10/27/2014

Homework 05
Use The Sleuth Kit command line tools to analyze the provided DD image:
- Generate a text file detailing the file system of the image
- Generate a text file detailing the attributes of the $MFT
- Generate a text file containing a full file listing of the image
- Generate a text file detailing the attributes of one of the allocated files
- Generate a text file containing a file listing of ONLY deleted files from the image
- Generate text files detailing the attributes of all deleted files
- Recover the deleted files from the image
Sleuth Kit Wiki
HINT - commands you'll want to use: fsstat, ifstat, fls, ifind, istat, icat
You can get info on any command by using the "-h" flag, e.g. fsstat -h

FCM 760 | Fall 2014 | Lecture 6
Forensic Artifacts & Analysis
October 27, 2014

Recap of FAT File Systems
- What is stored in the Volume Boot Record (VBR)?
- Name the two major structures of a FAT file system.
- What does the FAT table keep track of?
- What are the three values a FAT table entry can have?
- What do directory entries keep track of?
- What hex value denotes a deleted file/directory?
- If a directory is deleted, what happens to its children?
- If a file is deleted, when do the previously assigned clusters get overwritten?
- What is the space between the logical end of a file and the end of the last cluster assigned to that file called?

Recap of NTFS File Systems
- Why was NTFS created?
- In NTFS, everything is a ____________?
- What does the VBR contain?
- What is the main structure of NTFS?
- How many reserved entries are there at the beginning of the MFT?
- How big is an MFT entry?
- What is the first entry?
- How is data stored in an MFT entry?
- Name three MFT entry attributes.

Recap of NTFS File Systems
- Explain resident vs. non-resident.
- What are the four timestamps that are maintained by NTFS?
- Give two situations where a file's Creation Time will be updated.
- Name three things that happen when a file is deleted.
  - The entry's flag is changed to unallocated.
  - The parent directory's reference to the entry is removed.
  - All allocated clusters are set to an unallocated state.
- What happens when an MFT entry is reassigned?

Low-Level QC'ing
The first step of every examination should always be to confirm the data space for each forensic image.
Step 1: Analyze the Partition Table
- Sector offsets 446 – 509 of the MBR
- Ensure that all sectors are accounted for.
- Check manufacturer counts vs. image counts
- Tools: EnCase, FTK Imager, sleuthkit (mmls), ProDiscover Basic

Operating Systems
What is an Operating System?
- The most important program on the computer. Acts like air traffic control.
- Resource allocation
  - Memory/Hard Drive interaction
  - Port/Socket tracking
- Provides a common software platform for other applications.
- Provides a way to communicate with hardware devices.
- Provides security protocols and protection.
  - User accounts
  - Access Control

Microsoft Windows
- Windows 1.0 – 3.1
- Windows 95
- Windows NT 4.0
- Windows 98
- Windows 2000
- Windows ME
- Windows XP
- Windows XP x64
- Windows Vista
- Windows 7
- Windows 8
- Windows 10 (coming soon)

Differences between Windows Versions
- Registry files
- Recent File location
- Recycle Bin (naming, INFO2 files, naming convention, etc.)
- User Folder structure
Example: User registry file locations
- Windows 95 – User.dat stored in C:\Windows and C:\Windows\Profile\<username>
- Windows XP – NTUser.dat stored in C:\Documents and Settings\<username>
- Windows 7 – NTUser.dat stored in C:\Users\<username>

Windows 7: Interesting Places
- Recycle Bin: C:\$Recycle.Bin
- Installed Programs: C:\Program Files and C:\Program Files (x86)
- Program Data: C:\ProgramData
- Restore Points: C:\System Volume Information
- Executed Program Info: C:\Windows\Prefetch

Windows 7: User Folder
User Data: C:\Users\<username>\...
- …\Desktop
- …\Documents
- …\Downloads
- …\Favorites
- …\Music
- …\Pictures
- …\Videos
Junctions:
- Provided for backward compatibility
- A placeholder that points to another location

Windows 7: User Folder - AppData
User Data: C:\Users\<username>\AppData\...
- …\Local – machine-specific application data, or data that is too large to roam
- …\LocalLow – machine-specific low-integrity application data (web browser plugins, etc.)
- …\Roaming – used with domains; files in this folder will be available on any computer you log in to on the domain
This area contains a wealth of information.

Windows 7: User Folder - AppData
Example: Chat Program Logs
C:\Users\Dan\AppData\Roaming\Trillian\users\<username>\logs\AIM\Query\

Registry Files
The registry is a hierarchical database that maintains settings for Windows, applications, hardware, and users.
Built-In Viewer: regedit.exe or regedt32.exe
Windows 7 employs 4 system hives and 1 user-specific hive:
- SAM (Security Accounts Manager) – stores users' passwords in hashed format
- SECURITY – links to the SAM and contains domain and local machine security settings
- SYSTEM – stores Windows settings, info about hardware, network, etc.
- SOFTWARE – stores application settings and additional Windows settings
- NTUSER.DAT – stores settings specific to the logged-on user account
Examination Tools: AccessData's Registry Viewer, ProDiscover, EnCase, RegRipper

Registry Files
On a live system, the mounted hives are represented as follows:
- SYSTEM - HKEY_LOCAL_MACHINE\System
- SAM - HKEY_LOCAL_MACHINE\SAM
- SECURITY - HKEY_LOCAL_MACHINE\Security
- SOFTWARE - HKEY_LOCAL_MACHINE\Software
- NTUSER.DAT - HKEY_USERS\<User SID>

Registry Files
Locations (Windows 7):
- C:\Windows\System32\config\<SAM|SECURITY|SOFTWARE|SYSTEM>
- C:\Users\<username>\NTUSER.DAT
"Hives" are made up of "Keys" which store "Values" and their "Data".
Keys have a property called "LastWrite" which is similar to the last modification time of a file/directory.
Registry Files: SAM
What can you find in the SAM registry file?
- User Names and their associated SIDs: SAM\SAM\Domains\Account\Users\Names\
  - The value under each user key tells you which folder to look in under the "Users" key, and is the user SID in hex
- The SID folder tells you:
  - How many times the account was logged into
  - Last logon time
  - Last password change time
  - Expiration time
  - Etc.

Registry Files: SYSTEM
ControlSets
- Instances of configuration information
- Can be multiple (duplicates, unique, mirror images)
- Need to make sure you're looking at the current ControlSet
Finding the current ControlSet: look at the following value: SYSTEM\Select\Current

Registry Files: SYSTEM
What can you find in the SYSTEM registry file?
- Computer Name: SYSTEM\<currentControlSet>\Control\ComputerName\ComputerName\
- Shutdown Time: SYSTEM\<currentControlSet>\Control\Windows\
- Time Zone Information: SYSTEM\<currentControlSet>\Control\TimeZoneInformation
- Network Interface Information: SYSTEM\<currentControlSet>\services\Tcpip\Parameters\Interfaces
- Shared Folders: SYSTEM\<currentControlSet>\services\LanmanServer\Shares
- USB Devices: SYSTEM\<currentControlSet>\Enum\USBSTOR\
- Mounted Devices: SYSTEM\MountedDevices

Registry Files: SOFTWARE
What can you find in the SOFTWARE registry file?
- Windows Installation Info: SOFTWARE\Microsoft\Windows NT\CurrentVersion
- Network Interfaces: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
- Startup Programs: SOFTWARE\Microsoft\Windows\CurrentVersion\Run (other locations)
- Recent Files (MRUs): SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Registry Files: NTUSER.DAT
What can you find in the NTUSER.DAT registry file?
- Typed URLs: NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs
- Mounted Drives: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
- Recent Docs: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
- Recently Run Programs: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
- Wallpaper Setting: NTUSER.DAT\Control Panel\Desktop
- Printers: NTUSER.DAT\Printers\Settings

Registry Tools
- AccessData's Registry Viewer
- ProDiscover Basic
- RegRipper

Thumbs.db Files
Windows stores thumbnail versions of image files to speed up the display of images in folders.
- Files are only created when thumbnail view is used.
- Windows 7 stores 4 Thumbs.db files per User Account.
  Path: C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\...
  - thumbcache_32.db
  - thumbcache_96.db
  - thumbcache_256.db
  - thumbcache_1024.db
- The number denotes the height of the image thumbnail.

Thumbs.db Files
- JPG files can be carved from Thumbs.db files.
- Thumbs.db files are hidden, so the user may not know about them.
- Why would this be important?
- What happens when a user deletes pictures from a folder?
- Tool: thumbcache-viewer.exe

LNK Files
LNK files are Windows shortcut files created under several different circumstances:
- A user double-clicks a file or starts an application
- An application is installed
- A user creates a shortcut file
LNK files can provide a lot of forensically important data.
Each LNK has its own MAC timestamps, which can be important. E.g.: if an application is installed on date X and a LNK file is created on a later date Y, it shows that the user knew the application existed and intended to use it.
LNK Files
The contents of a LNK file will tell you the following about its target file:
- Path to the target file/directory
- MAC times for the target file/directory at the time of use of the LNK file
- Size of the target file
- Serial number of the volume the target is stored on
- Target attributes (read only, hidden, system, etc.)
Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
Again, why is this information important?
Tool: LNK file parser utility

Prefetch Files (XP and later)
Prefetch files cache commonly used file/disk locations so that applications can start up faster for the user.
- The file name includes the application's executable name + a hash value of the path from which the executable was run.
- This means that if you run an executable from multiple locations, there will be a different prefetch file for each location.
- Prefetching can be turned off. You can check the registry to see whether this is the case:
  SYSTEM\<currentControlSet>\Control\Session Manager\Memory Management\PrefetchParameters

Prefetch Files (XP and later)
Prefetch files store the following:
- Number of times the app has been launched
- Last time the app was run
- Path to the application that was run
Tool: Prefetch parser utility

Software Tools
- FTK Imager: http://www.accessdata.com/support/product-downloads
- AD Registry Viewer: http://www.accessdata.com/support/product-downloads
- ProDiscover Basic: http://www.techpathways.com/demo.htm
- RegRipper: http://regripper.wordpress.com/
- thumbcache.viewer: https://code.google.com/p/thumbcache-viewer/
- Windows File Analyzer: http://mitec.cz/wfa.html

Questions?
Start thinking about project topics!

Homework 06
Use the following tools to examine files on your computer:
- FTK Imager
- RegRipper
- AD Registry Viewer
- thumbcache.viewer
- Windows File Analyzer

Homework 06
- Registry Analysis: Document the interesting values for the locations referenced in this presentation.
- Use RegRipper to analyze each registry hive and locate the same locations that we referenced
- Analyze your Thumbs.db files. If you don't have any entries, create a folder with pictures in it and turn on thumbnail view for different sizes.
- Analyze 5 LNK files
- Analyze 5 prefetch files
Deliverables:
- Provide screenshots
- Provide reports as text files (only referenced items)
- Export 10 thumbnail images
- Provide reports
- Provide reports
RAR or ZIP the whole thing up and email to me
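A worked version of the Homework 05 deleted-file steps (listing only deleted files, then istat and icat for each), added here and not part of the lecture or of The Sleuth Kit itself. It parses the text that `fls -r -p` prints, separates unallocated names from ones whose MFT entry has already been reused (fls marks those "(realloc)"), and builds the istat/icat command lines. The image name, output folder and fls sample lines are constructed assumptions, not data from the course image.

```python
import re
import shlex

# Constructed sample of `fls -r -p image.dd` output (not real case data).
# Each line: dir-entry type / meta type, "*" if the name is unallocated,
# NTFS meta address (entry-attrtype-id), optional "(realloc)", tab, path.
SAMPLE_FLS = """\
d/d 5-144-1:\tdocs
r/r 12-128-1:\tdocs/report.docx
r/r * 34-128-3:\tdocs/old_notes.txt
r/r * 35-128-1(realloc):\tdocs/draft.txt
-/r * 40-128-1:\t$OrphanFiles/OrphanFile-40
V/V 256:\t$OrphanFiles
"""

FLS_LINE = re.compile(
    r"^(?P<type>[-a-zA-Z]/[-a-zA-Z])\s+"
    r"(?P<deleted>\*\s+)?"
    r"(?P<meta>[0-9][0-9-]*)"
    r"(?P<realloc>\(realloc\))?:\t"
    r"(?P<path>.*)$")

def parse_fls(text):
    """Parse fls output into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            entries.append({"type": m["type"], "meta": m["meta"], "path": m["path"],
                            "deleted": m["deleted"] is not None,
                            "realloc": m["realloc"] is not None})
    return entries

def deleted_files(entries):
    """Unallocated file names whose MFT entry has not been reused. For a
    (realloc) name the entry and its clusters now belong to another file,
    so icat would return that file's data, not the deleted content."""
    return [e for e in entries
            if e["deleted"] and e["type"].endswith("/r") and not e["realloc"]]

def recovery_commands(image, entries, outdir="recovered"):
    """istat (attributes) and icat -r (recover) command lines per deleted file."""
    cmds, img = [], shlex.quote(image)
    for e in deleted_files(entries):
        base = outdir + "/" + e["path"].replace("/", "_")
        cmds.append(f"istat {img} {e['meta']} > {shlex.quote(base + '.istat.txt')}")
        cmds.append(f"icat -r {img} {e['meta']} > {shlex.quote(base)}")
    return cmds
```

Feed it the real listing with `parse_fls(open("deleted_files.txt").read())` and run the printed commands from the image's directory; the (realloc) entries are the ones to report but not to recover.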
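For the Homework 06 prefetch task, an added example (not code from the lecture or from the prefetch parser utility it mentions) that reads the three fields the Prefetch slides list straight out of a Windows 7 prefetch header: executable name, the path hash that forms the .pf file name suffix, the run count and the last run time. The offsets are those of the version 23 (Windows 7) format; the sample file is constructed in the code, so its hash, count and timestamp are made-up values, and the path hash algorithm itself is not reproduced here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 prefetch header (format version 23), little-endian offsets:
#   0x00 version (23)   0x04 "SCCA"   0x0C file size
#   0x10 executable name, 60 bytes UTF-16LE, NUL-terminated
#   0x4C path hash (the hex suffix of the .pf file name)
#   0x80 last run time (FILETIME)   0x98 run count
# XP (version 17) keeps the name/hash fields but stores time and count elsewhere.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch_v23(data):
    """Return the fields the lecture lists: name, hash, run count, last run."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version != 23:
        raise ValueError(f"not a Windows 7 prefetch file (version {version})")
    raw_name = struct.unpack_from("<60s", data, 0x10)[0]
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run = struct.unpack_from("<Q", data, 0x80)[0]
    run_count = struct.unpack_from("<I", data, 0x98)[0]
    return {"exe_name": exe_name,
            "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
            "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}

def build_sample_prefetch(exe_name, path_hash, run_count, last_run_dt):
    """Constructed test input: only the header fields above are filled in."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    struct.pack_into("<60s", buf, 0x10, exe_name.encode("utf-16-le"))
    struct.pack_into("<I", buf, 0x4C, path_hash)
    ft = int((last_run_dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, 0x80, ft)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)

# Constructed sample: not a file taken from any real system.
SAMPLE_PF = build_sample_prefetch(
    "CALC.EXE", 0x12345678, 7,
    datetime(2014, 10, 27, 15, 30, tzinfo=timezone.utc))
```

On a real file, compare `expected_filename` with the name under C:\Windows\Prefetch; a mismatch means the file was renamed or copied rather than written by the prefetcher.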