Forensics Final Project
ISYS 590R, Team B
3/31/2008
Craig Marshall, Casey Jackman
Contents

General Approach
  Investigative Strategy
  Procedures
  Forensics Tools Used
    AccessData FTK
    Live View
    VMware Server
    Google Maps/Street View
    WhitePages.com
    Password Recovery Tool Kit (PRTK)
    Cain & Abel (Password Cracking)
    Motobit.com AIF Decoder
Most Interesting Findings
  Audit Report
  Phone Directory
  Email Information
  AIF Decode
  Excerpt from Monthly Technology Newsletter
Timeline
  Timeline Event Table
  Timeline Diagram
Difficulty in Investigative Procedures
Drive Profile
User Profile
Company Profile
General Approach
Investigative Strategy
The investigation was initially divided into four categories of inquiry. First, general disk information was
explored to provide context for the investigation. Second, it was important to identify the user(s) of the
disk and gather as much information as possible from operating system accounts. Third, to establish the
nature of the data written to and read from the disk, all programs and applications installed on the drive
were located. Fourth, using information from the previous areas, the actual documents and files were
reviewed for relevant data. Finally, all relevant information from the four areas of inquiry was
compiled into a standard timeline of events.
Procedures
Due to the general nature of the search, we began the investigation using the AccessData Forensic
Toolkit, looking for general disk information such as operating system, drive size, timestamps and areas of
interest (PWL files, etc.). After acquiring general information, individual files and directories were
searched for relevant data about the case. The drive was then copied and loaded into a virtual machine
for further hands-on investigation. With the assistance of the virtual machine, applications were opened
to view recent documents, current and archived emails and messenger information. This data was
categorized into relevant and non-relevant information to build a timeline and extract interesting findings.
Forensics Tools Used
Many tools were used for various parts of the investigation. The following tools assisted in
extracting relevant information.
AccessData FTK
The AccessData Forensic Toolkit was our primary source of information for the investigation. This
application was used to create our case, organize important files into evidence, and search through
documents on the drive. FTK provides a powerful filter engine allowing users to query keywords
and file types. It was especially helpful in viewing document files in older formats.
Live View
Live View is an open source program designed to convert disk images into virtual machines that can be
opened using VMware Server. It can operate without making any changes to the disk image itself.
VMware Server
We used VMware Server to run the virtual machine created in Live View. This was especially helpful in
interpreting the OS configurations and data that needed specialized programs to open them.
The following are screenshots of the Windows 95 login and a live desktop view.
Google Maps/Street View
Upon discovering the work address where the drive was originally located, Google Maps was used to identify
the location of the work office. This tool provided an exact location of the Utah Community Credit Union
branch where the computer was once in operation.
WhitePages.com
It was discovered that many users had credentials on the recovered drive. WhitePages.com was used to
attempt to find more information about said users including phone numbers, spouses and home
addresses.
Password Recovery Tool Kit (PRTK)
We used PRTK to try to crack the Windows passwords of the users on the system. However, we were
unsuccessful because of time constraints.
Cain & Abel (Password Cracking)
Cain & Abel is a password cracking program by Oxid. It is what we used to try to crack the Windows
user passwords.
Motobit.com AIF Decoder
An AIF file is an encrypted file used to store exported Outlook Express configurations and passwords.
Motobit offers an online decoder written in ASP that is quick and easy to use.
Most Interesting Findings
Audit Report
A sample from the Audit Report emailed to Carol Goldsberry:

AUGUST 2000 AUDIT REPORT

PROCESSOR  OFFICER  ACCT #   NAME           FINDINGS
BLC        BLC      1112929  JACOB          GUARANTY AGREEMENT NOT WITNESSED;
                                            NO RENT OR MORTGAGE INDICATED
KRP        KRP      1099277  CURTIS         3 BOXES ON NOTE NOT CHECKED
CGL        NMR      1070718  ROBINSON       ITEMIZATION OF THE AMOUNT FINANCED NOT COMPLETE
CGL        DED      1068374  CHRISTIAN      GUARANTY AGREEMENT NOT WITNESSED;
                                            INCOME NOT VERIFIED ON CRI;
                                            NO RENT OR MORTGAGE INDICATED
CGL        NMR      476375   HANSEN         3 BOXES ON NOTE NOT CHECKED;
                                            NOTE NOT WITNESSED
APK        APK      1108478  PITTS          ITEMIZATION OF THE AMOUNT FINANCED NOT COMPLETE;
                                            GUARANTY AGREEMENT NOT WITNESSED;
                                            INCOME NOT VERIFIED ON CRI
APK        APK      1091768  OSAKI          NOTE NOT WITNESSED
BRB        SHH      1117526  CARLISLE       NOTE NOT WITNESSED;
                                            GUARANTY AGREEMENT NOT WITNESSED
BRB        MSB      344201   CHRISTOPHERSN  3 BOXES ON NOTE NOT CHECKED;
                                            NO RENT OR MORTGAGE INDICATED
LWB        SHH      1115882  MILLER         NOTE NOT WITNESSED
KEM        SHH      1114668  SEAMONS        NOTE NOT WITNESSED
Phone Directory
A sample of the phone directory discovered on the UCCU intranet.
Email Information
With the drive loaded into a virtual machine, user account information was easily viewed in Outlook
Express. This provided detailed information about the SMTP and POP3 server settings. Outlook Express
files were also copied and loaded onto a Windows XP Outlook Express client for easier viewing.
AIF Decode
This table represents Carol Goldsberry's Outlook Express account configuration, including the ports
and servers used to send and receive mail.
Excerpt from Monthly Technology Newsletter
The following email was discovered in Carol Goldsberry's Outlook Express inbox. The letter is notice of a
New Authorization System, and it shares sensitive data regarding authentication credentials for DataSafe.
Subject: New Authorization System
On Monday, October 2, the credit union will begin using a new authorization system within DataSafe.
What will this mean to you? When accessing DataSafe (aka USERS or SmartTerm) you will be prompted
for your Teller Number and Password. Once logged into DataSafe, you will only be prompted for a
password when an override is needed for a transaction.
Why are we making the change? Actually, we used this "New" authorization system several years ago
for a short time. First, it provides better security and control. Second, it is a requirement for the new
Lending Navigator program that we will begin using on October 2.
If you haven't already taken the opportunity to test the new system, we urge you to do so before
October 2. You can access it by entering BYUALT at the USERNAME prompt when logging into DataSafe.
Enter TEMP0 (TEMP "zero") as the password. Your Teller number remains the same and your password
is your last name. This is a test directory, so feel free to enter as many transactions as you would like to
ensure that it will work for you when we go live. Report any problems to James Hill (ext. 462).
Timeline
A timeline was created by gathering data about the drive coupled with automatic timestamps and/or
self-documented dates. The timeline covers 6/27/1996 (the first write date discovered on the
drive) to 2/10/2003 (when the computer was shut down for the last time). Significant events found
from application installations, users' data, company data, and general drive information were
selected to build the timeline.
Timeline Event Table
The following table contains dates coupled with relevant events discovered on the disk.
Date        Event
6/27/1996   Creation date of first file on disk: various OLE streams
7/7/1997    Windows install: conclusion based on the creation dates of core OS files
12/24/1997  Strange cartoon of naked woman is created on drive
10/14/1998  Novell installed
1/6/1999    Softstuff screen saver installed
5/17/1999   Pervasive SQL installed
12/14/1999  JAMESH account created. James Hill (Systems Admin)
12/14/1999  Nada Car Guide installed
12/20/1999  SHARONC account created. Sharon Child (Title Clerk)
3/21/2000   CAROLG account created. Carol Goldsberry (Construction Loans)
4/12/2000   MICHELLE account created
4/25/2000   DAVEP account created. Dave Purdon (Network Admin)
8/4/2000    UCCU starts new email system
8/4/2000    Carol begins using Outlook Express
9/14/2000   Year 2000 audit report is received in an email
10/2/2000   UCCU begins new Authorization System
10/18/2000  Jim and Alise Wise Christmas letter/email received
10/23/2000  Account created. Karen Peterson (Construction Loans)
12/8/2000   UCCU has their Christmas party at Aspen Grove
12/18/2000  Date of last sent email
12/21/2000  Brian L. Goldsberry Christmas letter/email received
1/12/2001   Date of last email received
1/31/2001   Date of last email in Outbox
3/19/2001   Carol Goldsberry accesses CNN.com
2/20/2001   Carol Goldsberry accesses insideUCC.com
3/21/2001   Carol Goldsberry logs in for last time
3/21/2001   Email is last accessed
2/10/2003   ADMIN account created
2/10/2003   Computer shutdown for last time
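The timeline method described above (merging automatic filesystem timestamps with self-documented dates such as mail headers, then ordering them) can be scripted. The following Python is an added example written for this page, not code from the report or its authors. The file paths, times and events in it are constructed samples drawn from the report's own table, and the source and span helpers are assumptions about how one would label evidence. It also includes a check that catches a hand-typed table whose rows are not in date order, as happens with the 3/19/2001 and 2/20/2001 rows above.

```python
"""Assemble a forensic timeline from two evidence sources: automatic
filesystem timestamps and self-documented dates (mail headers, letters,
newsletters), then sanity-check the ordering of a hand-assembled table.

Added example, not part of the original report. Every event below is a
constructed sample based on the report's timeline table; nothing here is
read from the drive image."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    when: date
    description: str
    source: str          # "fs-timestamp" or "self-documented"


def parse_us_date(text: str) -> date:
    """Parse the M/D/YYYY form used in the report's tables."""
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()


def from_file_timestamp(path: str, stamp: datetime, what: str) -> Event:
    """Turn a file's creation/modification time into a timeline event,
    keeping the path so the event stays traceable to its evidence."""
    return Event(stamp.date(), f"{what} ({path})", "fs-timestamp")


def from_document(text_date: str, what: str) -> Event:
    """Event whose date comes from the content itself (e.g. an email's
    Date header or a dated letter) rather than from the filesystem."""
    return Event(parse_us_date(text_date), what, "self-documented")


def build_timeline(events: List[Event]) -> List[Event]:
    """Merge events from all sources into one chronological list.
    sorted() is stable, so events on the same day keep input order."""
    return sorted(events, key=lambda e: e.when)


def span(timeline: List[Event]) -> Tuple[date, date]:
    """First and last known operation dates, as in the Drive Profile."""
    return timeline[0].when, timeline[-1].when


def find_out_of_order(rows: List[Tuple[str, str]]) -> List[int]:
    """Indexes of rows dated earlier than the row before them. A table
    typed by hand can pick up such slips; the report's own table has one
    (3/19/2001 listed before 2/20/2001)."""
    bad, prev = [], None
    for i, (text_date, _) in enumerate(rows):
        cur = parse_us_date(text_date)
        if prev is not None and cur < prev:
            bad.append(i)
        prev = cur
    return bad


def render(timeline: List[Event]) -> str:
    """One line per event: ISO date, source tag, description."""
    return "\n".join(f"{e.when.isoformat()}  [{e.source:15}] {e.description}"
                     for e in timeline)


# Constructed sample events (paths and clock times are illustrative).
FS_EVENTS = [
    from_file_timestamp(r"C:\WINDOWS\JAMESH.PWL", datetime(1999, 12, 14, 9, 5),
                        "JAMESH account created"),
    from_file_timestamp(r"C:\WINDOWS\CAROLG.PWL", datetime(2000, 3, 21, 8, 30),
                        "CAROLG account created"),
]
DOC_EVENTS = [
    from_document("10/2/2000", "UCCU begins new authorization system (newsletter email)"),
    from_document("9/14/2000", "Year 2000 audit report received by email"),
]

# Constructed excerpt of a hand-typed table with the report's ordering slip.
REPORT_ROWS = [
    ("1/31/2001", "Date of last email in Outbox"),
    ("3/19/2001", "Carol Goldsberry accesses CNN.com"),
    ("2/20/2001", "Carol Goldsberry accesses insideUCC.com"),
    ("3/21/2001", "Carol Goldsberry logs in for last time"),
]

if __name__ == "__main__":
    tl = build_timeline(FS_EVENTS + DOC_EVENTS)
    print(render(tl))
    print("span:", *span(tl))
    print("out-of-order rows:", find_out_of_order(REPORT_ROWS))
```

Keeping the source tag on every event matters when the two kinds of evidence disagree: a filesystem timestamp can be wrong by the machine's clock drift, while a date inside an email is whatever the sender's system wrote, so a timeline should let the reader see which one each entry rests on.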
Timeline Diagram
Difficulty in Investigative Procedures
Because much of the data from Utah Community Credit Union is stored on network drives, we were
unable to access some documents. Attempting to open one such resource produced the following error:
    Can’t find f:\apps\wincar\userdata\nadauser.mdb invalid path or network server down
Also, due to time constraints, we were unable to crack passwords for some Windows 95 user accounts.
This was not detrimental to our investigation because we were able to discover an administrator
account username and password.
Drive Profile
The following profile was created with information on the drive image.
OPERATING SYSTEM: Windows 95
ADMIN USERNAME : admin
ADMIN PASSWORD : admin
DRIVE SIZE: 1.5GB
FIRST KNOWN OPERATION DATE : 6/27/1996
LAST KNOWN OPERATION DATE : 2/10/2003
SIGNIFICANT APPLICATION INSTALLATIONS: Pervasive SQL, Nada Car Guide, Novell Client, Outlook Express
USED USER ACCOUNTS : UCCU, JDW, DENZILD, JOSEPHW, JOEW, CAROLG, CONNIEH, etc.
[Password Lists]
UCCU=C:\WINDOWS\UCCU.PWL
JDW=C:\WINDOWS\JDW.PWL
DENZILD=C:\WINDOWS\DENZILD.PWL
JOSEPHW=C:\WINDOWS\JOSEPHW.PWL
JOEW=C:\WINDOWS\JOEW.PWL
CAROLG=C:\WINDOWS\CAROLG.PWL
CONNIEH=C:\WINDOWS\CONNIEH.PWL
LAROSEH=C:\WINDOWS\LAROSEH.PWL
SAUNDRAG=C:\WINDOWS\SAUNDRAG.PWL
JAMESH=C:\WINDOWS\JAMESH.PWL
SHARONC=C:\WINDOWS\SHARONC.PWL
MICHELLEM=C:\WINDOWS\MICHELLE.PWL
DAVEP=C:\WINDOWS\DAVEP.PWL
KARENP=C:\WINDOWS\KARENP.PWL
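The [Password Lists] block above is the format of the corresponding section of a Windows 95 SYSTEM.INI, which maps each logon name to the .PWL file caching that user's passwords; an investigator can use it to inventory accounts before touching any password material. The following Python is an added example, not code from the report. SAMPLE_SYSTEM_INI is a constructed excerpt reproducing the list above, and PRESENT_FILES is a constructed stand-in for a directory listing of C:\WINDOWS from the image (it deliberately omits KARENP.PWL and adds an ADMIN.PWL so that the checks have something to report). The script cross-checks the mapping against the files present, flagging referenced cache files that are missing, .PWL files not registered in the INI, and entries whose logon name and file name differ (MICHELLEM maps to MICHELLE.PWL, which is consistent with the 8-character 8.3 filename limit).

```python
"""Inventory Windows 95 user accounts from the [Password Lists] section of
SYSTEM.INI and cross-check it against the .PWL files found on the image.

Added example, not part of the original report. SAMPLE_SYSTEM_INI and
PRESENT_FILES are constructed inputs, not data read from the drive."""
import configparser
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Constructed SYSTEM.INI excerpt reproducing the report's password list.
SAMPLE_SYSTEM_INI = r"""
[boot]
shell=Explorer.exe

[Password Lists]
UCCU=C:\WINDOWS\UCCU.PWL
JDW=C:\WINDOWS\JDW.PWL
DENZILD=C:\WINDOWS\DENZILD.PWL
JOSEPHW=C:\WINDOWS\JOSEPHW.PWL
JOEW=C:\WINDOWS\JOEW.PWL
CAROLG=C:\WINDOWS\CAROLG.PWL
CONNIEH=C:\WINDOWS\CONNIEH.PWL
LAROSEH=C:\WINDOWS\LAROSEH.PWL
SAUNDRAG=C:\WINDOWS\SAUNDRAG.PWL
JAMESH=C:\WINDOWS\JAMESH.PWL
SHARONC=C:\WINDOWS\SHARONC.PWL
MICHELLEM=C:\WINDOWS\MICHELLE.PWL
DAVEP=C:\WINDOWS\DAVEP.PWL
KARENP=C:\WINDOWS\KARENP.PWL
"""

# Constructed stand-in for a listing of C:\WINDOWS on the image. KARENP.PWL
# is deliberately absent and ADMIN.PWL deliberately present so that the
# checks below have findings to report.
PRESENT_FILES = [
    "SYSTEM.INI", "WIN.INI", "UCCU.PWL", "JDW.PWL", "DENZILD.PWL",
    "JOSEPHW.PWL", "JOEW.PWL", "CAROLG.PWL", "CONNIEH.PWL", "LAROSEH.PWL",
    "SAUNDRAG.PWL", "JAMESH.PWL", "SHARONC.PWL", "MICHELLE.PWL", "DAVEP.PWL",
    "ADMIN.PWL",
]


def parse_password_lists(ini_text: str) -> Dict[str, str]:
    """Return {logon name: PWL path} from the [Password Lists] section."""
    # Only '=' is a delimiter here; the default also splits on ':' and would
    # otherwise be confused by the drive letter in values like C:\WINDOWS.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep logon names exactly as written
    cp.read_string(ini_text)
    if not cp.has_section("Password Lists"):
        return {}
    return dict(cp.items("Password Lists"))


def check_accounts(mapping: Dict[str, str],
                   present_files: Iterable[str]) -> Dict[str, List[str]]:
    """Cross-check the INI mapping against the files actually on disk."""
    present = {f.upper() for f in present_files}
    report: Dict[str, List[str]] = {
        "present": [], "missing": [], "name_mismatch": [], "orphans": []}
    referenced = set()
    for user, path in mapping.items():
        p = PureWindowsPath(path)
        referenced.add(p.name.upper())
        # Does the referenced cache file exist on the image?
        (report["present"] if p.name.upper() in present
         else report["missing"]).append(user)
        # Logon name and file base name normally agree; a difference such as
        # MICHELLEM -> MICHELLE.PWL is consistent with the 8-character 8.3
        # filename limit and matters when attributing a file to a user.
        if p.stem.upper() != user.upper():
            report["name_mismatch"].append(user)
    # .PWL files on disk that no INI entry points to: accounts that logged on
    # but were not recorded here, or leftovers from removed entries.
    for name in sorted(present):
        if name.endswith(".PWL") and name not in referenced:
            report["orphans"].append(name)
    return report


if __name__ == "__main__":
    accounts = parse_password_lists(SAMPLE_SYSTEM_INI)
    print(f"{len(accounts)} accounts registered in [Password Lists]")
    for key, users in check_accounts(accounts, PRESENT_FILES).items():
        print(f"{key:14} {', '.join(users) or '-'}")
```

On a real image the PRESENT_FILES list would come from a listing of the Windows directory taken from the mounted or extracted image; the point of the orphan check is that a cache file with no INI entry (such as one for the ADMIN account the timeline shows being created on 2/10/2003) is evidence of a logon that the configuration alone would not reveal.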
User Profile
The following profile was created with data from Windows Accounts, sent and received emails, user
documents and drive information.
FULL NAME: Carol Goldsberry
POSITION: Construction Loan Specialist
USERNAME : carolg
EMAIL PASSWORD: carolg
EMAIL ADDRESS : carolg@uccu.com
WORK PHONE NUMBER: (801) 223 7625
Company Profile
The following profile was created with data from Windows Accounts, sent and received emails, user
documents and drive information.
COMPANY NAME: Utah Community Credit Union
COMPANY BRANCH : River Woods
BRANCH PHONE NUMBER: (801) 223 7656
COMPANY DESCRIPTION: Credit Union providing financial services and information
BRANCH ADDRESS : 188 W. River Park Drive Provo, UT 84603