imaging Practice (forensic imaging by software)
1. Install FTK Imager (https://accessdata.com/product-download/)
2. Connect your source disk to your computer
3.
Connect the destination disk that stores the image files
4. Open the imaging program
5. FTK Imager – File – Create Disk Image – Physical Drive – Select Source Drive – Finish – Add – Select Image Type – Raw (dd) – Evidence Item Information – Assign Destination Folder – Image Filename – Image Fragment Size (2,000) – Finish – Start
7. Add Local Device – Next – Choose source drive – Finish – Click the drive – Acquire – Insert information – OK

Mounting Image Files Practice (image mounting)
1. Open FTK Imager
2. Add Image – Select Image files
3. Find the assigned drive letter in Windows Explorer

Targeted Collection Practice (Robocopy)
1. Download the Robocopy command file
2. Refer to the syntax of Robocopy at https://technet.microsoft.com/en-us/library/cc733145(v=ws.11).aspx
3. Make a new folder and copy some files from other folders to the new folder
4. Using Robocopy, copy the new folder to your USB drive, keeping the same directory structure and metadata
5. Delete some files from your USB drive and copy back only the deleted files from the original source

Reference (the trailing backslash before a closing quote would be read as an escaped quote by the command line, so the paths are quoted without it)
C:\Users\Joseph\Documents>robocopy "c:\Users\Joseph\Documents\new" "e:\collection" /MIR /TEE /E /LOG:"e:\log.txt"
C:\Users\Joseph\Documents>robocopy "c:\Users\Joseph\Documents\new" "e:\collection" /E /XC /XN /XO /LOG:"e:\log.txt"

INCS712 Lecture 6: COMPUTER FORENSICS, E-mail and Social Media Investigations

Investigating E-mail Crimes and Violations (1 of 2)
◉ Similar to other types of investigations
◉ Goals
o Find who is behind the crime
o Collect the evidence
o Present your findings
o Build a case
◉ Know the applicable privacy laws for your jurisdiction
◉ E-mail crimes depend on the city, state, or country
o Example: spam may not be a crime in some states
o Always consult with an attorney

Investigating E-mail Crimes and Violations (2 of 2)
◉ Examples of crimes involving e-mails
o Narcotics trafficking
o Extortion
o Sexual harassment and stalking
o Fraud
o Child abductions and pornography
o Terrorism

Exploring
the Role of E-mail in Investigations (1 of 2)
◉ An increase in e-mail scams and fraud attempts with phishing or spoofing
o Phishing e-mails contain links to text on a Web page
▪ Attempts to get personal information from the reader
o A spoofed e-mail contains parts altered by someone else
▪ To get you to trust them
▪ So that you will take additional steps, like following a link
◉ Investigators need to know how to examine and interpret the unique content of e-mail messages

Exploring the Role of E-mail in Investigations (2 of 2)
◉ Spoofed e-mail can be used to commit fraud
◉ Investigators can use the Enhanced/Extended Simple Mail Transfer Protocol (ESMTP) number in the message’s header to check the legitimacy of an e-mail

Exploring the Roles of the Client and Server in E-mail (1 of 3)
◉ E-mail can be sent and received in two environments
o Internet
o Intranet (an internal network)
◉ Client/server architecture
o The server OS and e-mail software differ from those on the client side
◉ Protected accounts
o Require usernames and passwords

Exploring the Roles of the Client and Server in E-mail (2 of 3)

Exploring the Roles of the Client and Server in E-mail (3 of 3)
◉ Name conventions
o Corporate: john.smith@telus.com
o Public: whatever@gmail.com
o Everything after @ belongs to the domain name
◉ Tracing corporate e-mails is easier
o Because accounts use standard names the administrator establishes

Examining E-mail Messages (1 of 2)
◉ Access the victim’s computer or mobile device to recover the evidence
◉ Using the victim’s e-mail client
o Find and copy any potential evidence
o Access protected or encrypted material
◉ Guide the victim on the phone
o Open and copy the e-mail, including headers
◉ You may have to recover deleted e-mails

Examining E-mail Messages (2 of 2)
◉ Copying an e-mail message
o Before you start an e-mail investigation
▪ You need to copy and print the e-mail involved in the crime or policy violation
o You might also want to forward the message as an attachment to another e-mail address
◉ With many
GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
o Or by saving it in a different location

Viewing E-mail Headers (1 of 5)
◉ Investigators should learn how to find e-mail headers
o GUI clients
o Web-based clients
◉ After you open the e-mail headers, copy and paste them into a text document
o So that you can read them with a text editor
◉ Become familiar with as many e-mail programs as possible
o Often more than one e-mail program is installed

Viewing E-mail Headers (2 of 5)
◉ Outlook
o Double-click the message and then click File, Properties
o Copy the headers
o Paste them into any text editor
o Save the document as Outlook header.txt in your work folder

Viewing E-mail Headers (3 of 5)

Viewing E-mail Headers (4 of 5)
◉ Gmail
o Click the down arrow next to the Reply circular arrow, and click Show original
o Click the Download Original link to open the “Opening original_msg.txt” dialog box
o Click Open with Notepad (default) and click OK
o Save the file in your work folder with the default name
◉ Yahoo
o Click Inbox to view a list of messages
o Above the message window, click More and click View Raw Message
o Copy and paste the headers into a text file

Viewing E-mail Headers (5 of 5)

Examining E-mail Headers (1 of 2)
◉ Headers contain useful information
o The main piece of information you’re looking for is the originating e-mail’s IP address
o Date and time the message was sent
o Filenames of any attachments
o Unique message number (if supplied)

Examining E-mail Headers (2 of 2)

Examining Additional E-mail Files
◉ E-mail messages are saved on the client side or left on the server
◉ Microsoft Outlook uses .pst and .ost files
◉ Most e-mail programs also include an electronic address book, calendar, task list, and memos
◉ In Web-based e-mail
o Messages are displayed and saved as Web pages in the browser’s cache folders
o Many Web-based e-mail providers also offer instant messaging (IM) services

Tracing an E-mail Message
◉ Determining message origin is
referred to as “tracing” ◉ Contact the administrator responsible for the sending server ◉ Use a registry site to find point of contact: o www.arin.net o www.internic.com o www.google.com ◉ Verify your findings by checking network e-mail logs against e-mail addresses Using Network E-mail Logs (1 of 2) ◉ Router logs o Record all incoming and outgoing traffic o Have rules to allow or disallow traffic o You can resolve the path a transmitted e-mail has taken ◉ Firewall logs o Filter e-mail traffic o Verify whether the e-mail passed through ◉ You can use any text editor or specialized tools Using Network E-mail Logs (2 of 2) Understanding E-mail Servers (1 of 2) ◉ An e-mail server is loaded with software that uses e-mail protocols for its services o And maintains logs you can examine and use in your investigation ◉ E-mail storage o Database o Flat file system ◉ Logs o Some servers are set up to log e-mail transactions by default; others have to be configured to do so Understanding E-mail Servers (2 of 2) ◉ E-mail logs generally identify the following: o o o o o E-mail messages an account received Sending IP address Receiving and reading date and time E-mail content System-specific information ◉ Contact suspect’s network e-mail administrator as soon as possible ◉ Servers can recover deleted e-mails o Similar to deletion of files on a hard drive Examining Microsoft E-mail Server Logs (1 of 4) ◉ Microsoft Exchange Server (Exchange) o Uses a database o Based on Microsoft Extensible Storage Engine (ESE) ◉ Most useful files in an investigation: o .edb database files, checkpoint files, and temporary files ◉ Information Store files o Database files *.edb ▪ Responsible for MAPI information ▪ Messaging Application Programming Interface (MAPI) is a messaging architecture and a Component Object Model based API for Microsoft Windows. 
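The “Examining E-mail Headers” and “Tracing an E-mail Message” slides above list what to pull out of a raw header: the originating IP address, the date and time, attachment filenames, the unique message number, and the per-hop ESMTP ids. The following Python program is an added example for this lecture (it is not from the lecture or from the Nelson textbook) that does exactly that with the standard library’s email module. The message it parses is constructed: every hostname, address, queue id and IP (RFC 5737 documentation ranges) is made up, and the From domain deliberately disagrees with Return-Path and Message-ID so the consistency check has something to report.

```python
"""Extract the fields an examiner looks for from a raw e-mail (RFC 5322 text)."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real capture): two hops, a From domain that does not
# match Return-Path or Message-ID, and one PDF attachment. Each server prepends
# its own Received line, so the top one is the newest and the bottom one is the
# hop closest to the sender. Tab-indented lines are header continuations.
SAMPLE_RAW = b"""\
Return-Path: <bounce@mail.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org (Postfix) with ESMTP id 4F3D2A1B9C
\tfor <victim@example.org>; Mon, 10 Jun 2024 09:14:05 -0400
Received: from client-pc (unknown [198.51.100.23])
\tby mx.example.net with ESMTPA id 7A9C1E2
\tfor <victim@example.org>; Mon, 10 Jun 2024 09:13:58 -0400
From: "Accounts Payable" <ap@bigbank.example.com>
To: victim@example.org
Subject: Invoice attached
Date: Mon, 10 Jun 2024 09:13:50 -0400
Message-ID: <20240610131350.1234@mail.example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--BOUNDARY
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received_chain(msg):
    """Return the Received hops oldest-first (index 0 = hop nearest the sender).

    Only the Received lines added by servers you trust (your own, or the
    recipient's provider) are reliable; everything below them could have been
    written by the sender, which is why the originating IP is a lead to verify
    against server logs rather than a conclusion.
    """
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(str(raw).split())  # unfold continuation lines
        hops.append({
            "from": _grab(r"^from (\S+)", line),
            "ip": _grab(r"\[([0-9a-fA-F.:]+)\]", line),
            "by": _grab(r"\bby (\S+)", line),
            "with": _grab(r"\bwith (\S+)", line),   # ESMTP, ESMTPA, ESMTPS ...
            "id": _grab(r"\bid (\S+)", line),       # that server's transaction id
            "date": parsedate_to_datetime(line.rpartition(";")[2].strip())
            if ";" in line else None,
        })
    hops.reverse()
    return hops


def spoof_indicators(msg):
    """Cheap consistency checks; a mismatch is a lead to follow, not proof."""
    def domain(addr):
        return parseaddr(addr)[1].rpartition("@")[2].lower()
    from_dom = domain(str(msg.get("From", "")))
    rp_dom = domain(str(msg.get("Return-Path", "")))
    mid_dom = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    findings = []
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if from_dom and mid_dom and from_dom != mid_dom:
        findings.append(f"From domain {from_dom} differs from Message-ID domain {mid_dom}")
    return findings


def summarize(raw_bytes):
    """The items the slides list: originating IP, date, attachments, message id."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hops = parse_received_chain(msg)
    date_hdr = msg.get("Date")
    return {
        "originating_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "date": parsedate_to_datetime(str(date_hdr)) if date_hdr else None,
        "message_id": str(msg.get("Message-ID", "")).strip("<> ") or None,
        "attachments": [p.get_filename() for p in msg.walk()
                        if p.get_content_disposition() == "attachment"],
        "spoof_indicators": spoof_indicators(msg),
        # seconds between the first and last hop stamps; a large or negative
        # value points at clock skew or a forged Received line
        "transit_seconds": (hops[-1]["date"] - hops[0]["date"]).total_seconds()
        if len(hops) > 1 and hops[0]["date"] and hops[-1]["date"] else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Paste the header text you saved from Outlook, Gmail or Yahoo (see the “Viewing E-mail Headers” slides) into `SAMPLE_RAW`, or read it from the saved file, and the output gives you the originating IP and the per-hop ids to take to the sending server’s administrator.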
Examining Microsoft E-mail Server Logs (2 of 4)
◉ Transaction logs
o Keep track of changes to the database
◉ Checkpoints
o Mark the last point at which the database was written to disk
◉ Temporary files
o Created to prevent loss when the server is busy converting binary data to readable text

Examining Microsoft E-mail Server Logs (3 of 4)
◉ To retrieve log files created by Exchange
o Use the Windows PowerShell script GetTransactionLogStats.ps1 -Gather
◉ Tracking.log
o An Exchange server log that tracks messages
◉ Another log used for investigating the Exchange environment is the troubleshooting log
o Use Windows Event Viewer to read the log

Examining Microsoft E-mail Server Logs (4 of 4)

Using Specialized E-mail Forensics Tools (1 of 3)
◉ Tools include:
o DataNumen for Outlook and Outlook Express
o FINALeMAIL for Outlook Express and Eudora
o Sawmill-Novell GroupWise for log analysis
o MailXaminer for multiple e-mail formats and large data sets
o Fookes Aid4Mail and MailBag Assistant
o Paraben E-Mail Examiner
o AccessData FTK for Outlook and Outlook Express
o Ontrack Easy Recovery EmailRepair
o R-Tools R-Mail
o OfficeRecovery’s MailRecovery

Using Specialized E-mail Forensics Tools (2 of 3)
◉ Tools allow you to find:
o E-mail database files
o Personal e-mail files
o Offline storage files
o Log files

Using Specialized E-mail Forensics Tools (3 of 3)
◉ After you compare e-mail logs with messages, you should verify the:
o E-mail account, message ID, IP address, and date and time stamp to determine whether there’s enough evidence for a warrant
◉ With some tools
o You can scan e-mail database files on a suspect’s Windows computer, locate any e-mails the suspect has deleted, and restore them to their original state

Repairing Outlook Files
◉ A forensics examiner recovering e-mail messages from Outlook
o May need to reconstruct .pst files and messages
◉ With many advanced forensics tools
o Deleted .pst files can be partially or completely recovered
◉ Scanpst.exe recovery tool
o Comes with Microsoft Office
o Can repair .ost files as well as .pst files

PRACTICE
Evtx Log Analysis
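The “Using Specialized E-mail Forensics Tools (3 of 3)” and “Tracing an E-mail Message” slides say to verify the account, message ID, IP address and timestamp from the header against the server and network logs. The Python program below is an added example for this lecture (not from the lecture, the textbook, or any of the tools listed) of that comparison. Its server log is constructed in the Postfix/syslog line style rather than the Exchange Tracking.log format the slides mention, its firewall log uses a made-up one-line format, and the “header claims” are values assumed to have been copied by hand from the message under examination; all hosts, addresses, ids and IPs are invented.

```python
"""Verify an e-mail header's claims against the sending server's own log."""
import re
from datetime import datetime, timedelta, timezone

# Constructed MTA log excerpt in Postfix/syslog style (not a real capture).
# Two messages share the file; only queue id 7A9C1E2 belongs to the e-mail at issue.
MTA_LOG = """\
Jun 10 09:13:58 mx postfix/smtpd[1234]: 7A9C1E2: client=unknown[198.51.100.23]
Jun 10 09:13:58 mx postfix/cleanup[1235]: 7A9C1E2: message-id=<20240610131350.1234@mail.example.net>
Jun 10 09:13:59 mx postfix/qmgr[1200]: 7A9C1E2: from=<bounce@mail.example.net>, size=2048, nrcpt=1 (queue active)
Jun 10 09:14:05 mx postfix/smtp[1236]: 7A9C1E2: to=<victim@example.org>, relay=inbox.example.org[203.0.113.5]:25, delay=7, status=sent (250 2.0.0 Ok: queued as 4F3D2A1B9C)
Jun 10 09:14:05 mx postfix/qmgr[1200]: 7A9C1E2: removed
Jun 10 09:20:11 mx postfix/smtpd[1234]: 8B1D0F3: client=unknown[203.0.113.77]
"""

# Constructed firewall log in a made-up format: "<iso-time> <action> <proto> <src> -> <dst>".
FW_LOG = """\
2024-06-10T09:13:57-04:00 ACCEPT tcp 198.51.100.23:51234 -> 192.0.2.10:587
2024-06-10T09:14:00-04:00 ACCEPT tcp 203.0.113.77:40022 -> 192.0.2.10:25
"""

# Values an examiner would have taken from the message header (assumed, constructed).
HEADER_CLAIMS = {
    "message_id": "20240610131350.1234@mail.example.net",
    "client_ip": "198.51.100.23",
    "header_date": datetime(2024, 6, 10, 9, 13, 50, tzinfo=timezone(timedelta(hours=-4))),
}

LOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\S+)\[\d+\]: ([0-9A-F]+): (.*)$")
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")


def parse_mta_log(text, year, tz):
    """Group lines by queue id. syslog stamps carry no year, so the caller supplies it."""
    queues = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp, proc, qid, rest = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        q = queues.setdefault(qid, {"queue_id": qid, "first_seen": when, "last_seen": when})
        q["first_seen"] = min(q["first_seen"], when)
        q["last_seen"] = max(q["last_seen"], when)
        for key, val in KV_RE.findall(rest):       # client=, message-id=, from=, to=, status= ...
            q[key] = val.strip("<>")
        m2 = re.search(r"queued as (\S+)\)", rest)  # id the next hop assigned on acceptance
        if m2:
            q["delivered_as"] = m2.group(1)
    return queues


def correlate(message_id, client_ip, header_date, queues, fw_text, window=timedelta(minutes=5)):
    """Compare what the header claims with what the log recorded for that message id."""
    q = next((q for q in queues.values() if q.get("message-id") == message_id), None)
    if q is None:
        return {"found": False}
    m = re.search(r"\[([^\]]+)\]", q.get("client", ""))
    logged_ip = m.group(1) if m else None
    fw_seen = False
    for line in fw_text.splitlines():
        fm = re.match(r"(\S+) ACCEPT \S+ (\S+):\d+ -> ", line)
        if fm and fm.group(2) == client_ip:
            if abs(datetime.fromisoformat(fm.group(1)) - q["first_seen"]) <= window:
                fw_seen = True
    return {
        "found": True,
        "queue_id": q["queue_id"],
        "ip_matches": logged_ip == client_ip,
        "sender": q.get("from"),
        "recipient": q.get("to"),
        "status": q.get("status"),
        "delivered_as": q.get("delivered_as"),
        "time_ok": abs(q["first_seen"] - header_date) <= window,
        "firewall_seen": fw_seen,
    }


def run_check(log_year=2024, tz=timezone(timedelta(hours=-4))):
    queues = parse_mta_log(MTA_LOG, log_year, tz)
    return correlate(HEADER_CLAIMS["message_id"], HEADER_CLAIMS["client_ip"],
                     HEADER_CLAIMS["header_date"], queues, FW_LOG)


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

Every field in the result maps to one item on the slide: the sender and recipient are the account, `queue_id` and `delivered_as` are the ids that tie the header’s ESMTP numbers to the log, `ip_matches` checks the originating IP, and `time_ok` plus `firewall_seen` check the timestamp against both the mail log and the network log. The year and time zone are passed in explicitly because syslog-style lines record neither; getting them from the log’s context is the examiner’s job, not the script’s guess.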