Digital Forensics Workbook: Hands-on Activities in Digital Forensics [1 ed.] 978-1517713607

Citation preview

Digital Forensics Workbook

Michael K. Robinson

Copyright © 2015 Michael K. Robinson Library of Congress Catalog Number 2015917435 CreateSpace Independent Publishing Platform North Charleston, South Carolina ISBN: 1517713609 ISBN-13: 978-1517713607 All rights reserved. No parts of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner. The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, the author shall not have any liability to any person or entity with respect to any loss or damage caused or alleged be caused directly or indirectly by the information contained in it.

Dedicated to Kirby

CONTENTS Preface

vii

Acknowledgments

ix

1

Introduction

1

2

Software Write Blocking

7

3

Creating Forensic Images

11

4

File System Identification

25

5

Mounting Forensic Images for Scanning

31

6

Recovering Files from Forensic Images

43

7

Artifacts in the Registry

61

8

Hashing

73

9

File Signature Analysis

87

10

File Analysis

91

11

Internet History

101

12

E-mail Header Analysis

107

13

Prefetch Files

111

14

Shortcuts/Link (.lnk) Files and Jump Lists

115

15

Thumbnail Caches

123

16

GREP Searches

131

17

File Carving

137

18

Timestamps and Timelines

153

19

Recovering Passwords

163

20

Mounting Images as Virtual Machines

173

21

Memory Acquisition and Analysis

179

22

Network Traffic

191

23

Mobile Apps and Data

211

24

Answers

221

About the Author

239

Index

241

Digital Forensics Workbook

PREFACE Digital forensics is constantly evolving to keep up with changing technology: hard drive storage capacities are increasing; mobile devices are more powerful, contain more data, and have new methods of communication, i.e., app-to-app data transfers; an ever increasing amount of data is being transmitted and stored in the Cloud and on social networking sites. The field of digital forensics must evolve to address these changes. In response to these situations there have been: advances in automation to assist in processing large volumes of data, new research is being performed to analyze new apps and the latest operating systems, and new procedures are being developed to address Cloud-based systems. There are many talented digital forensic researchers and examiners accepting the challenge to improve the industry. Yet with all of these changes it is still necessary for digital forensic examiners to possess a core set of competencies – a foundation upon which to build new techniques to solve new problems. This foundation lays the framework for digital forensic examiners to conduct analyses and draw sound conclusions. Examiners new to the field should learn the techniques and procedures, which senior examiners take for granted. Seasoned examiners should refresh their skills with current versions of tools so their skillsets can remain sharp. One of the more efficient and engaging ways to develop or refresh these skills is through hands-on activities…and that brings us to this book. This workbook is filled with activities for digital forensic examiners to gain hands-on practice acquiring and analyzing data. It will allow them to focus on the data so they can later conduct in-depth analysis, i.e., add interpretation to raw data, not just become tool dependents. Examiners still need to learn how the systems they analyze operate and how data came into existence on those systems. The workbook was designed to augment existing learning, whether it be formalized academic courses, industry training classes, on-the-job learning, or independent studying. Many of the topics presented here have been incorporated into various curriculums and the activities in the workbook will find applicability in any of them. As topics are covered in those programs, readers can augment their understanding by completing complementary exercises contained here. The workbook can be used formally as a textbook or it can serve as a practice book to augment existing material. The workbook is not meant to be exhaustive; however, it is meant to address a wide variety of topics. The topics were arranged logically so they could follow a pattern resembling a forensic investigation. The book starts with acquiring digital evidence, moves into recovering key data files, and then addresses the capture and analysis of various artifacts. The book then moves into examining network traffic, memory, and mobile devices. In all, there are over 60 hands-on activities in this workbook for digital forensic examiners to perform. The goal of the book is to provide sufficient hands-on learning activities so the reader can then apply them in dayto-day work and start to focus on conducting analyses of recovered data. There any many approaches to analyzing digital artifacts. This workbook uses over 40 different tools, most of which are freely available. While the tools used in these activities have been found very useful, the appearance of any tool in the workbook is not meant to serve as an endorsement. As with any forensic tool, the ones used here should be tested and the results should be verified and shown to be repeatable before using in cases. May you find the workbook enjoyable!

vii

Digital Forensics Workbook

ACKNOWLEDGMENTS

The digital forensics community is a very collaborative one. If it was not for the hard work of talented researchers and developers, who were willing to share their tools freely, this would be a very different field. This extends from the seasoned programmer, who creates very refined tools with stylish interfaces, all the way to down to the first time Python scripter and EnScript writer. Their work has allowed many examiners to perform complex, repetitive tasks with relative ease and gives examiners the time to focus on conducting analysis of recovered data. In a sense, this book is as much theirs as it is mine. In addition to tool creators, I have had the fortune of working with a few very smart and gifted individuals, who were kind of enough to share their knowledge. They did not feel as if knowledge was to be kept secret; nor did they feel as if they had to corner the market on knowing a tool, technique, or procedure. None of us were born with a priori knowledge of digital forensics. We learn by inquiring, researching, testing, and sharing. Lastly, there are those individuals, who have the uncanny ability to bring out the best in people – to inspire them to be more tomorrow than they are today. These include people such as Joseph McKinney, Penn Martin, Maria Howell, Chris Taylor, Ron McGuire, and Katie Herritage. It is people such as these that inspire people like me to write books and share knowledge. Thank you.

ix

1 INTRODUCTION The Digital Forensics Workbook provides a variety of exercises for those studying or working in the field of the digital forensics. The objective of the workbook is to provide hands-on activities in recovering and analyzing various forensic artifacts. Completing these activities should help establish a foundation for continued work in the area. The chapters were arranged in a logical order, because some topics are foundational to others, e.g., forensic acquisitions should be covered before the retrieval of files from forensic images, file system identification should be performed before analyzing timestamps and conducting file carving, and so forth. While organizationally it makes sense to list the materials in this order, readers can complete the activities from the chapters in any order they feel is appropriate. Chapter Layout Each chapter is arranged in the following manner: • There is a brief narrative to orient the reader with respect to the topic. • There are one or more hands-on activities, which include: o An objective for each activity. o A list of the tools needed to complete each activity. o Detailed instructions on how to complete each activity. o A list of results for each activity so the reader can compare his/her results against those presented in the workbook. • Additional exercises are provided in Chapters 4-19 and 21-23 with answers to the questions in Chapter 24. Activities The following is a list of the activities presented in the workbook by chapter.

1

Chapter 2 This chapter introduces write blockers and includes an activity on modifying the Windows Registry to serve as a software write-blocker. Chapter 3 Forensic acquisitions of media are covered in this chapter. There are activities on: 1. Conducting an acquisition of a locally attached device with FTK Imager and reviewing the details in the verification file. 2. Conducting an acquisition with dd. 3. Performing a remote acquisition with dd and netcat. Chapter 4 Chapter 4 uses fsstat from The Sleuth Kit to identify the file system and volume information contained within a forensic image. Chapter 5 This chapter provides activities on mounting a forensic image as a readable drive so it can be scanned with third-party tools. Activities include: 1. Mounting a forensic image with OSFmount and scanning the mounted image with anti-virus software. (WARNING: This activity contains malware.) 2. Mounting a forensic image with FTK Imager and scanning the image with Sysinternals’ Autoruns for items, which launch on a system’s startup, and identifying suspicious files. Chapter 6 Chapter 6 has activities related to recovering files from forensic images so the extracted files can be examined manually or with third-party tools. Activities in this chapter include: 1. Recovering files from a forensic image with EnCase. An additional demonstration is provided on mounting compound files within EnCase. 2. Recovering files from a forensic image with Autopsy. 3. Recovering files from a forensic image with FTK Imager. Chapter 7 This chapter broaches the topic of recovering various artifacts from the Windows Registry. Activities include: 1. Loading the SOFTWARE hive from a recovered system into a running system with RegEdit and then identifying data related to legal notices and installation information. Timestamps are converted for readability. 2. Recovering a list of services and TCP/IP information, i.e., network address information, from the SYSTEM hive and user account information from SAM file with MiTeC Windows Registry Recovery. 3. Retrieving various data from NTUSER.dat, such as Typed URLs, Typed Paths, MRU entries, and persistent autorun keys, and the SYSTEM hive, such as USBSTOR entries, using RegRipper.

2

Digital Forensics Workbook

Chapter 8 File and evidence hashing are covered in Chapter 8. Activities in this chapter include: 1. Using HashCalc to perform multiple hashes of a single file to prove or disprove it is identical to another. 2. Calculating hashes across multiple directories with HashMyCalc to quickly search and identify matches of files based on hashes. 3. Hashing a forensic image file, i.e., .E01 file, and hashing the evidence contained within it using HashCalc and FTK Imager, respectively, to note the differences. 4. Searching for files within a forensic image by creating a hash set within Autopsy. Chapter 9 Chapter 9 addresses file signature analysis with an activity involving WinHex, where files are mounted, the file signatures are retrieved, and then the file signatures are compared against those listed online. Chapter 10 Analysis of the metadata contained within files is covered in Chapter 10. Activities used for this topic include: 1. Renaming and then retrieving data from within Microsoft Office files. 2. Extracting and reviewing EXIF data from various digital photos. Chapter 11 Chapter 11 focuses on recovering artifacts from various browsers to identify a user’s Internet history. Activities include: 1. Analyzing the history and cache of Google Chrome using ChromeHistoryView and ChromeCacheView and identifying browser redirects based on HTTP codes. 2. Examining the history and cache of Mozilla Firefox using MozillaHistoryView and MozillaCacheView and identifying partially delivered server content based on HTTP codes. 3. Reviewing simultaneously the content of four browsers on a running system using BrowserHistoryView. Chapter 12 E-mail header analysis is performed in Chapter 12 with the following activities: 1. Analyzing Yahoo! headers with attention paid to verification of sender, receiver, and timestamps 2. Parsing AOL headers, where webmail clients were used and the source IP address was captured in the header 3. Examining Gmail headers with multiple hand-offs between mail servers 4. Analyzing Microsoft Office 365 headers, where scanning services have been used Chapter 13 The various data elements stored within a Windows Prefetch file are extracted using WinPrefetchView.

3

Chapter 14 In Chapter 14 user activity is analyzed by examining both shortcuts, also known as .LNK files, and Jump Lists. Activities include: 1. Extracting data from shortcuts using Windows File Analyzer. 2. Examining the data contained with various Jump Lists using JumpLister. Chapter 15 Various thumbnail caches are analyzed in Chapter 15. Activities include: 1. Analyzing thumbs.db, which was taken from a Windows XP computer, using Windows File Analyzer. 2. Examining thumbnail caches contained in Windows 7 thumbcache files and then mapping files the entries against the Windows Desktop Search Index database using OSForensics. 3. Retrieving thumbnail caches stored within Microsoft Office files, which were recovered from a Mac. Chapter 16 Grep searches and Regular Expressions are introduced in Chapter 16. Activities in this chapter include: 1. Literal searches for strings contained within web logs using Astro Grep. 2. Regular expression searches for various terms contained within web logs using Astro Grep. 3. Creating search strings for common data elements, such as phone numbers, credit cards, and e-mail addresses. Chapter 17 Chapter 17 moves into the area of carving files from unallocated space. Activities include: 1. Performing manual carving with FTK Imager using header and footer information. 2. Conducting automated file carving with Carver Recovery. 3. Extracting significant strings using Bulk Extractor and identifying potential files for recovery. Chapter 18 Timestamps and timeline analysis are addressed in Chapter 18. The activities in this chapter include: 1. Constructing a brief timeline of events regarding the saving of a Microsoft Word file using timestamps from multiple sources. 2. Examining event logs for a specified time period, when a user was logged into a system. 3. Comparing a timeframe against two event logs: the security and system event logs. 4. Extracting multiple timestamps from multiple input files using log2timeline. Chapter 19 Chapter 19 has readers crack hashes of passwords using Ophcrack on Kali Linux. Chapter 20 A demonstration is provided on how to mount a forensic image with FTK Imager so it can be used as a virtual machine disk (vmdk) for a VirtualBox Virtual Machine.

4

Digital Forensics Workbook

Chapter 21 Memory capturing and analysis are performed in Chapter 21. Activities in this chapter include: 1. Using Memoryze to capture memory and FTK Imager to analyze the subsequent memory file to retrieve the contents and password of an encrypted file. 2. Capturing memory from a running computer using FTK Imager Lite to reduce the footprint on disk. 3. Analyzing the data contained within memory captures using Volatility including OS identification, running processes, loaded DLLs, and network connections. Chapter 22 In Chapter 22 network traffic is analyzed using Wireshark. Activities include: 1. Analyzing ICMP-PING traffic. 2. Examining a TCP Three-way handshake. 3. Analyze a DNS query and response. 4. Applying various filters to Wireshark to make capturing and analysis more manageable. 5. Retrieving web server footprinting information from a TCP stream. 6. Recovering files from captured network traffic. 7. Consulting archives on various sites and search engines for cached pages of a web site. 8. Analyzing traffic associated with typical Nmap scans. Chapter 23 The chapter on mobile apps and data focuses on analyzing data after and acquisition has been performed of a mobile device. There are activities on: 1. Examining the packages.xml file from an Android phone. 2. Analyzing a SQLite database from an app, which performs app-to-app communication. 3. Reviewing the data contained within an iOS plist. 4. Analyzing a malicious Android app. (WARNING: This activity contains malware.) Chapter 24 This chapter contains answers to the additional exercises found at the end of each chapter. Web site The datasets to be used with the examples and activities presented in the book can be retrieved from www.digitalforensicsworkbook.com. The web site will contain additional information as it becomes available and any errata, as needed. Datasets All of the datasets used in the hands-on activities can be downloaded from the web site listed above. The password for the compressed files found on the site is hands-on. E-mail Address The following e-mail address will be used in conjunction with the workbook: [email protected] 5

6

Digital Forensics Workbook

2 SOFWARE WRITE BLOCKING One of the foundations of forensic examinations of digital media is preserving the integrity of the media during the collection and acquisition processes. Typically, hard drives are connected to hardware write blockers, which prevent write commands from being sent to the media. Not everyone has access to or can afford a hardware write blocker. As a result, software write blockers are used. Starting with Windows XP, Service Pack 2, it is possible for a user to add a Registry entry to block write access to devices connected to USB ports. While dead box forensics is a common activity in many labs, there is often a requirement to capture volatile data before removing a hard drive for processing. During live forensics or live acquisitions, there is limited interaction with suspect media so data such as the contents of RAM can be acquired. All interactions with the system are documented so an examiner’s methods can be identified and defensible. After volatile data is collected, media can be connected to a write blocker for acquisition. In some instances, a computer cannot be powered down or the media cannot be removed for imaging. In these situations, a boot disk (either a USB flash drive or a CD/DVD) is used and that software acts as both an imaging tool and a write blocker.

7

Activity 2-1: Software Write Blocking In this activity you will modify the Windows Registry to prevent data from being written to a USB storage device. Note: The Registry entry must be added before the device to be acquired is connected to a USB port. The Registry change is not retroactive, i.e., if a user has already connected a particular storage device via the USB port, then the user will be able to read and write to that storage device even after the Registry change is made. To disable the write-block feature, a user can delete the Registry entry or change the dword to 00000000. When making this change to the Registry, the entry is case sensitive. Tools: Product: Manufacturer: Web site:

RegEdit Microsoft Corporation https://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx

Instructions: 1. Open a command prompt on a Windows computer. 2. At the command prompt type the following command to launch the Registry Editor and press the “Enter” key: regedit 3. When the Registry Editor launches, navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ 4. Right-click on “Control,” select “New,” and then select “Key.” 5. Type the name “StorageDevicePolicies” (without spaces and without quotes) and press the “Enter” key. 6. Right-click on the white/blank window pane on the right. 7. From the pop-up menu, select “New” and then “DWORD (32-bit) Value.” 8. Change the name from “New Value #1” to “WriteProtect” (without spaces and without quotes) and press the Enter key. 9. Double-click on the value and change the value from 0 to 1. 10. Click the “OK” button.

8

Digital Forensics Workbook

11. The new Registry key should appear as shown in Figure 2-1.

Figure 2-1: WriteProtect Registry key 12. Close the Registry Editor. 13. Insert a new flash drive into the USB port on the computer and test the ability to read/write to the device.

9

10

Digital Forensics Workbook

3 CREATING FORENSIC IMAGES Conducting forensic acquisitions is not glamorous. It is not as exciting as performing analysis or finding key evidence, but without proper acquisitions, everything else would be for naught. Acquisitions represent a cornerstone in digital forensics. It is imperative acquisitions be done correctly and that computer forensic examiners explain what happens, when a forensic image is created. Creating a forensic image is a fairly straightforward process. One of several approaches can be taken towards acquiring media: • Media is removed from a computer that is already powered off. The media is connected to a write blocker and then the write blocker is connected to a trusted computer, which is running software to make the image. • When media cannot be removed from a computer or server, the host is rebooted using a live CD/DVD (or a USB thumb drive). The CD/DVD contains software used to make the forensic copy. The image can be copied to the USB port or out the network adapter. • A remote agent can be installed on a running computer and the agent forensically acquires data and pushes it out an active network connection to another computer waiting for the data. When original media is acquired, the original media is hashed. At the conclusion of the acquisition, the image is also hashed. The resultant values must match the original hashes, which verifies the authenticity of the copy. There are a variety of tools that can be used in acquiring media, including: • EnCase • FTK • FTK Imager/FTK Imager Lite • Helix/Helix Pro • dd/dc3dd • ProDiscover Each tool will perform the basic functions, either a bit-for-bit copy in the case of a physical acquisition, or a file copy in the case of a logical acquisition. Some tools have user-friendly interfaces. Some may offer compression and encryption algorithms.

11

The output of forensic acquisition tools may vary. Most popular forensic tools can read images stored in different formats. Additionally, each format has subtle differences. Standard file formats for forensic images include: • E01 – Expert Witness compressed format, which is used by Guidance Software and often called the EnCase evidence file format. • Ex01 – A new variation of the E01 format introduced by Guidance Software, which offers encryption and compression options. This was released with version 7 of EnCase. • SMART – a file format to work with a software utility for Linux. • dd/RAW – An exact copy of the media. The destination that holds the resultant dd file must be larger than the media being acquired. • AFF – Advanced Forensics Format, which works well with Autopsy and The Sleuth Kit. • AFF4 – a redesign of AFF. • ProDiscover Image File Format – for use with ProDiscover. When choosing a file format, some considerations include whether or not encryption is required, whether or not error checking is desired, and whether or not the format will work with third-party tools.

12

Digital Forensics Workbook

Activity 3-1: Create a Forensic Image with a GUI Tool In this activity, a forensic image will be created using FTK Imager of a storage device connected to the computer’s USB port. Tools: Product: Manufacturer: Web site:

FTK Imager AccessData Group, Inc. http://accessdata.com/product-download

Instructions: 1. Download and install FTK Imager. 2. Connect a flash drive to your computer’s USB port. 3. Launch FTK Imager. 4. From the main menu select “File” ! and then choose “Create Disk Image…” " as shown in Figure 3-1.

Figure 3-1: File menu with “Create Disk Image…”

13

5. In order to perform an acquisition, where all allocated and unallocated space is acquired, select “Physical Drive” in the “Select Source” window, as shown in Figure 3-2, and then click the “Next” button.

Figure 3-2: Select Source window 6. Identify the source to be acquired in the pull-down menu, as shown in Figure 3-3, and click the “Finish” button.

Figure 3-3: Select Drive window

14

Digital Forensics Workbook

7. After the source of the acquisition has been identified, the destination or target for the acquisition must be identified. Click the “Add…” button to provide the specifics for the destination. This is shown in Figure 3-4.

Figure 3-4: Create Image window 8. Select the E01 format for the forensic image in the “Select Image Type” window, as shown in Figure 3-5, and click the “Next” button.

Figure 3-5: Select Image Type window

15

9. In the “Evidence Item Information” window, as shown in Figure 3-6, enter descriptors for the evidence. This information is optional. Click the “Next” button, when complete.

Figure 3-6: Evidence Item Information 10. In the “Select Image Destination” window, as shown in Figure 3-7, identify the destination of the forensic image and the name for the image. By default, FTK Imager will split the forensic image across multiple files once the file size reaches 1,500 MB. This value can be changed. Compression is applied to the forensic image by default.

Figure 3-7: Select Image Destination window with values for the destination and image name

16

Digital Forensics Workbook

11. If the forensic image will not fit on the target destination, click the “Add Overflow Location” to identify alternate locations for files, which do not fit on the destination media. By default, FTK Imager will hash the original media with the MD5 and SHA1 algorithms and then verify the forensic image with the same algorithms. Click the “Start” button to start the acquisition. This appears in Figure 3-8.

Figure 3-8: Create Image window with a source and destination identified 12. As the forensic image is created, a progress bar will display the results as shown in Figure 3-9.

Figure 3-9: Create Image window with progress

17

13. At the conclusion of the acquisition, FTK Imager will display the results of the verification of the forensic image and compare those results to the original. Note that the “Verify Result” for the MD5 and SHA1 hashes are listed as “Match” ! as shown in Figure 3-10. This confirms that the forensic image is an exact copy of the original media.

Figure 3-10: Drive/Image verification results 14. At the conclusion of the acquisition, the time expended to complete the acquisition is displayed. This is shown in Figure 3-11.

Figure 3-11: Creating Image window at the completion of the acquisition.

18

Digital Forensics Workbook

15. Within the same directory as the forensic image files will be a text file, which contains the details of the forensic image. This file contains information regarding the media, the file hashes, and details provided by the forensic examiner. This is shown in Figure 3-12.

Figure 3-12: Acquisition details 16. What was the size/capacity of the original media as identified by FTK Imager? The original media had a storage capacity of 3,819 MB !. 17. How many sectors were on the original media as identified by FTK Imager? The original media contained 7,821,312 sectors ". 18. What was the serial number of the original drive as identified by FTK Imager? The serial number of the original media was 20044527111DB0C164DB #. 19. What were the MD5 and SHA1 hashes of the original evidence file? The hashes were MD5 and SHA1 hashes were 155f295b6258f44aabe8df79ac7796e8 and 0f57ad7076daf73491d0cd75cfb5435e6c7377d, respectively $. 20. Was the forensic image an exact copy of the original media? Based on the verified hash values, the forensic image was an exact copy %. 19

Activity 3-2: Create a Forensic Image with a Command Line Tool In this activity, a forensic image will be created of a storage device connected to the computer’s USB port using dd. Tools: Product: Manufacturer: Web site:

dd John Newbigin http://www.chrysocome.net/dd

Instructions: 1. Download dd from the web site and place it on the desktop of your computer. 2. Connect a flash drive to your computer’s USB port. 3. Open a command prompt on the Windows-based computer. 4. At the command prompt type the command to move to the directory containing the dd executable: cd C:\Users\username\Desktop 5. Identify all of the devices connected to the computer by typing the following command and pressing the “Enter” key: dd --list 6. The output of the command will be similar to what is shown in Figure 3-14.

Figure 3-14: list of connected devices as identified by dd 20

Digital Forensics Workbook

7. The dd utility uses a set of parameters for its operation. This includes: if, which specifies the input file or volume of, which specifies the output file or volume bs, which specifies the block size size, which informs dd to determine the size of the input device and ensures dd does not read past that point. This parameter is important for external flash drives. Sometimes dd will stop working, if it attempts to read beyond the end of the volume. This feature is not enabled by default, because determining the correct size of the device is not always possible. progress, which informs dd to display the status of the copy to the user. 8. At the command prompt type the following command to make a forensic image of the USB flash drive, which is using the E: drive, and store the image on the internal hard drive with the name output.dd: dd if=\\.\e: of=c:\output.dd bs=1M --size --progress 9. At the conclusion of the acquisition, the total quantity of blocks read (in) and written (out) will be displayed as shown in Figure 3-15.

Figure 3-15: Results of an acquisition with dd 10. When the dd command is run within a virtual machine, the output file may not be written to the root of the C: drive as expected. Instead, the output file may appear in the following location: C:\Users\username\AppData\Local\VirtualStore

21

Activity 3-3: Create a Forensic Image Over a Network Using a File Share In this activity, a forensic image will be created of a storage device connected to a computer’s USB port using dd and the image will be transferred over a network to another computer, which has a shared folder. This is depicted in Figure 3-16.

Figure 3-16: Forensic imaging over a network using a file share Tools: Product: Manufacturer: Web site:

dd John Newbigin http://www.chrysocome.net/dd

Instructions: 1. On the computer/server, which is to receive the forensic image, create a shared folder with the name “share,” which will allow unauthenticated users to write to the folder. (It is not necessary to give unauthenticated users the ability to read the contents of the directory.) 2. Identify the IP address of the computer running the shared folder. 3. Download dd from the web site and place it on the desktop of the computer from which the image is to be acquired. 4. Connect a flash drive to your computer’s USB port. 5. Open a command prompt on the computer with dd. 6. At the command prompt type the following command to access the desktop, which has dd: cd C:\Users\username\Desktop 7. At the command prompt type the following command to make a forensic image of the USB flash drive, which is using the E: drive, and store the image on the server with the shared folder: dd if=\\.\e: of=\\ip_address_server\share\output.dd bs=1M --size --progress

8. Instead of using \\.e: for the input, it is possible to specify individual files or partitions of the local hard drive, e.g., \\?\Device\Harddisk0\Partition1. 22

Digital Forensics Workbook

Activity 3-4: Create a Forensic Image Over a Network Using a Netcat In this activity, a forensic image will be created of a computer hard drive’s first partition using dd and the image will be transferred over a network to another computer using Netcat. This is depicted in Figure 3-17.

Figure 3-17: Forensic imaging over a network using netcat Tools: Product: Manufacturer: Web site:

dd John Newbigin http://www.chrysocome.net/dd

Product: Manufacturer: Web site:

Netcat Rodney Beede https://www.rodneybeede.com

Instructions: 1. Download netcat and dd to the server and place them on the desktop. 2. Identify the IP address of the server. 3. Open a command prompt on the server. 4. At the command prompt type the following to move to the desktop: cd C:\Users\username\Desktop 5. At the command prompt type the following command to start netcat in listener mode with the application listening on port 8888 and redirecting the received data to the output file named image.dd: nc -l 8888 | dd of=image.dd bs=1M 6. Download netcat and dd to the computer to be acquired and place them on the desktop.

23

7. Open a command prompt on the computer to be acquired. At the command prompt type the following to move to the desktop: cd C:\Users\username\Desktop 8. At the command prompt type the following command to acquire the first partition connected to the computer and redirect the output using netcat to the listening server: dd bs=1M if=\\?\Device\Harddisk0\Partition1 | ip_address_of_server 8888

24

4 FILE SYSTEM IDENTIFICATION A file system is a logical manner of storing data on media so it can be retrieved by an operating system. Through the identification of a file system, a forensic examiner can learn how data is arranged on the media and what meta data is available. For example, by identifying a file system an examiner can conclude how file names are stored, what timestamps are available, whether or not file ownership and security are available, and whether or not journaling is possible on the volume. While file systems are frequently paired with operating systems, e.g., NTFS with Microsoft Windows, HFS+ with Mac OS, and ext2/ext3 with Linux, there may be variations or alterations, which will impact a forensic examination. Authoritative sources should be examined to verify a file system rather than relying on a folder structure, which has been created by a user or operating system. Multiple sources should be examined on a file system, because partition table information and signatures may not always be reliable.

25

Activity 4-1: File System Identification In this activity you will identify the file systems of forensic images with fsstat, which is included with The Sleuth Kit. Tools: Product: Manufacturer: Web site:

The Sleuth Kit Brian Carrier http://www.sleuthkit.org/sleuthkit/download.php

Instructions: 1. Download The Sleuth Kit and save the decompressed folder to your desktop. 2. Download the compressed files “Forensic_Images.zip” from the Digital Forensics Workbook web site and save them to your desktop. 3. Open a command prompt. 4. Type the following at the command prompt to navigate to the “bin” folder within The Sleuth Kit directory: cd C:\Users\username\Desktop\sleuthkit-4.2.0-win32\bin 5. At the command prompt type the following command to analyze the partition table within the forensic image named drive1.E01: fsstat -i ewf C:\Users\\Desktop\Forensic_Images\drive1.E01

26

Digital Forensics Workbook

6. Upon running the command, details of the file system will be displayed as shown in Figure 4-1.

Figure 4-1: File system information for drive1.E01 27

7. What is the file system of the media captured in drive1.E01? The file system is FAT32 !. 8. With which operating system is this file system likely used? FAT32 is typically used on external storage devices due to its universal compatibility. 9. What is the volume ID or serial number of the media captured in drive1.E01? The volume ID is 0x1881387d ". 10. What is the volume label or name of the media captured in drive1.E01? There is no volume label for the media #. 11. What is the sector or inode size of the media captured in drive1.E01? The sector size is 512 bytes $. 12. How large is the cluster or block size of the media captured in drive1.E01? Each cluster is 4,096 bytes %. Additional Exercises: a.

For drive2.E01, what is: a. The file system? b. With which operating system is this file system likely used? c. The volume ID or serial number? d. The volume label or name? e. The sector or inode size? f. The cluster or block size?

b. For drive3.E01, what is: a. The file system? b. With which operating system is this file system likely used? c. The volume ID or serial number? 28

Digital Forensics Workbook

d. The volume label or name? e. The sector or inode size? f. The cluster or block size? c.

For drive4.E01, what is: a. The file system? b. With which operating system is this file system likely used? c. The volume ID or serial number? d. The volume label or name? e. The sector or inode size? f. The cluster or block size?

d. For drive2.E01, what is: a. The file system? b. With which operating system is this file system likely used? c. The volume ID or serial number? d. The volume label or name? e. The sector or inode size? f. The cluster or block size?

29

30

Digital Forensics Workbook

5 MOUNTING FORENSIC IMAGES FOR SCANNING A forensic image is a container designed to preserve evidence so it remains an identical copy of the original evidence. The image can be copied and moved between sources and a relatively quick re-hashing of the evidence can verify the file’s integrity and ensure the derivative evidence is intact just as it was when it was created. While this type of container has advantages, sometimes this container serves as an obstacle. Sometimes it is desirable to access the contents of the forensic image in its entirety, just as if it were an entire partition or volume. Doing so allows forensic examiners to run third-party tools to help with their analysis. For example, anti-virus scans can be run without having to boot into and rely upon the potentially compromised operating system. Hidden files, which functioned as a rootkit that hooked the operating system’s APIs, now lie dormant and ready for inspection and analysis. Scripts can be configured to scrape and walk through directory structures. The locations associated with persistent malware, i.e., autorun locations, can be explored. All of this can be performed without having to recover all of files from the entire file system. Through the process of image mounting, it possible to load the forensic image as a virtualized, local drive in a read-only fashion.

31

Activity 5-1: Mounting a Forensic Image and Scanning It with Anti-virus Software In this activity you will mount a forensic image with OSFmount and scan the mounted image with anti-virus software to determine if it contains known malicious files. Tools: Product: Manufacturer: Web site:

OSFmount PassMark Software http://www.osforensics.com/tools/mount-disk-images.html

Product:

Anti-virus software of your choice. In this example, AVG will be used.

Warning: In this exercise you will encounter malicious files. While the samples chosen for these exercises are somewhat old, which will certainly be detected by current anti-virus software, care should be taken not to double-click on the files or compromise the integrity of the forensic workstation. Instructions: 1. Download and install OSFMount and anti-virus software on the computer. 2. Download the forensic image drive06.E01 from the Digital Forensics Workbook web site and save the file to the desktop of your computer. 3. Launch OSFMount. When OSFMount is running, you should see a screen identical to what is shown in Figure 5-1.

Figure 5-1: OSFMount

32

Digital Forensics Workbook

4. In the OSFmount window, click the “Mount new virtual disk…” button. The “Mount Drive” dialog box will appear as shown in Figure 5-2.

Figure 5-2: Mount Drive window 5. Ensure the “Source” is set to “Image file.” 6. Click the ellipses (…) button next to the “Image file” text box and navigate to the drive6.E01 file. 7. After selecting the image file, the Mount Drive window will appear identical to what is shown in Figure 5-3.

Figure 5-3: Image file selected for drive mounting. 33

8. Click the “OK” button to mount the evidence file as a virtualized drive. After clicking the “OK” button, OSFmount should display the mounted drive along with the drive information !, as shown in Figure 5-4.

Figure 5-4: OSFmount with mounted drive information 9. Open Windows Explorer. The mounted drive should appear as a drive with the next available drive letter ". In most cases this will be E: as shown in Figure 5-5.

Figure 5-5: Explorer displaying mounted drive

34

Digital Forensics Workbook

10. Right-click the mounted drive, E:, and choose to scan the drive for malicious software #. This is shown in Figure 5-6. (Depending on the anti-virus software installed on your computer, the procedures for scanning the drive may vary. Be sure the virus definition database is up-to-date.)

Figure 5-6: Launching anti-virus software 11. The results of the scan will be displayed as the drive is scanned as shown in Figure 5-7.

Figure 5-7: Virus scan results 35

12. What virus was found on the forensic image and where was it located? klg.exe, which is classified as a Trojan/keylogger, was found in \Users\Admin\Downloads\klg.exe. Additional Exercises: Note: Some of these images will contain malicious files. Do not retrieve, open, or double-click any files within the images. a.

Mount and scan drive1.E01. Was any malware found on the image?

b. Mount and scan drive4.01. Was any malware found on the image? c.

Mount and scan drive7.E01. Was any malware found on the image?

d. Mount and scan drive9.E01. Was any malware found on the image?

36

Digital Forensics Workbook

Activity 5-2: Mounting a Forensic Image and Scanning In this activity you will mount a forensic image using FTK Imager and enumerate the “autorun” locations with Sysinternals’ Autoruns. If desired, OSFMount can be used to mount the forensic image instead of FTK Imager. Tools: Product: Manufacturer: Web site:

FTK Imager AccessData Group, Inc. http://www.accessdata.com

Product: Manufacturer: Web site:

Sysinternals Suite with Autoruns Microsoft https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Instructions: 1. Download and install FTK Imager on the computer. 2. Download the Sysinternals Suite and save the file to the desktop. Extract “Autoruns.exe” from the compressed file and save the executable to the desktop. 3. Download the forensic image named drive12.E01 from the Digital Forensics Workbook web site and save the file to the desktop of the computer. 4. Launch FTK Imager. 5. From the main menu select “File” and then “Image Mounting…” as shown in Figure 5-8.

Figure 5-8: FTK Imager with File Menu 37

6. In the “Mount Image to Drive” window, click the ellipses (…) button next to the textbox named “Image File:” and select drive12.E01. 7. Navigate to drive12.E01 and click the “OK” button. 8. Change the “Mount Method” to “Block Device / Writable.” 9. Click the “Mount” button in the middle of the screen. 10. After clicking the “Mount” button, two mapped images should appear as mounted as shown in Figure 5-9.

Figure 5-9: FTK Imager with a mounted forensic image 11. Click the “Close” button. 12. Minimize FTK Imager. Do not quit FTK Imager. If you quit the application, the drives will unmount. 13. Right-click “Autoruns.exe” and choose “Run as administrator” from the pop-up menu. 38

Digital Forensics Workbook

14. When Autoruns launches, it will automatically scan the local computer and display the results. This is shown in Figure 5-10.

Figure 5-10: Autoruns after a default scan of the local system 15. From the main menu, select “File” and then select “Analyze Offline System...” 16. In the dialog box that appears, as shown in Figure 5-11, enter the path to the System root, i.e., the Windows directory on the forensic image, and enter the path to the user profile, i.e., the default user profile. In this example, the forensic image was mounted as the E: drive. Click the “OK” button.

Figure 5-11: Analyze Offline System dialog box 39

17. Autoruns will scan the mounted drive and display the results as shown in Figure 5-12.

Figure 5-12: Results of Autoruns scan 18. What entries are listed in HKEY_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and where are the associated Dynamic Link Library files or executables located on the forensic image? BCSSyn loads from the key SOFTWARE\Microsoft\Windows\CurrentVersion\Run !. The file that is loaded is C:\Program Files\Microsoft Office\Office 14\bcssync.exe.

40

Digital Forensics Workbook

19. What Browser Helper Objects (BHOs) are loaded within Explorer? There are two BHOs loaded from the key \Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ". They are: Groove GFS Browser Helper and Office Document Cache Handler. 20. What entries are listed in HKEY_LOCAL_Machine\System\CurrentControlSet\Services and where are the associated Dynamic Link Library files or executables located on the forensic image? There are ten items loaded from the System\CurrentControlSet\Services key #. They are: FDResPub c:\windows\system32\fdrespub.dll Microsoft SharePoint Workspace Audit ServiceMicrosoft SharePoint Workspace c:\program files\microsoft office\office14\groove.exe Netman c:\windows\system32\netman.dll ose c:\program files\common files\microsoft shared\source engine\ose.exe osppsvc c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe SCardSvr c:\windows\system32\scardsvr.dll SessionEnv Remote Desktop Configuration service (RDCS) c:\windows\system32\sessenv.dll wcncsvc c:\windows\system32\wcncsvc.dll WinDefend c:\program files\windows defender\mpsvc.dll WMPNetworkSvc c:\program files\windows media player\wmpnetwk.exe

41

Additional Exercises: Perform an “Autoruns” scan on drive10.E01. e.

Malware using the name “reallybadstuff” has been seen on various computers. Based on the review of the Autoruns locations, does it exist on this computer? If so, where and how is it persistent?

f.

What items are listed under HKEY_Current_User\SOFTWARE\Microsoft\CurrentVersion\Run?

g. How many Services are set to launch and run through: HKEY_LOCAL_Machine\System\CurrentControlSet\Services? h. How many Browser Helper Objects (BHOs) exist on this computer?

42

6 RECOVERING FILES FROM FORENSIC IMAGES One of the essential tasks in digital forensics after evidence has been collected, preserved and acquired is recovering individual files from forensic images. These files may have merit in their own right as in ediscovery cases, but they may also have value in investigations, because they may reveal that a particular action did or did not occur on a system. In order to conduct in-depth treatments it often necessary to extract particular files and then perform further analysis with third-party tools. Recovering the files is not necessarily a complicated task, but each tools handle the process a little differently. Popular tools used to recover individual files from a forensic image include EnCase, FTK/FTK Imager, and Autopsy.

43

Activity 6-1: Recovering Files From Forensic Images with EnCase In this activity you will review how to recover files from a forensic image with EnCase. It was not possible to distribute a copy of EnCase with the workbook as it is a commercial tool. This is presented for the sake of completeness in the event that you encounter this tool in a lab. Tools: Product: Manufacturer: Web site:

EnCase Guidance Software http://www.guidancesoftware.com

Instructions: 1. Launch EnCase. When EnCase is launched, the user will be greeted with a splash screen, which provides various options. This is shown in Figure 6-1. The title bar at the top of the window should display “EnCase Forensic” !. If it displays “Acquisition,” then the software has not received a valid license through the dongle or the EnCase licensing server. As a result, only acquisitions can be performed. When evidence is received, the user will need to create an EnCase case file using the “New Case” option ".

Figure 6-1: EnCase Main Window

44

Digital Forensics Workbook

2. After selecting “New Case,” an Options dialog box will appear as shown in Figure 6-2. In this window, you must enter a case name #. The path to the case folder, backup file, cache, etc., will be automatically populated. After you enter the information, press the “OK” button.

Figure 6-2: New Case Options dialog box 3. After creating an EnCase case file, it will be necessary to add evidence to it. After creating the case, EnCase will display the case features. Click the “Add Evidence” $ item to add an existing evidence file to the case. This is shown in Figure 6-3.

Figure 6-3: Case Window 45

4. After an evidence file has been added to the case file, you will see a window similar to what is shown in Figure 6-4. On the left side of the window is the Tree Pane. The right side of the window displays the Table Pane. At the bottom of the window is the Details Pane.

Figure 6-4: Evidence File in EnCase 5. At the bottom of the window, as shown in Figure 6-4, on the left the full path to the highlighted item is displayed %. At the bottom of the window on the right & will be the status of any activities, i.e., evidence verification, EnScript activity, file recovery, etc.,. (The first time the evidence file is accessed, EnCase will validate the integrity of the file by conducting a file verification and rehashing of the evidence.)

46

Digital Forensics Workbook

6. The panes of the window are contextual, which means the contents within them will change depending on what has been selected. Clicking on each of the triangles in the Tree Pane will display the directory’s contents. When a directory is selected, the contents within the directory are shown on the right in the Table Pane '. When an object is selected, the details regarding that object are shown in the Details Pane at the bottom of the Window (. This is shown in Figure 6-5.

Figure 6-5: Evidence File with expanded options 7. Notice that many columns in the Table Pane will not be populated until the relevant actions are performed in EnCase. For example, the Signature Analysis column and File Type column are both empty until a File Signature Analysis is performed using the Case Processor. 8. You can sort the data being displayed in the Tree Pane by double-clicking any of the column headers. If you want to sort the contents by file extension, double-click on “File Ext.” If you want to sort by file name, double-click on “Name.”

47

9. It is possible to select several files or directories at once within an evidence file. Marking the checkbox next to each item, either in the Tree Pane or in the Table Pane will select (or deselect) an item. When an item is selected, a blue checkmark will appear in the check box. This is shown in Figure 6-6. In this example four files were selected ). It will be possible to recover multiple files at the same time using this feature in combination with “Copy Files” or “Copy Folders,” which will be shown in the upcoming steps.

Figure 6-6: Evidence items after “Blue Checking” them 10. It is a strong suggestion that you not “bluecheck” all files in the evidence file. If you mistakenly recover the files, when everything is selected, you could inadvertently recover ALL files within the evidence file, including the operating system, sub-directories and non-relevant artifacts. This could consume all available drive space on your forensic computer.

48

Digital Forensics Workbook

11. When conducting an analysis of an evidence file, sometimes it is convenient to examine a directory and all of its contents, which includes files and all of the sub-directories and the sub-directories’ subdirectories. To “flatten” a directory and display all contents on one level, you can use the “homeplate” button, which is shown in Figure 6-7 *. After clicking a “homeplate” button in the Tree pane (and having the item highlighted), the contents will be flattened and displayed in the Table pane.”

Figure 6-7: Folders “flattened” with home plate item checked

49

12. In EnCase, it is possible to recover a single file, multiple files, a directory, and multiple directories from the evidence file. In order to recover a single file, right-click the file and from the pop-up menu select “Entries” > “Copy Files…” !. This is shown in Figure 6-8. A dialog box will appear asking the examiner to select several options, including the location of the recovered files.

Figure 6-8: Recovering files from the evidence file 13. To recover multiple files at the same time, first “bluecheck” the files to be recovered and then rightclick one of the files. From the pop-up menu select “Entries” and then select “ Copy Files…” 14. To recover a directory and its contents, right-click the folder and from the pop-up menu select “Entries” and then select “Copy Folders…” " . 15. If you attempt to recover a directory and use the “Copy Files…” feature and not “Copy Folders…,” EnCase will not recover the directory as you might expect. It will create a small file, which represents the directory.

50

Digital Forensics Workbook

16. When working in EnCase, there are times when an examiner may wish to display the contents of compound files, such as the Windows Registry files or Microsoft Office files. This can be done in EnCase by mounting the file. Bear in mind there is no native way to unmount the file in EnCase, version 7. If you wish to unmount a file, which has been mounted, you will need to download the appropriate EnScript from Guidance Software’s web site and run it. 17. To mount a compound file in EnCase, right-click the file and from the pop-up menu select “Entries” and then select “View File Structure” from the menu #. This is shown in Figure 6-9. Because dealing with compound files, such as the Registry, in EnCase is can be cumbersome, some examiners choose to recover the files from the Evidence file using “Copy Files…” and conduct analysis with thirdparty tools.

Figure 6-9: View File Structure option

51

Activity 6-2: Recovering Files From Forensic Images with Autopsy In this activity you will recover files from a forensic image with Autopsy. Tools: Product: Manufacturer: Web site:

Autopsy Brian Carrier http://www.sleuthkit.org/autopsy/download.php

Instructions: 1. Download and install Autopsy. 2. Download drive2.E01 from the Digital Forensics Workbook web site and place the image on your desktop. 3. Launch Autopsy. 4. In the “Welcome” window, click the button named “Create New Case.” 5. In the “New Case Information” window, as shown in Figure 6-10, add a case name, which is mandatory. The directory in which the case data will be saved will be populated automatically based on the case name. After entering the name click the “Next” button.

Figure 6-10: Autopsy’s New Case Information window 6. Click the “Finish” button. 7. The “Add Data Source” window will appear. It may take a moment to launch.

52

Digital Forensics Workbook

8. In the “Add Data Source” window browse to drive2.E01 and click the “Next” button as shown in Figure 6-11.

Figure 6-11: Autopsy’s Add Data Source window 9. The user will be presented with a list of Ingest Modules, which will automatically run once the evidence file is loaded. This is shown in Figure 6-12. Because this evidence file is small, you can leave the default options selected and click the “Next” button.

Figure 6-12: Ingest Modules 10. Click the “Finish” button.

53

11. Autopsy’s main window is broken up into three panes or viewers: the Tree Viewer, the Result Viewer, and the Content Viewer. The status of the processing of the Ingest Modules ! will be displayed in the lower right corner of the window as shown in Figure 6-13.

Figure 6-13: Ingest Module processing status 12. In the Tree Viewer click the plus (+) symbol next to Data Sources and drill down into drive02.E01. 13. Navigate down to C:\Windows\system32 as shown in Figure 6-14.

Figure 6-14: Tree Viewer with file structure of drive02.E01 54

Digital Forensics Workbook

14. Right-click on the file named nsadmin.exe and select “Extract File(s)” " from the pop-up menu as shown in Figure 6-15.

Figure 6-15: “Extract File(s)” feature in Autopsy 15. Identify a location to save the file and click the “Save” button. 16. It is possible to extract multiple files simultaneously in Autopsy by SHIFT-clicking files and then right-clicking one of the highlighted files. From the pop-up menu choose, “Extract File(s)” # as shown in Figure 6-16.

Figure 6-16: Recovering multiple files from an evidence file using Autopsy 55

Activity 6-3: Recovering Files From Forensic Images with FTK Imager In this activity you will recover files from a forensic image with FTK Imager. Tools: Product: Manufacturer: Web site:

FTK Imager AccessData Group, Inc. http://accessdata.com/product-download

Instructions: 1. Download and install FTK Imager. 2. Download drive2.E01 from the Digital Forensics Workbook web site and place the image on your desktop. 3. Launch FTK Imager. 4. From the main menu, select “File” and then select “Add Evidence Item” !. This is shown in Figure 6-17.

Figure 6-17: FTK Imager window with File menu

56

Digital Forensics Workbook

5. When prompted to choose a source type, as shown in Figure 6-18, select “Image File.” After changing the selection, click the “Next” button. (Note: FTK Imager can be used to view the live local hard drives of the system on which it has been installed by choosing Physical Drive or Logical Drive.)

Figure 6-18: “Select Source” dialog box 6. Browse to the desktop and select drive2.E01. Click the “Finish” button. 7. FTK Imager will mount the evidence file, as shown in Figure 6-19.

Figure 6-19: Mounted evidence file 8. Click the plus (+) symbol next to the drive to expand the directory structure. 57

9. In the expanded tree structure, the volume name " and file system # are displayed as shown in Figure 6-20.

Figure 6-20: File system data 10. Navigate down the file structure and go to \root\Windows\system32. 11. To extract a file (in this example the file named ndadmin.exe will be chosen), right-click on the file and select “Export Files…” $ from the pop-up menu as shown in Figure 6-21.

Figure 6-21: “Export Files…” option 58

Digital Forensics Workbook

12. Choose a destination to which the file will be saved and click the “OK” button. 13. After the file is exported, the results of the extraction along with the file’s size will be displayed as shown in Figure 6-22.

Figure 6-22: Results of a successful copy 14. To recover multiple files simultaneously, SHIFT-click multiple files to highlight them as shown in Figure 6-23.

Figure 6-23: Multiple selected files in FTK Imager 15. Right-click one of the highlighted files and choose “Export Files…” from the pop-up menu.

59

Additional Exercises: 1. Download drive11.E01 from the Digital Forensics Workbook web site and save the file to your desktop. 2. Recover the following files: All Microsoft Word documents from C:\Users\jsmith\My Documents\. a.

How many Microsoft Word documents were recovered?

b. What were the names and sizes of the Microsoft Word documents? All executables from the C:\Users\jsmith\Downloads\. c.

How many executables were recovered?

d. What were the names and sizes of the executables? All Excel spreadsheets from C:\Users\jsmith\Desktop\. e.

How many Microsoft Excel spreadsheets were recovered?

f.

What were the names and sizes of the Excel spreadsheets?

60

7 ARTIFACTS IN THE REGISTRY Aside from containing configuration settings for a Windows-based system, the Windows Registry contains a wealth of data pertaining to system usage. Users might think twice, if they knew how much information is retained in the collective set of files known as the Registry. Since manipulating the Registry is something the typical computer user does not do, the data found in the Registry is considered inherently more reliable (although not perfect) compared to user data files. Two of the principle concerns with analyzing the Registry are: 1. Knowing what data stored in the Registry 2. Retrieving the data in a usable format. There are a variety of tools available to help parse the Windows Registry. Some tools are command-line driven, which allow for scripting or batch processing, while others contain a graphical user interface to allow data to be more easily read and understood. With both tools it is helpful to have an understanding of how data is stored in the hives and in what format. On Windows-computer systems with large storage capacities some investigators find examining the Registry to be an effective triage, because it is easier to recover all of the Registry files and focus on them rather than performing a physical acquisition of a multi-terabyte drive. The Windows Registry is compromised of the following data files: C:\Windows\system32\config\default C:\Windows\system32\config\SAM C:\Windows\system32\config\SECURITY C:\Windows\system32\config\software C:\Windows\system32\config\system C:\Users\username\NTUSER.DAT (for each user profile on the system) When the files are loaded into memory the Registry takes the form of: HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG The activities presented here will examine a number of popular Registry entries, but clearly not all artifacts.

61

Activity 7-1: Reading Offline Registry Files with Regedit In this activity you read an offline Registry file with Regedit. Tools: Product: Manufacturer: Web site:

Regedit Microsoft Corporation https://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx

Warning: Please be extremely careful, when using Regedit. Changes made to the active Registry can cause unstable conditions in Windows. Instructions: 1. Download the file called “RegistryFiles-1.zip” from the Digital Forensics Workbook web site and extract the contents of the compressed file to your desktop. 2. Open a command prompt on a Windows computer. 3. At the prompt type the following command to launch the Registry Editor and press the “Enter” key: regedit 4. When the Registry Editor launches, ensure all keys are collapsed. The Regedit window should appear identical to what is shown in Figure 7-1.

Figure 7-1: Collapsed Windows Registry 62

Digital Forensics Workbook

5. In the Regedit window, left click on HKEY_LOCAL_MACHINE. It will highlight. Do not open it. 6. From the main menu select “File” and then select “Load Hive…” from the pull-down menu. (If HKEY_LOCAL_MACHINE is not highlighted, this menu item will not appear.) 7. Browse to the directory on the desktop with the Registry files retrieved from the web site. 8. Select the file called SOFTWARE. When loading the file, you will be prompted to enter a name in the “Load Hive” window. Enter the name “TEST” and click the “OK” button. 9. Expand HKEY_LOCAL_MACHINE. The results will match what is shown in Figure 7-2. The loaded hive will appear with the name TEST ! as shown.

Figure 7-2: Registry with loaded TEST hive 10. Confirm the logon banner contained within the Windows Registry of the TEST hive by navigating down to the following Registry key: HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows\CurrentVersion\Policies\System

11. After navigating down to the key, the path will be displayed in the lower left corner of the screen as shown in Figure 7-3 ". Notice two keys: legalnoticecaption # and legalnoticetext $. The former would contain the text value, which appears in the title bar of the consent banner. The latter is the actual message contained within the body of the consent banner.

63

Figure 7-3: Registry key containing Consent Banner (or absence of one) 12. What consent banner is shown on this computer? No consent banner is displayed based on the empty values in this Registry file. (In this hive, the consent banner has been removed and nothing will be displayed at logon. The absence of the banner may cause legal concerns during the examination of corporate assets. In this example the absence of data is a finding.) 13. Navigate to the following key to identify the installation information for the versions of Windows: HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows NT\CurrentVersion 14. The results of the navigation should appear in a window identical to what is shown in Figure 7-4.

Figure 7-4: Windows installation information 64

Digital Forensics Workbook

15. What is the name of the Windows product? The official name is Windows 7 Professional %. 16. What is the product ID number? The product ID number is 00371-868-0000007-85715 &. 17. In what directory on the system is the operating system running? The operating system is using C:\Windows '. 18. When was the operating system installed? Based on the Registry, the installation date is listed as 1290523619 (, which is a timestamp recorded in Epoch time. Using a resource, such as www.epochconverter.com, converts the value to November 23, 2010 at 14:46:59 GMT. 19. Collapse the Registry keys. 20. Click on the key named TEST. From the main menu select “File” and then choose “Unload Hive…”

65

Activity 7-2: Reading Offline Registry Files with Windows Registry Recovery In this activity you read an offline Registry file with Windows Registry Recovery. Tools: Product: Manufacturer: Web site:

MiTeC Windows Registry Recovery Michal Mutl http://www.mitec.cz/wrr.html

Instructions: 1. Download the file called “RegistryFiles-1.zip” and extract the contents to the desktop of the computer. 2. Download Windows Registry Recovery and extract the executable from the compressed file and place it on your desktop. 3. Launch Windows Registry Recovery. 4. From the main menu, select “File” and then select “Open.” Choose the SYSTEM Registry hive. The Windows Registry Recovery window will appear identical to what is shown in Figure 7-5.

Figure 7-5: Windows Registry Recovery with SYSTEM hive loaded 5. On the menu on the left side of the screen click the “Services and Drivers” button. A list of services located in the SYSTEM hive will be displayed as shown in Figure 7-6.

66

Digital Forensics Workbook

Figure 7-6: Windows Registry Recovery with Services from SYSTEM hive 6. On the menu on the left side of the screen click the “Network Configuration” button. 7. In the right frame, click the “TCP/IP” tab. The network information from the Registry including the IP address will be displayed as shown in Figure 7-7.

Figure 7-7: Windows Registry Recovery with “Network Information” from SYSTEM hive 67

8. While the path inside the Registry is not displayed, the network information was retrieved from: SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces. (Note: Windows can maintain multiple configuration settings in the Registry by using “Control Sets.” SYSTEM hives may have multiple control sets, i.e., ControlSet001, ControlSet002, ControlSet003, etc.,. When reading the Registry it is necessary to determine which control set is the active configuration. Windows Registry Recovery identified the “Current Control Set,” which was set to ControlSet001 in this example, and then read the appropriate Registry keys.) 9. The DHCP assigned IP address of 192.168.1.4 ! is listed along with the date the lease was obtained (0x4CFD7EF5 = 1291681525 (UNIX Epoch Time) = December 7, 2010 at 00:25:25 GMT) " and the date the lease expired (0x4CFED074 = 1291767924 (UNIX Epoch Time) = December 8, 2010 at 00:25:24 GMT) # . 10. From the main menu select “File” and then select “Open.” Browse to the SAM file. 11. After the SAM file loads, click the “SAM” button on the left side of the window. 12. On the right side of window click the “Groups and Users” tab. The list of user accounts and groups will be displayed as shown in Figure 7-8.

Figure 7-8: Windows Registry Recovery with User Account Information from SAM hive

68

Digital Forensics Workbook

Activity 7-3: Reading Offline Registry Files with RegRipper In this activity you recover and view various Registry entries using RegRipper. Tools: Product: Manufacturer: Web site:

RegRipper Harlan Carvey https://github.com/keydet89

Instructions: 1. Download the file named “RegistryFiles-1.zip” and extract the contents to the desktop of the computer. 2. Download RegRipper and extract the contents of the compressed file to the desktop. 3. Launch RegRipper by double-clicking on rr.exe. After launching the application, the RegRipper window should appear as shown in Figure 7-9.

Figure 7-9: RegRipper application 4. Click the top button labeled “Browse” ! and select the NTUSER.dat file. 5. Click the middle button labeled “Browse” " and identify a location to save the output. Also provide a name for the text file output. 6. In the pull-down menu next to “Profile” # identify the type of file to be examined. In this example it is “ntuser.” 7. Click the “Rip It” button to process the Registry file. 69

8. Open the text file with the results. This will match what is shown in Figure 7-10.

Figure 7-10: RegRipper results for NTUSER.dat 9. The results from the file have been parsed and the Registry keys are listed with the various output so the user can go back to the actual Registry files, if desired. 10. Based on the output, what “typed URLs” were entered into Internet Explorer by the user of this account? (Note: These URLs may not have fully typed by the user, but they were entered in the address bar.) The “typed URLs” appear in the Registry key: Software\Microsoft\Internet There were seven URLs entered into Internet Explorer, which include: url1: http://www.google.com/ 70

Explorer\TypedURLs

Digital Forensics Workbook

url2: http://fedex.com/us/sports/fedexracing/employeelogin.html url3: http://www.facebook.com/ url4: http://www.cnn.com/ url5: http://www.apple.com/ url6: https://gmail.google.com/ url7: http://go.microsoft.com/fwlink/?LinkId=69157 11. Rip the SYSTEM file in the same manner as the NTUSER.dat file. 12. Open the text file, which has the results, and scroll down to the section of the file, which contains the USBSTOR information. The results will match what is shown in Figure 7-11.

Figure 7-11: USBSTOR information from the SYSTEM Registry Hive 71

13. How many USB storage devices were connected to the computer? Only one USB storage device was connected to the computer. 14. What was the serial number of the USB storage device? The USB storage device had the serial number 250516021275AB06 $. 15. What was the name of the USB storage device? The name of the device provided by the vendor, CBM, was Prod_Flash_Disk %. 16. When was the USB storage device first connected to the computer? The USB storage device was first connected to the computer on December 6, 2010 at 19:57:38 PM &. Additional Exercises: 1. Download the file named “RegistryFiles-2.zip” and extract the contents to the desktop of the computer. 2. Extract the artifacts from the two files in the zip, i.e., SYSTEM and NTUSER.dat. a.

What was the IP address assigned to the computer?

b. How many USB storage devices were connected to this computer? c.

When was an iPod first connected to the computer and when was the last update to the Registry key with the serial number of the iPod?

d. Search through the NTUSER.dat file. When was the last Adobe Acrobat PDF opened and what was its name? e.

Google Update automatically launches and runs on computers using the NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run Registry key. Is Google Update installed on this computer and, if so, from where does the executable run?

f.

What were the “Typed Paths” (not “Typed URLs”) found in the NTUSER.dat file and when was the last path entered?

72

8 HASHING Hashing is the process of taking a string of binary digits and inputting them into a hash function, which will in turn perform a calculation based on the mathematical algorithm having been implemented. This will produce a fixed length number, also known as a hash. The most popular hashing functions in digital forensics are MD5, SHA1, and SHA256. Each uses a different algorithm and produces hashes of different lengths. For each unique input, there should be a unique output, i.e., hash. This is when forensic examiners use the analogy a hash is like a digital fingerprint. No two files should have the same hash. A slight change in input will typically produce a very different output. The source of the binary digits used for the input could be a file, such as a document or a forensic image, or even a string of characters. Hashing functions are one-way calculations, which means it is not possible to determine the original input based on the hash. Hashing is typically performed for one of three purposes: 1. To uniquely identify a file. 2. To compare two files against each other to show that they are identical copies or not. 3. To search through a list of files to identify known files, e.g., searching through a list of files using hashes of known contraband or known “good” files, i.e., previously verified and hashed operating system files. There are a number of tools available to calculate the hashes of an individual file and groups of files/folders. Tools such as Autopsy, EnCase, and FTK allow examiners to calculate sets of hashes for comparing files in forensic images against known sets.

73

Activity 8-1: Hashing Individual Files Comparison In this activity you will calculate hashes of files, which appear to be similar, and compare the hashes. Tools: Product: Manufacturer: Web site:

HashCalc SlavaSoft http://www.slavasoft.com/hashcalc/

Instructions: 1. Download and install HashCalc. 2. Download the file named “File_Hashing_1.zip” from the Digital Forensics Workbook web site. Extract the contents and place the files on the desktop. 3. Open the folder with the three files. The files will be displayed in a window as shown in Figure 8-1.

Figure 8-1: Images 4. Open each of the three images, Image1.jpg, Image2.jpg, and Image3.jpg. The pictures will appear as shown in Figure 8-2.

Figure 8-2: A visual comparison the three images 74

Digital Forensics Workbook

5. Right-click each file and look at the “Details” tab of the Properties window. You should see what is displayed in Figure 8-3.

Figure 8-3: Details tab of the Properties window for each file. 6. Launch HashCalc. The HashCalc window will appear as shown in Figure 8-4.

Figure 8-4: HashCalc window

75

7. By default, HashCalc will generate four hashes for each input. What are the four hashing algorithms, which are used by default? By default, HashCalc will calculate MD5, SHA1, RIPEMD160, and CRC32 hashes. Other options may be selected. 8. Drag Image1.jpg into the open HashCalc window. HashCalc will automatically calculate the hashes using the file as input as shown in Figure 8-5.

Figure 8-5: Hashes of Image1.jpg 9. What is the MD5 hash of Image1.jpg? The MD5 hash is 71800aa19a191caf813397386f66573b !. 10. On the desktop, rename Image1.jpg to “Statue_of_Liberty.jpg.” 11. Drag the renamed file into the open HashCalc window. 12. What is the hash value of the file? The MD5 hash is still 71800aa19a191caf813397386f66573b. 76

Digital Forensics Workbook

13. Why did the hash value not change? The hash is calculated using the file’s contents and not using external meta data such as the file’s name or timestamps. 14. Drag Image2.jpg into the open HashCalc window and record the hashes. 15. Drag Image3.jpg into the open HashCalc window and record the hashes. 16. Which of the two files, Image2.jpg or Image3.jpg, is an identical match to Image1.jpg? The hashes of Image2.jpg are: MD5: 71800aa19a191caf813397386f66573b SHA1: 078bae59af4752e670d8f6acf49d64df78c766b2 The hashes of Image3.jpg are: MD5: 0e5b5b83be6471c7b0bad6a5861e3d53 SHA1: e5f05de658d7385a86c72062b9d3724733fcfafb Based on hashes, Image1.jpg and Image2.jpg are identical. Image1.jpg and Image3.jpg are not identical copies of one another even though the pictures appear to be the same. Additional Exercises: 1. Download the file named “File_Hashing_2.zip” from the Digital Forensics Workbook web site. Extract the contents and place the files on the desktop. 2. Calculate the hashes of each file. a.

Which files are exact matches?

77

Activity 8-2: Hashing Folders and Their Contents for Comparison and Searching In this activity you will calculate hashes of a folder’s contents and search the folder for a known hash value. Tools: Product: Manufacturer: Web site:

HashMyFiles NirSoft http://www.nirsoft.net/utils/hash_my_files.html

Instructions: 1. Download and install HashMyFiles. 2. Download the files named “File_Hashing_2.zip” and “File_Hashing_3.zip” from the Digital Forensics Workbook web site. Extract the contents and place them on the desktop in their respective folders. 3. Launch HashMyFiles. A window will appear, which is identical to the one shown in Figure 8-6.

Figure 8-6: HashMyFiles 4. From the main menu, select “File” and then “Add Folder.” 5. In the “Select Folder” dialog box, browse to “File_Hashing_2” and click the “OK” button. HashMyFiles will automatically calculate the hashes of the ten files in “File_Hashing_2.” This is shown in Figure 8-7. Files with matching hashes appear with same color.

Figure 8-7: Results of hashing an entire folder’s contents 78

Digital Forensics Workbook

6. From the main menu, select “File” and then select “Add Folder.” 7. In the “Select Folder” dialog box, browse to “File_Hashing_3” and click the “OK” button. HashMyFiles will automatically calculate the hashes of the files in “File_Hashing_3” and append them to the previously hashed files. This is shown in Figure 8-8.

Figure 8-8: Hashed results of multiple folders 8. Based on the HashMyFiles window, how many files have been hashed? Thirty-eight files have been hashed in total !. 9. Do the files “File-Hashing-9.docx” and “File-Hashing-9 - Copy.docx” have the same hashes? No. Even though the name “File-Hashing-9 - Copy.docx” suggests a copy was made of the original, the contents of the two files do not match. 10. From the main menu, select “Edit” and then select “Find.” In the “Find” dialog box enter the following hash value: b638b9a62b9623babaa28af46e0f7409. 11. Which file matched the hash value that was sought? File-Hashing-15.docx contains the hash value b638b9a62b9623babaa28af46e0f7409. Additional Exercises: b. Which files have the hash 1db3c94e386cc8a3cdd8bfffc084f1fa? c.

Which files have the hash a26337b5c811c0ea3d5f1a228495984a30c7c75f? 79

Activity 8-3: Hashing Evidence Files for Validation In this activity you will calculate the hash of an evidence file to ensure its integrity is intact. Tools: Product: Manufacturer: Web site:

HashCalc SlavaSoft http://www.slavasoft.com/hashcalc/

Product: Manufacturer: Web site:

FTK Imager AccessData Group, Inc. http://accessdata.com/product-download

Instructions: 1. Download and install HashCalc. 2. Download and install FTK Imager. 3. Download the forensic image named drive1.E01 from the Digital Forensics Workbook web site and save the file to the desktop of your computer. 4. Launch HashCalc. 5. Drag drive1.E01 into the open HashCalc window. The results of the subsequent hashing is shown in Figure 8-9.

Figure 8-9: Hashing of drive1.E01 80

Digital Forensics Workbook

6. What are the MD5 and SHA1 hash values of the file? MD5: SHA1:

2ccfa510ee28712b01544594f4fad721 ! 2baa0524e34a684e615061829b21d6b33cd906f8 "

7. Launch FTK Imager. 8. From the main menu select “File” and then select “Add Evidence Item…” 9. In the “Select Source” dialog box, select the radio button next to “Image File” and click the “Next” button. 10. Browse to the desktop, select drive1.E01, and click the “Finish” button. 11. From the main menu select “File” and then select “Verify Drive/Image…” 12. The results of drive verification should match what is shown in Figure 8-10.

Figure 8-10: Drive/image verification results 13. What are the MD5 and SHA1 hashes returned from the drive verification? MD5: SHA1:

ef7524255c11ac089e532cd3db4d1d46 # c89f230d0b9a2bb221dc6036b24e8f293dd0c079 $

14. Should the hashes from HashCalc and FTK Imager match? No, the hashes should not match. The hashes from HashCalc are for the .E01 file, which contains the data from the acquired drive, a header, CRC checks, hashes, and compression. The hashes from FTK Imager’s drive verification are only for the data from the acquired drive. 81

Activity 8-4: Hashing Evidence with Hash Sets In this activity you will create a hash set in Autopsy and search for specific files Tools: Product: Manufacturer: Web site:

Autopsy Brian Carrier http://www.sleuthkit.org/autopsy/download.php

Instructions: 1. Create a text file with the name hashset.txt and save it to your desktop. 2. Inside hashset.txt add the following lines of text: 92bb2e9aa28542c685c59efcbac2490b cd47548a52b02d254bf6d7f7a5f2bfd3 0290945054b80ff4ca100cbde2a4afba fe968eb85fb8a2e5df6af311423bee16 3d0b9ea79bf1f828324447d84aa9dce2

file1 file2 file3 file4 file5

3. Download and install Autopsy. 4. Download drive4.E01 from the Digital Forensics Workbook web site and place the image on your desktop. 5. Launch Autopsy. 6. In the “Welcome” window, click the button named “Create New Case.” 7. In the “New Case Information” window add a case name. Click the “Next” button. 8. Click the “Finish” button. 9. The “Add Data Source” window will appear. It may take a moment to launch. 10. In the “Add Data Source” window browse to drive4.E01 and click the “Next” button.

82

Digital Forensics Workbook

11. The user will be presented with a list of Ingest Modules, which will run automatically after the evidence file is loaded. Deselect all items except “Hash Lookup.” The Ingest Modules screen should be identical to the picture shown in Figure 8-11.

Figure 8-11: Ingest Modules with only Hash Lookup selected 12. Click on “Hash Lookup” in the Ingest Modules window and then click the “Advanced” button. 13. The “Hash Set Configuration” window will appear as shown in Figure 8-12.

Figure 8-12: Hash Set Configuration window 14. Click the “Import Database” button.

83

15. In the “Import Hash Database” window, as shown in Figure 8-13, browse to the hashset.txt file on your desktop. After selecting the file, click the “OK” button. (For this exercise, we will treat the list of three hashes as identifiers for “known bad” files, which is the default setting.)

Figure 8-13: “Import Hash Database” window with hashset.txt 16. After clicking the “OK” button, the new hash set will appear in the “Hash Set Configuration” and the text will be displayed in red as shown in Figure 8-14.

Figure 8-14: Hash Set Configuration with new hash set 17. Unless the hash set is indexed, Autopsy will not be able to use the hashes for searches. Click the “Index” button in the “Hash Set Configuration” window. (Note: If the list of hashes is updated, the database will need to be re-indexed in this window.) 18. Click the “OK” button.

84

Digital Forensics Workbook

19. Ensure the checkbox next to the hash set is marked as shown in Figure 8-15.

Figure 8-15: Enabled hash set 20. Click the “Next” button. 21. Click the “Finish” button. 22. The search based on the hash sets will be run automatically. 23. The results of the hash set will be displayed in the main Autopsy window as shown in Figure 8-16. The list of matches will be displayed in the Tree Viewer ! with details in the Results Viewer ".

Figure 8-16: Autopsy hash lookup results 85

24. How many files matched those values listed in the hash set? In this example, only three of the five hash values were found in the drive4.E01 evidence file. 25. Note: If the hash lookup returned no results, ensure that: a. There were no typos in the list of hashes. b. The hash set is still enabled. Autopsy has been known to disable the hash set on an initial launch. Additional Exercises: 1. Download drive11.E01 from the Digital Forensic Workbook web site. 2. Create a hash set in Autopsy with the following values: 087f8deebae1d99821b276a9f8b97730 f25849c99f2350455534b43d74e1264f 26ddb1ff59bd0052de9cbafcf4943dcf 18ce1488e14e2b70a8bea174c11db7f6

filea fileb filec filed

3. Run the hash lookup. d. What files matched the hashes provided? 4. Modify the hash set to include the following hash: 89952c4fb4da949598e6c97bf4acccc6 filee 5. Re-run the Hash Lookup Ingest Module. e.

How many more files were identified with the new search?

86

9 FILE SIGNATURE ANALYSIS File signatures, also called “Magic Numbers,” are embedded within a file’s header and the signatures are used to identify a file’s type. They are typically between two and ten bytes long. Some operating systems rely on file signatures to associate a data file with the application that can be used to open and modify the file. Some operating systems, such as Windows, do not rely on file signatures. Instead, Windows relies on a file’s extension. The issue with this convention is a file’s name and extension may not be available during an investigation, e.g., the name of the file is corrupt and unreadable or a user changed a file extension intentionally or unintentionally. As a result, the true nature of a file may be obscured. File signature analysis is the process of comparing a file’s signature with its file extension.

87

Activity 9-1: File Signature Analysis In this activity you will examine several files to determine their signatures and then look up those values online to determine the file’s type. Tools: Product: Manufacturer: Web site:

WinHex X-Ways http://www.x-ways.net/winhex/

Instructions: 1. Download and install WinHex. (Another hex editor may be used, if desired.) 2. Download the compressed file “File_Signature-Examples.zip” from the Digital Forensics Workbook web site. 3. Extract the contents of the compressed file and place them on the desktop of the computer. Note that none of the files have extensions. 4. Launch WinHex. You will see the screen as shown in Figure 9-1.

Figure 9-1: WinHex window

88

Digital Forensics Workbook

5. Open the file named “File1” in WinHex. The window will appear as shown in Figure 9-2.

Figure 9-2: WinHex window with “File1.” 6. What are the first eight bytes of the file? The first eight bytes are 50 4B 03 04 14 00 06 00 !. 7. Open a browser and go to: http://www.garykessler.net/library/file_sigs.html. 8. Search the web page for the signature identified in step six. 9. What is the file extension associated with the extension? The file signature is associated with a Microsoft Office Open XML Format (OOXML) file. All Office files, including Word documents, Excel spreadsheets, and PowerPoint presentations contain the same signature. To determine which type of Microsoft Office file it could be, one of two approaches can be take: Either review the metadata in the file’s header to determine the actual file type or use trial and error. In trial and error, an examiner would add an Office extension to the file, e.g., .docx, .xlsx, .pptx, and attempt to open it. This file is specifically a Microsoft Word document. Additional Exercises: a.

What is the file signature, file type, and file extension associated with File2? 89

b. What is the file signature, file type, and file extension associated with File3? c.

What is the file signature, file type, and file extension associated with File4?

d. What is the file signature, file type, and file extension associated with File5? e.

What is the file signature, file type, and file extension associated with File6?

f.

What is the file signature, file type, and file extension associated with File7?

g. What is the file signature, file type, and file extension associated with File8? h. What is the file signature, file type, and file extension associated with File9?

90

10 FILE ANALYSIS When analyzing files recovered from a piece of media, it is important to examine more than the just the contents, i.e., the visible body of the file, itself. Frequently, when a file is saved to a piece of media, additional data is saved. This data describes the file in question and it can be extremely valuable. This "data about data" is frequently called meta data. The most commonly analyzed meta data includes: filenames, timestamps, and file ownership. Most of this data is stored in the file system and not inside the file, itself; however, it is important to realize that there is a variety of meta data that is generated by different sources and stored in different places. This information can provide valuable leads in cases. Meta data was extremely important in identifying the MAC address of the computer that created the “I LOVE YOU” virus in May 2000. (Did you know that Microsoft Office 97 recorded the MAC address of the computer that created the file in the file, itself? Later versions of Microsoft Office stopped recording this information.) In a different incident, meta data was retrieved from pictures that were uploaded to hacked FBI web sites. This meta data, which contained geo-coordinates, helped lead to the capture of Higinio O. Ochcoa III, a.k.a., w0rmer, of Cabin Cr3w. Meta data can be created by a variety of sources, including: • the operating system • the application, which creates the file, itself • the user (which is a manual process) Meta data can be stored in a variety of locations, including: • on the file system • within the file, itself • within external files, such as log files or shortcuts in the “Recent” directory (on a Windows-based computer) When meta data is created automatically and stored in a location, which cannot be typically modified by the user, the meta data has inherent reliability. Meta data, which is created by the user and can subsequently be modified by the user is less reliable, because anyone could modify the data at any time; however, this does not mean it has no value. User files frequently contain meta data within the files, but the user typically does not see or alter this information. This information is often stored in the file’s header or in the file’s footer. This may include the file’s author, the number of revisions, the name of the last editor, time stamps, and other valuable information. When Microsoft started using Open XML as the format for its user files, the amount of meta data stored in the file increased. This information can be accessed in a number of ways including through the use of an XML viewer. 91

Most, but not all, digital photos are saved in the exchangeable image file (EXIF) standard, which retains a significant amount of information. The EXIF standard is used with the following file types: JPG, TIF, NEF, ORF, MRW, PSD, RAF, and MOV. This information resides within the header of the file and is typically transparent to the user. If an examiner can recover the pictures from a smartphone or camera, chances are he/she can learn a great deal about the circumstances surrounding a photo. The following is a list of meta data that can be saved by current smartphones inside digital photos: • The manufacturer and model of the phone • The time when the picture was taken • The original resolution • The exposure setting • The focal length setting • Whether or not the flash was used • The GPS coordinates of the phone at the time the picture was taken

92

Digital Forensics Workbook

Activity 10-1: File Analysis – Microsoft Office Files In this activity you will examine meta data contained within Microsoft Office files. Tools: Product: Manufacturer: Web site:

Windows native compression utility Microsoft Corporation http://www.microsoft.com

Instructions: 1. Download the zip files named “File_Analysis.zip” from the Digital Forensics Workbook web site. 2. Extract the Word document named “File_Analysis.docx” from the zip file and place it on your desktop. 3. Do not open the file after downloading it. 4. Rename the file from “File_Analysis.docx” to “File_Analysis.zip”. 5. The file’s icon should look like the one shown in Figure 10-1.

Figure 10-1: Renamed file 6. Open the renamed file. 7. After opening the renamed file, you should see a window identical to what is shown in Figure 10-2.

Figure 10-2: Internal elements of Word document 93

8. Double-click on the item named “docProps.” You will reveal two files: app.xml and core.xml. 9. Double-click on the item named “core.xml” to display the XML contents in a browser window. You should see a window similar to what is shown in Figure 10-3.

Figure 10-3: Data within core.xml 10. Based on the contents of core.xml, who created the Word document? The Word document was created on a computer, where the username in Microsoft Word was set to “Charles Galileo” !. Typically, the username and user’s initials are added to Word on installation of the software. (Note: It is possible to manually change this meta data by right-clicking a file and going to “Properties.”) 11. Based on the contents of core.xml, who last modified the Word document? The Word document was last modified on a computer, where the username in Microsoft Word was set to “Michael Robinson” ". (Note: This value is not modifiable through a file’s “Properties” window.) 12. Based on the contents of core.xml, when was the document last modified? The document was last modified on December 12, 2013 at 15:43:00 zulu #. 13. Based on the contents of core.xml, how many times was the document modified? The document was modified three times $. 14. What is the benefit of looking through the properties this way as compared to looking at properties from within the Microsoft Word application? Microsoft Word will update the properties of the file, when it is used to open the Word document. This will ensure that the native application does not alter the file during the examination. Additional Exercises: Extract the PowerPoint presentation file and Excel spreadsheet from the zip file. a.

Who created the PowerPoint presentation?

94

Digital Forensics Workbook

b. When was the PowerPoint presentation created? c.

Who last modified the PowerPoint presentation?

d. When the PowerPoint presentation modified? e.

Who created the Excel spreadsheet?

f.

When was the Excel spreadsheet created?

g. Who last modified the Excel spreadsheet? h. When was the Excel spreadsheet last modified?

95

Activity 10-2: File Analysis – EXIF data from Graphics Files In this activity you will examine EXIF data stored in the header of a graphics file. Tools: Product: Manufacturer: Web site:

ExifRead GMU various

Instructions: 1. Download the file “Photos_Example.zip” from the Digital Forensics Workbook web site and extract the contents to the desktop of your computer. 2. Launch the self-standing application called ExifRead.exe. 3. Upon launching the application, you should see a window identical to what is shown in Figure 10-4.

Figure 10-4: ExifRead.exe window

96

Digital Forensics Workbook

4. Drag the file called photo1.jpg into the open ExifRead.exe window. The EXIF data will be displayed as shown in Figure 10-5.

Figure 10-5: EXIF data from photo1.jpg

97

5. Based on the EXIF data, when was the picture taken? The picture was taken on June 7, 2014 at 16:47:07 !. 6. On what device was the picture taken? The picture was taken on an Apple iPhone 5s ". 7. Was the picture taken with the front camera lens or the back camera lens? The picture was taken the lens on the back of the camera #. 8. What were the GPS coordinates of the camera/phone, when the picture was taken? The GPS coordinates were North 42° 4337.2, West 78° 4849.48 $. (Note: North is positive (+), South is negative (-), East is positive (+), and West is negative (-). 9. In a browser open http://www.google.com/maps and determine the location of the coordinates. The location is shown in Figure 10-6. It is just outside Armor, New York. Zooming in on Google Maps places the camera at 211 Sherburn Drive, Hamburg, NY 14075.

Figure 10-6: Location of camera at time picture was taken Additional Exercises: i.

When was photo2.jpg taken based on the EXIF data?

j.

Where was the camera located when photo2.jpg was taken based on the EXIF data?

k. Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo2.jpg were manipulated by a third-party tool? l.

When was photo3.jpg taken based on the EXIF data?

98

Digital Forensics Workbook

m. Where was the camera located when photo3.jpg was taken based on the EXIF data? n. Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo3.jpg were manipulated by a third-party tool? o. When was photo4.jpg taken based on the EXIF data? p. Where was the camera located when photo4.jpg was taken based on the EXIF data? q. Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo4.jpg were manipulated by a third-party tool? r.

When was photo5.jpg taken based on the EXIF data?

s.

Where was the camera located when photo5.jpg was taken based on the EXIF data?

t.

Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo5.jpg were manipulated by a third-party tool?

99

100

Digital Forensics Workbook

11 INTERNET HISTORY Visiting web sites is a normal activity for computer users. It would be a struggle to find a networked computer, which has not been used to access or visit a web site. Not so long ago, if a user wanted to surf the web, s/he used Microsoft Internet Explorer. Now there are a number of browsers and it seems users have made up their own minds as to which browser they like the most. When Internet communication relied on expensive, relatively slow connections, e.g., dial-up connections, the use of caching was fairly important to improve the user’s experience and save bandwidth for more important, necessary communication. Even with high-speed access, browsers still cache data locally, because it is more efficient to retrieve data from a local cache rather than re-download it. Additionally, a web page can be viewed in an offline mode, when no Internet connection is available. These caches and cookies can provide valuable information into user activity. It can also reveal attack vectors in phishing or drive-by malware. What makes matters relatively complicated is sorting through all of the data contained within the spaghetti mess known as the Internet history and cache. When examining a computer system for access to the Internet, keep in mind that each browser will have its own cache. Table 11-1 contains the location of caches for some popular browsers:

Mac OS

Windows 7

OS

Browser Apple Safari Google Chrome Microsoft Internet Explorer Mozilla Firefox Apple Safari Google Chrome Microsoft Internet Explorer Mozilla Firefox

Cache Location C:\Users\username\AppData\Local\Apple Computer\Safari\ C:\Users\username\AppData\Local\Google\Chromium\profile\Cache\ C:\Users\username\AppData\Local\Google\Chrome\User Data\profile\Cache\ C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\ Content.IE5\ C:\Users\username\AppData\LocalLow\Microsoft\Internet Explorer\ C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\profile.default\places.sqlite C:\Users\username\AppData\Local\Mozilla\Firefox\Profiles\profile.default\Cache\ /Users/username/Library/Caches/com.apple.Safari/ /Users/username/Library/Caches/Chromium/profile /Cache /Users/username/Library/Caches/Google/Chrome/profile/Cache Discontinued in 2003 /User/username/Library/Application Support/Firefox/Profiles/profile.default/places.sqlite /Users/username /Library/Caches/Firefox/Profiles/profile.default/Cache/

Table 11-1: Location of browser caches on Windows and Mac OS Client-side cookies and a Downloads directory can also provide a history of Internet activity in addition to a browser cache. Client-side cookies, which are 4KB text files or smaller, contain a download time as well as an expiration date, along with other user settings to personalize a user’s browsing experience. When combining analysis of data from a local system, the information can be aligned with network logs, such as those maintained by firewalls, intrusion detection systems, web proxies, DNS servers, etc.,. Collectively, the information provides a holistic view of Internet communication.

101

Activity 11-1: Analyzing Chrome Internet Cache and History In this activity you will examine the cache maintained by Google Chrome using NirSoft’s ChromeCacheView and ChromeHistoryView. Tools: Product: Manufacturer: Web site:

ChromeCacheView NirSoft http://www.nirsoft.net/web_browser_tools.html

Product: Manufacturer: Web site:

ChromeHistoryView NirSoft http://www.nirsoft.net/web_browser_tools.html

Instructions: 1. Download ChromeCacheView. Extract the executable from the compressed file and place it on the desktop. 2. Download ChromeHistoryView. Extract the executable from the compressed file and place it on the desktop. 3. Download the file named “Compressed_Caches.zip” from the Digital Forensics Workbook web site and extract the folders to your desktop. (Keep the folder structures intact.) The cache for Google Chrome was extracted from the following location: C:\Users\admin\AppData\Local\Google\Chrome\User Data\default\Cache\ 4. Launch ChromeCacheView. 5. By default, when ChromeCacheView is launched, it will point to the cache stored on the local hard drive for the user account, which launched the application. 6. From the main menu select “File” and then choose “Select Cache Folder.” Browse to the following location: C:\Users\username\Desktop\Google\AppData\Local\Google\Chrome\User Data\default\Cache, where “username” is the name of the profile on your computer, and click the “OK” button. The results of the loaded cache will appear as shown in Figure 11-1.

102

Digital Forensics Workbook

Figure 11-1: Cache from Google Chrome 7. Click on the column labeled “URL” to sort the data alphabetically by URL. 8. When was www.starwars.com visited? www.starwars.com was visited on October 17, 2015 at 8:53:32 PM 9. When was the graphic “apple-touch-icon.png” last updated on the Star Wars web site? The picture was last updated on the server on October 15, 2015 at 4:51:17 PM. 10. When was www.cnn.com visited? The CNN homepage was visited on October 17, 2015 at 8:53:00 PM. 11. Launch ChromeHistoryView. By default, the application will point to the history stored on the local hard drive for the user account, which launched the application 12. On main menu select “Options” and then select “Advanced Options.” 13. Check the box next to “Use the following history file.” 14. Browse to the following location: C:\Users\username\Desktop\Google\AppData\Local\Google\Chrome\User Data\Default\History, where “username” is the name of the profile on your computer, and click the “OK” button. The results of the loaded cache will appear as shown in Figure 11-2.

103

Figure 11-2: Google Chrome’s History of Visited Sites 15. How many sites were visited? Only three web sites were visited, even though four are listed. The user went to http://www.yahoo.com and was automatically referred to https://www.yahoo.com. (Note: All of the content, which appeared in Figure 11-1, was related to visiting the three web sites listed in Figure 11-2. Many advertisements, banners, and scripts appear on those pages and are automatically loaded by the browser.) Additional Exercises: Sort the list of cached pages and objects by Server Response. a.

How many of the visited pages, as shown in Figure 11-1, returned server codes other than 200/OK?

b. Which sites provided redirects associated with moves being either temporary or permanent?

104

Digital Forensics Workbook

Activity 11-2: Analyzing Firefox Internet Cache and History In this activity you will examine the cache maintained by Mozilla Firefox using NirSoft’s MozillaCacheView and MozillaHistoryView. Tools: Product: Manufacturer: Web site:

MozillaCacheView NirSoft http://www.nirsoft.net/web_browser_tools.html

Product: Manufacturer: Web site:

MozillaHistoryView NirSoft http://www.nirsoft.net/web_browser_tools.html

Instructions: 1. Download MozillaCacheView. Extract the executable from the compressed file and place it on the desktop. 2. Download MozillaHistoryView. Extract the executable from the compressed file and place it on the desktop. 3. Download the file named “CompressedCaches.zip” from the Digital Forensics Workbook web site and extract the folders to your desktop. (Keep the folder structures intact.) The cache for Mozilla Firefox was extracted from the following locations: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\profile.default\Cache\ C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\profile.default\places.sqlite\ 4. Launch MozillaHistoryView. 5. When MozillaHistoryView is launched, the user will be prompted to enter the path to the places.sqlite database. By default, the application will look inside the local user’s profile. Browse to C:\Users\username\Desktop\Firefox\AppData\Roaming\Mozilla\Firefox\Profiles\ 9asfx3h5.default\places.sqlite, where “username” is the name associated with your user profile. (Note: It will be necessary to change the file type setting in the lower right corner of the screen using the pull-down menu. Change the option from “Mozilla history.dat to File (*.dat)” to “Firefox 3 places File (*.sqlite).) 6. Click the “OK” button. The results of the parsing will be displayed as shown in Figure 11-3.

Figure 11-3: Mozilla Firefox history of visited sites 105

7. How many sites were visited? Four sites were visited. Mozilla.org was visited after the installation and then three separate sites were visited: www.bbc.com, www.dccomics.com, and www.nytimes.com. 8. Scroll to the right site of the window and review the column named “Record Index.” 9. Which site was visited last? The New York Times web site was the last site visited, which occurred on October 17, 2015 at 9:39:26 PM. Additionally, the URL for the site was typed or copied-and-pasted into the browser. 10. Launch MozillaCacheView. 11. Redirect MozillaCacheView to the following directory: C:\Users\username\Desktop\Firefox\AppData\Local\Mozilla\Firefox\Profiles\9asfx3h5.default\ cache2 and press the “OK” button. 12. The results of the parsing are shown in Figure 11-4.

Figure 11-4: Files cached by Mozilla Firefox 13. For the four visited web pages, how many items were cached? For the visited pages, 587 items were cached. 14. What is the only site to return an HTTP status code of 206, where the server returned only partial content? The web site r9---sn-5uaezney.c.2mdn.net, which provides video content and advertisements, was the only site to return this status code. Additional Exercises: Download and run “BrowsingHistoryView” from the NirSoft web site. This application will browse the histories of the following four browsers at the same time on the system on which it has been installed. 106

Digital Forensics Workbook

12 E-MAIL ANALYSIS E-mail containers, whether they are stored locally, on a corporate mail server, or on webmail sites, have become the great filing cabinets of our time. Many users only delete data, when a quota is imposed on them. These containers will contain a mix of official correspondence, personal correspondence, junk mail, and phishing attacks. These correspondence will be saved both with and without attachments. All of this leads to two points: First, there is an abundance of e-mail and sifting through it will take effort. Second, people use multiple e-mail addresses, both personal and corporate/employment related. This means that in addition to looking at corporate mail servers and local information stores, examiners will need to check browsers and web mail clients for other mail. A corporation may have both a Data Loss Prevention (DLP) appliance and journaling system attached to the corporate mail server, but that will not help if users are exfiltrating data via personal web mail. When analyzing e-mail, it’s very important to analyze the e-mail header to identify the source and destination of the email. This is particularly important in situations, where a person attempts to refute sending an e-mail or where investigators attempt to identify the source of spam/phishing scams. There are multiple techniques, which can be used, to examine an e-mail’s header. Some investigators start from the bottom of the header and work up to the top, while others prefer a top-down approach. Investigators are typically more comfortable with one approach over another, but that is not to say that one approach is more correct than another. Adding to some of the confusion in the e-mail header is the addition of optional information by some mail servers. Nearly all mail clients, including webmail clients, allow for the extraction of headers. E-mail headers typically have the following information: • The sender’s e-mail address • The address to which returns or replies are sent • The recipient of the mail server • The name(s)/IP address(es) of the mail server(s) used to transmit the e-mail • The date and time when the e-mail was sent • The subject line A great deal of information within an e-mail header can be spoofed, and therefore it should be substantiated with multiple data points.

107

Activity 12-1: E-mail Header Analysis In this activity you will examine several e-mail headers which are from Yahoo!, Gmail, AOL and Microsoft Office 265. Tools: Product: Manufacturer: Web site:

Text file reader various various

Instructions: 1. Download the file named “e-mail_headers.zip” from the Digital Forensics Workbook web site. Extract the files from the compressed file and place them on your desktop. 2. Open the file named “Header_from_Yahoo_e-mail_account.txt.” This e-mail header is from an email sent from a Gmail user to a Yahoo! user. (Note: If you have a Yahoo! e-mail account, the e-mail header can be retrieved by going to your inbox with a browser, right-clicking on an unopened e-mail and selecting “View Full Header” from the pop-up menu. For this activity, this step has already been completed and the output has been saved to a text file.) The header appears below in Figure 12-1.

Figure 12-1: E-mail header form Gmail account to Yahoo! account 3. Based on the e-mail header, from what account did the e-mail originate?

108

Digital Forensics Workbook

The e-mail originated from [email protected] !. 4. Based on the e-mail header, who was the intended recipient? The e-mail was sent to [email protected] ". 5. Based on the e-mail header, which e-mail server sent the e-mail? The e-mail came from mail-we0-f172.google.com with IP address 74.125.82.172 #. 6. Based on the e-mail header, which e-mail server received the e-mail? The e-mail was received by mta1577.mail.ne1.yahoo.com with IP address 72.30.236.172 $. 7. Based on the e-mail header, when did the Yahoo! mail server receive the e-mail? The e-mail was received by Yahoo! on Wednesday, November 6, 2013 at 18:16:33 +0000 %. 8. Based on the e-mail header, if the recipient replies to the email, then to where will the reply go? Replies will go to [email protected] &. 9. Open the e-mail header named “Mailheader2.png.” It is shown in Figure 12-2.

Figure 12-2: E-mail header from AOL mail account to Gmail account 109

10. What are the names and IP addresses of the servers, which processed the mail server from initial sending server to final receiving server? The servers in order of transfer were: core-mkb001b.r1000.mail.aol.com (172.29.98.1) ! to mtaomgmb03.r1000.mx.aol (172.29.41.74) " to imr-da04.mx.aol # and then to mx.google.com $. 11. Did the user send the mail through a thick mail client or through a browser, webmail interface? The e-mail was sent through a browser, webmail interface %. 12. What was the public facing IP address of the sender? The IP address of the sender was 214.16.41.245 &. While AOL is not nearly as popular as it once was, this header provides an example of significant information: Certain webmail services, such as AOL and Yahoo!, record the public facing IP address of the sender in the header. Additional Exercises Examine the e-mail header named “Header_from_gmail_account.txt.” a.

From which e-mail account did it originate?

b. What was the public facing IP address of the computer, which signed into Yahoo! to send the e-mail? c.

What is the first e-mail server to receive the e-mail and forward it?

Examine the e-mail header named “Header_from_Office365.rtf.” d. Who was the sender of the e-mail? e.

To whom was the e-mail sent?

f.

What anti-virus mail appliance/product scanned the e-mail?

110

Digital Forensics Workbook

13 PREFETCH FILES With Windows XP, Microsoft introduced Prefetch to improve a computer’s performance. When an application is launched, whether it is an authorized application or malware, Windows monitors the system for ten seconds to determine which files are read. This data is recorded in a file stored in the Windows Prefetch directory. On subsequent launches of an application, Windows reads the data written to the Prefetch file so the operating system can more efficiently start the application. The Prefetch directory typically holds up 128 files and the operating system performs periodic, automatic maintenance of the directory’s contents. Prefetch applies to Windows desktop platforms and is not enabled on Windows Servers by default. This was done primarily because applications are not continuously closed and re-launched on servers. The presence of a Prefetch file can indicate whether or not a file was launched, but the real value of a Prefetch file is the data contained within it. Within a Prefetch file are valuable artifacts associated to the running an application, including: • The name and location of the executable that was run. • A list of files that were read within ten seconds of the application being launched. • The number of times the application has been run. • The date and time the application was last run. Prefetch files use the .pf extension. Within the name of the Prefetch file is a hash of the path that contains the executable, which was run. With Windows Vista, Microsoft enhanced the Prefetch directory to include usage patterns and changed the name of the functionality to SuperFetch. There are several tools available to analyze Prefetch files, which use command line or graphical interfaces. Command line tools allow for scripting and batch processing while tools with GUIs allow for ease of use.

111

Activity 13-1: Prefetch File Analysis In this activity you will analyze a series of Windows Prefetch files using WinPrefetchView. Tools: Product: Manufacturer: Web site:

WinPrefetchView NirSoft http://www.nirsoft.net/utils/win_prefetch_view.html

Instructions: 1. Download and install WinPrefetchView from the web site. 2. Download the compressed file “Prefetch_Examples.zip” from the Digital Forensics Workbook web site. Extract the folder from the compressed file and place it on the desktop. 3. Launch WinPrefetchView. 4. By default, WinPrefetchView will automatically point to C:\Windows\Prefetch. 5. On the main menu, select “Options” and then select “Advanced Options.” 6. In the dialog box browse to the “Prefetch Examples” directory, which is on the desktop. 7. After selecting the “Prefetch Examples” directory, a screen identical to the one displayed in Figure 13-1 will be shown.

Figure 13-1: WinPrefetchView 8. In the top half of the window, click on the Prefetch file for Autopsy, which uses the name “AUTOPSY64.EXE-49BA838E.pf” !.

112

Digital Forensics Workbook

9. How many times was the application run? Based on the data in the “Run Counter” column, the application was run twice ". 10. When was the last time the application was run? Based on the “Last Run Time” column, the application was last run on October 7, 2015 at 2:36:22PM #. 11. Where is the executable stored on the computer’s hard drive? Based on the data in the “Process Path” column, the application is located at: C:\PROGRAM FILES\AUTOPSY-3.1.3\bin\AUTOPSY64.EXE $. 12. In the lower portion of the window, click on the column header named “Index” to place the called files in ascending order. 13. Within ten seconds of the application being launched, how many Dynamic Link Library (.dll) files were accessed? Twenty-seven Dynamic Link Library files are listed. 14. Based on the review of the files that were accessed, where is the configuration file for Autopsy located? The configuration file for Autopsy, i.e., AUTOPSY.CONF, is located at: C:\PROGRAM FILES\AUTOPSY-3.1.3\etc\AUTOPSY.CONF %. Additional Exercises: Examine the Prefetch files provided in the “Prefetch – Examples” folder and answer the following questions: a.

How many Prefetch files exist for the Notepad application and what are their names?

b. What conclusion can be drawn based solely on the names of the Prefetch files associated with Notepad? c.

What is the location of the executable for the various Notepad Prefetch files?

d. When was the last time the Microsoft Management Console was run? e.

How many times was the command prompt run?

f.

Based on the Prefetch files, what is the process path associated with the running of Java?

g. Which browser was most often used – Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome?

113

114

Digital Forensics Workbook

14 SHORTCUTS/LINK (.LNK) FILES AND JUMP LISTS When reconstructing user activity, it is sometimes helpful to identify which files, volumes, and applications were accessed. Relying solely on file system timestamps is often insufficient to show, which files were opened. Fortunately, there are additional artifacts on a Windows-based system, which can be examined to perform event construction. Included among this list of files are shortcuts, also known as shell links (link files), which use the .lnk extension. Shortcuts are created to improve a user’s experience and make it easier to access frequently used items. Rather than dig down into a nested directory structure within a user profile to open a Microsoft Word document or navigate through the “Program Files” directory to find an application, a user can access a shortcut that points to the target file and opens it. Shortcuts are created on a system in addition to Most Recently Used (MRU) Registry entries, which also point to recently accessed files. Shortcuts are created in four ways on a Windows-based system: • During the installation of software a shortcut may be added to the Start menu, on the desktop, and in the Quick Launch tool bar. • When a user opens a file or volume via Explorer, Windows will automatically generate a shortcut and place it within the user’s roaming profile in the Recent directory, i.e., C: \Users\username\AppData\Roaming\Microsoft\Windows\Recent\ • When a user opens a Microsoft Office file, Office will automatically generate a shortcut and place it within the Recent directory used by Office, i.e., C:\Users\username\AppData\Roaming\Microsoft\Office\Recent\ • A user may manually create a shortcut, by right-clicking a file and choosing “ Send To” > “Desktop (Create Shortcut)” from the pop-up menu or right-clicking in the whitespace of a folder and selecting “New” > “Shortcut” from the pop-up menu. Typically, users do not manage or delete shortcuts, which makes them valuable. Shortcuts may exist long after a target file has been removed from a system. In addition to shortcuts, Microsoft introduced Jump Lists in Windows 7, which perform a similar function and include references to frequently and recently used files, applications, and browser activities. Jump Lists are stored in a different location and format than shortcuts. Jump Lists are stored in: • •

C:\Users\username\AppData\Microsoft\Windows\Recent\AutomaticDestinations\[AppID].automaticDestinations-ms C:\Users\username\AppData\Microsoft\ Windows\Recent\CustomDestinations\[AppID].customDestinations-ms

Shortcuts and Jump Lists contain information beyond mere pointers to target files. They may contain: • The name and path to the target file or volume. • The target file’s size. • A set of timestamps, which describe the target file. • The name and serial number of the volume holding the target file. • The first available MAC address of the computer on which the target file was accessed. 115

Activity 14-1: Shortcut File Analysis In this activity you will analyze a series of shortcuts recovered from a Windows 7 computer. Tools: Product: Manufacturer: Web site:

MiTec Windows File Analyzer Michal Mutl http://mitec.cz/wfa.html

Instructions: 1. Download MiTeC Windows File Analyzer. Extract the executable from the compressed file and place it on the desktop. 2. Download the compressed file named “Shortcuts.zip” from the Digital Forensics Workbook web site and extract the folder from it and place it on the desktop. 3. Launch MiTeC Windows File Analyzer. The application will appear as shown in Figure 14 -1.

Figure 14-1: MiTeC Window File Analyzer 4. From the main menu, select “File” and the select “Analyze Shortcuts…” By default, the application automatically points to the Windows Recent directory on the user profile from which the application is running. 5. Browse to the folder on the desktop with the stored shortcuts and click “OK.” 6. Identify the operating system which generated the shortcuts. In this example, choose Windows 7 and click the “OK” button. The shortcuts in the directory will be parsed automatically. 116

Digital Forensics Workbook

7. The results will be displayed as shown in Figure 14-2.

Figure 14-2: Shortcuts parsed by MiTeC Windows File Analyzer 8. What is the name of the evidence file, which was accessed? The name of evidence file was drive1.E01 !. 9. Where was the target file for the evidence file located? The evidence file was located on F:\Forensic_Images\ ". 10. When was the evidence file last accessed as indicated by this shortcut? The file was last accessed on October 10, 2015 at 1:45:53 PM #. It is possible that the evidence file was accessed since that time on a different computer. 11. What was the size of the evidence file, when it was accessed? The file was 2,394,116 bytes in size $. 12. What was the serial number of the volume on which the evidence file was stored? The serial number of the volume containing the evidence file was D808-32E4 %. 13. What was the MAC address of the computer on which the evidence file was accessed? The MAC address in the shortcut was 78:31:C1:C1:72:3D &. The computer may have had multiple MAC addresses as in the case of computers having multiple Ethernet adapters, e.g., Bluetooth Ethernet adapters, wireless adapters, and network interface cards. 14. Was the Smartphone_Photos.zip file accessed from the same computer as the evidence file? The NetBIOS retrieved in the shortcuts was identical '; however, the MAC addresses were different. The files were accessed from the same computer; however, the Ethernet adapters were not running during both instances. 117

Additional Exercises: 1. Download the file named “Shortcuts-2.zip” from the Digital Forensics Workbook web site and extract the contents to the desktop. 2. Launch MiTeC Windows File Analyzer and analyze the shortcuts extracted from “Shortcuts-2.” a.

What was the volume name of the external storage connected to the computer under the driver letter F:?

b. What was the name of the computer on which the directory “2011-06-01 Mexico” existed? c.

When was the file named 28.jpg created? Where was it stored? When was it last accessed?

d. Based on the data returned from MiTeC Windows File Analyzer for the shortcut named “Invoice LH1012, PCMA, Cyber Security.link,” what type of file was the target? When was it created? On what type of file system was it stored?

118

Digital Forensics Workbook

Activity 14-2: Jump List Analysis In this activity you will analyze a series of Jump Lists from a Windows 7 computer. Tools: Product: JumpLister Manufacturer: Mark Woan Web site: http://www.woanware.co.uk/forensics/jumplister.html Instructions: 1. Download the JumpLister application and extract the contents of the compressed file to a folder on your desktop. 2. Download the file named “JumpLists.zip” from the Digital Forensics Workbook web site and extract the folder to your desktop. 3. Launch JumpLister. 4. From the main menu select “File” and then “Load” from the pull-down menu. 5. In the “Open” dialog box navigate to the JumpLists\AutomaticDestinations. 6. Ensure the Jump List type is set to AutomaticDestinations !, as shown in Figure 14-3.

Figure 14-3: Jump List type 7. SHIFT-click to highlight all of the files in the directory. 119

8. Click the “Open” button. 9. The Automatic Destination Jump Lists will be parsed and displayed as shown in Figure 14-4.

Figure 14-4: Automatic Destination Jump Lists 10. Clicking a file name in the top pane ", will display the file’s contents in the lower pane. In this example the Jump List for Windows Explorer was selected. 11. In the lower left pane will be a tree listing of items in the Jump List. The last file in the tree will always be DestList #. 12. Clicking on a file in the tree will display its contents in the lower right pane. In this example DestList was selected. 13. DestList contains a list of the items listed directly above it $. In the case of the Windows Explorer Jump List, DestList also contains directories, which were accessed, e.g., rows 17, 18, and 19 %. Since the directory entry has no size, these items do not appear in the tree in the lower left pane $. 120

Digital Forensics Workbook

14. In the top pane of the JumpLister window, click on the Jump List file for Google Chrome. This is shown in Figure 14-5.

Figure 14-5: Google Chrome Just List file 15. What is the one file, which was accessed by Google Chrome, and when was it accessed? A file named lp_readme.htm ', which is on the desktop, was accessed by Google Chrome on October 13, 2015 at 10:40:44AM ). The file was originally created on September 9, 2015 (. Additional Exercises: 1. Download the file named “jumplists-2.zip” from the Digital Forensics Workbook web site and extract the contents to the desktop. 2. Analyze the jump lists using JumpLister. e.

Based on the information returned from JumpLister, when was Remote Desktop, i.e., mstsc.exe, last run?

121

f.

What was the name of the file accessed by Safari?

g. How many files were accessed by Notepad and what files were accessed by it that were not text, i.e., .txt, files? h. The owner of the computer from which these Jump Lists were extracted is in the middle of a copyright infringement law suit. The owner is claiming that her graduate thesis was written before someone else published a nearly identical work on March 14, 2011. Based on the Jump Lists for Microsoft Word, when was the draft thesis saved to media?

122

Digital Forensics Workbook

15 THUMBNAIL CACHES For over 25 years people have been interacting with computers running operating systems through graphical user interfaces. Users have found it easier to navigate through a sea of icons rather than through a text-based command line. In addition to providing standard icons of files and folders, operating systems have been trying to make file access and retrieval even easier by presenting pictures in thumbnail views (or something slightly larger) so users can quickly find the content they want. In order to provide this level of interactivity in a rapid fashion, operating systems and applications have cached the contents of these pictures in small databases. The value of these cached databases comes into play, when investigators attempt to examine artifacts to prove that files existed on a system and were viewed by a user. Pictures and file content may come and go, but the cached database of thumbnail images often retains snapshots of activity long afterwards. Windows XP caches images of files, i.e., BMPs, GIFs, JPGs, PNGs, TIFs, AVIs, MOVs, WMVs, HTML, PDFs, and PPTs, in a hidden database called Thumbs.db automatically whenever a user employed “thumbnail” or “filmstrip” view. For each directory, where these views were made, a Thumbs.db could be found. This database was in an OLE Compound File format. Windows Vista/7 did away with the individual Thumbs.db database structure and replaced it with a centralized set of databases containing thumbnails for the entire user account/profile. Windows cached images based on thumbnail size, i.e., thumbcache_idx.db, 1024x1024 images in thumbcache_1024.db, 256x256 images in thumbcache_256.db, 96x96 images in thumbcache_96.db, and lastly 32x32 images in thumbcache_32.db, in C:\Users\username\AppData\Local\Microsoft\Windows\Explorer\. Windows 8 and higher uses both a Thumb.db and Thumbcache, the same file structure seen in Windows 7. Thumbs.db is created in folders residing under a user profile, i.e., C:\Users\username\. The Thumbs.db file used in Windows 8 does not use the OLE Compound File format found in Windows XP systems. Windows is not alone in its caching of thumbnails. Applications may embed thumbnail views of user created data files. Microsoft Office on Macs caches thumbnail views of the data files within the files, themselves, e.g., Microsoft Excel workbooks contain cached views of the first spreadsheet. This cached view is not always updated dynamically with changes to user content.

123

Activity 15-1: Analyzing Thumbs.db from Windows XP In this activity you will analyze the contents of a Thumbs.db file from a Windows XP system. While Microsoft officially ended support of Windows XP on April 8, 2014, there is still a noteworthy portion of the market, which has this operating system in use. Tools: Product: Manufacturer: Web site:

MiTeC Windows File Analyzer Michal Mutl http://mitec.cz/wfa.html

Instructions: 1. Download Windows File Analyzer and extract the executable from the compressed file and place it on your desktop. 2. Download the compressed file named “Thumbnails.zip” from the Digital Forensics Workbook web site. 3. Extract the Thumbs.db from the compressed file and place it on the desktop. This file was retrieved from a user’s profile, specifically the “My Pictures” directory, which was on a computer running Windows XP. At the time the Thumbs.db file was taken, there were no other files in the “My Pictures” directory. 4. Launch Windows File Analyzer. 5. From the main menu select “File,” then select “Analyze Thumbnail Database,” and then select “Windows XP…” 6. Browse to the Thumbs.db file, which was saved to your desktop. 7. After accessing the file, Windows File Analyzer will parse the database and display the information as shown in Figure 15-1.

124

Digital Forensics Workbook

Figure 15-1: Windows File Analyzer display of Thumbs.db 8. What is the serial number of the volume on which Windows File Analyzer is running? The volume serial number is 1C71-41C7. This is not met data stored within Thumbs.db file, which describes with Windows XP system from which Thumbs.db was taken. Windows File Analyzer queried the local hard drive on which it was running. 9. What is the timestamp associated with the target file named “saint-bernard7.jpg "? The timestamp of the file is October 16, 2015 at 11:44:10 AM (UTC) #. Additional Exercises: Extract Thumbs-2.db from the compressed file and place the file on the desktop. This file came from a Windows XP computer. When the file was captured through an acquisition, there was one file in the directory named “2885232-1434401139208947.png.jpg.” a.

How many pictures were viewed in this directory?

b. What was the subject of these pictures?

125

Activity 15-2: Analyzing Thumbnail Cache from Windows 7 In this activity you will analyze the contents of a thumbnail cache from a Windows 7 computer using OSForensics. Tools: Product: Manufacturer: Web site:

OSForensics PassMark Software http://www.osforensics.com/download.html

Instructions: 1. Download and install OSForensics. 2. Download the compressed file named “Thumbnails.zip” and from the compressed file extract the two files: - thumbcache_256.db - Windows.edb These files were retrieved from the following locations on a Windows 7-based computer: C:\Users\username\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb 3. Launch OSForensics. When prompted to select which version to use, click the button to continue using the free version of the product. Upon launch, the application should appear as shown in Figure 15-2.

Figure 15-2: OSForensics main window 126

Digital Forensics Workbook

4. Click the icon for “ThumbCacheViewer” !. 5. When ThumbCacheViewer launches, the application will point to the local user account’s thumbnail cache " as shown in Figure 15-3.

Figure 15-3: ThumbCache Viewer 6. Click the “Browse” button # and navigate to the file thumbcache_256.db. The results of the cache will be displayed as shown in Figure 15-4.

Figure 15-4: Cached contents within thumbcache_256.db 127

7. Items 11-14 and 21-24 contain caches of what types of images? All of these thumbnail caches are of default Windows desktop background images. 8. The index within the Windows Desktop Search Index, e.g., windows.edb, can be combined with the thumbnail caches to find the file paths of some of the images. Click the “Lookup thumbnail paths…” button $ as shown in Figure 15-4. 9. By default, ThumbCache Viewer will point to the local user’s profile to find the windows.edb file as shown in Figure 15-5.

Figure 15-5: Path to Windows Desktop Search Index 10. Select the radio button next to “Custom Windows search database file” and browse to windows.edb, which is on the desktop. Click the “OK” button. 11. The results of lookup will appear in the window similar to what is shown in Figure 15-6.

Figure 15-6: thumbnail images mapped to locations in Windows search database 128

Digital Forensics Workbook

12. What was the file path for photo4.jpg? The path for the file is C:\Users\admin\Desktop\Trash\Picures\photo4.jpg %. 13. To display all of the cached thumbnail images, click the tab labeled “Thumbnail View” &. The display will appear identical to what is shown in Figure 15-7.

Figure 15-7: Display of cached thumbnail images from thumbcache_256.db Additional Exercises: Open ThumbCache Viewer and examine the contents of thumbcache_96.db. Perform a “lookup” of the thumbnail images using the same windows.edb file as used with thumbcache_256.db. c.

What is the location for photo2.jpg?

d. What are the vast majority of cached thumbnails of?

129

Activity 15-3: Analyzing Cached Images within Microsoft Office Files In this activity you will examine a cached thumbnail contained within Microsoft Office files. Tools: Product: Manufacturer: Web site:

Windows native compression utility Microsoft Corporation http://www.microsoft.com

Instructions: 1. Download the compressed file named “Thumbnails.zip.” From within the file extract the Microsoft Excel Spreadsheet called “Confidential.xlsx” and place it on the desktop. 2. Rename the Excel spreadsheet from “Confidential.xlsx” to “Confidential.zip.” 3. Open the zip file. 4. Open the folder named “docProps,” which is contained within the zip file. 5. Open the file named “thumbnail.jpeg.” The results will match what is shown in Figure 15-8.

Figure 15-8: Thumbnail.jpg 6. The thumbnail image depicts the contents of the first spreadsheet of the Excel workbook. Additional Exercise: Examine the cached thumbnail contained within the file named PowerPoint.pptx. e.

What is contained within the thumbnail?

130

Digital Forensics Workbook

16 GREP SEARCHES During examinations of large forensic images or log files, whether it is part of an e-discovery case or an event reconstruction, it is often necessary to perform automated searches. These searches can crawl through both allocated and unallocated space to find relevant artifacts. These searches can take hours to complete, but can be run in the background or during off-hours thereby freeing the investigator to perform meaningful tasks. Unfortunately, many people have been spoiled by the advanced logic, which exists with Internet search engines. These type of search tools find near-misses, correct for spelling and other inconsistencies, and sort results based on various, priority-based algorithms. Forensic tools do not contain the same type of logic and require the user to perform different types of searches. Nearly all forensic tools perform two types of searches: literal searches and Grep/regular expression searches. In literal searches, also called keyword searches, an investigator searches for an exact string of characters in a forensic image or in log files. These types of searches can be very useful for unique and semi-unique strings. For instance, the string contract killer for hire may return a significant result, but the string password would return a plethora of meaningless files, especially on a Windows-based system. Additionally, literal searches have inherent limitations, which would provide missed or incomplete results. For instance, a search for the word diary would not return results for diaries as there is not an exact match for the string. To account for the limitation of literal searches, Grep search engines have been incorporated into many forensic tools. Grep, which comes from the UNIX-command for globally search a regular expression and print, has become synonymous with Regular Expression searching and now implies searching for a pattern of characters. Grep has since been ported over to a variety of operating systems and programs. Searching with Grep/regular expressions requires the examiner to use a particular syntax, when entering the term to be sought. This syntax may appear confusing to individuals, who do not use it regularly. Further complicating the syntax is when porting the search functionality into the different programs, i.e., the syntax may change slightly. A slight change, when a single character has precise meaning, can alter the results or make a search string nonfunctional with a particular tool. It is a good practice for an investigator to become familiar with widely adopted parameters and variations, which may have been incorporated into a particular tool. By refining a Grep string, a search can be made more efficient in terms of time and processing resources. Grep/regular expression searching can be performed to search for strings within forensic images and within data files, e.g., a directory of normalized log files. As with most search tools, there will be limitations to Grep/regular expression searching, such as encrypted files and non-text based files, e.g., pictures where words are part of the graphic and not in the file’s name or header. 131

Activity 16-1: Grep searching through Log Files In this activity you will perform Grep searching through log files using Astro Grep. Tools: Product: Manufacturer: Web site:

Astro Grep AstroComma, Inc. http://astrogrep.sourceforge.net

Instructions: 1. Download and install Astro Grep. 2. Download the compressed filed named “LogFiles.zip” from the Digital Forensics Workbook web site. Extract the contents and place the folder on your desktop. This folder contains a series of logs from a web server. 3. Launch Astro Grep. Upon launching the application, a window identical to the one shown in Figure 16-1 will appear.

Figure 16-1: Astro Grep window 4. On the left of the main window, change the setting in the drop down box labeled “Search Path” ! so it points to the “logfiles” directory on your desktop. 5. Astro Grep will perform searches across all files " within the target location. With the checkbox for “Search Subfolders” # checked, it is possible to search the contents of all nested folders. 6. Control lines allow search results to be displayed in context. In addition to getting the actual “hits” for the search, two rows before the “hit” and two rows after the “hit” are displayed. This may be 132

Digital Forensics Workbook

helpful if searching for activity that occurs immediately before and after a particular incident. For searching in this activity, we just want to display the results without additional data/rows. In Astro Grep change the number of control lines $ from 2 to 0. 7. Entering strings in the box labeled “Search Text” % will tell Astro Grep to search the contents (not the names) of all of files in the destination for the folder. 8. In Astro Grep enter the search text “ 301 ” without quotation marks. There should be a blank space before and a blank space after the number 301. (Note: 301 is the HTTP status code for permanent redirects.) 9. How many files contained the HTTP status code 301? One file & contained the code 301, as shown in Figure 16-2.

Figure 16-2: Astro Grep file results for status code 301 10. Click on the row that contained the file & with the positive search result. Upon clicking on the file, Astro Grep will display the number of rows within the file, which had the positive result. For this particular search with this particular data set, there was one file with one result on line 297 of the file '. This is shown in Figure 16-3.

133

Figure 16-3: Detailed search results 11. Conduct a search for log entries with the HTTP status code for temporary redirects, i.e., 302. (Be sure to include spaces before and after the number.) How many files contained status code 302 and how many records existed? Based on the Astro Grep results, two files ( contained the code 302, as shown in Figure 16-4. There were a total of 41 ) rows contained within the two files. Fifteen rows in the log file 11-20.out.txt contained positive findings and 26 rows were contained within 12-20.out.txt.

Figure 16-4: Search results for 302

134

Digital Forensics Workbook

12. Literal string searching can be extremely useful for analyzing log files, but the real power of Astro Grep and Grep-like tools is the ability to use regular expressions. Rather than look for an exact string, searches with regular expressions allow an examiner to search for patterns consisting of one or more characters, operators, or constructs. 13. There are a variety of special characters, which can be used to create regular expressions. Table 16-1 displays some expressions built on pipes |, parentheses (), brackets [], and wildcards ?. This table is a sample and is nowhere near exhaustive. Searching through the syntax of regular expressions can be extremely powerful. For more information see: https://msdn.microsoft.com/en-us/library/az24scfc.aspx. Example

Result

classif(y|ies)

classify or classifies

blue|green

blue or green

blue+green

bluegreen

reads?

read or reads

re[ea]d

reed or read

[Ss]mug

Smug or smug

Table 16-1: Sample regular expressions 14. Conduct a search for HTTP status code 301 and 302. What term what used? The term which was used was “ 30(1|2) ” without quotes, but with a space before the 3 and after the closing parenthesis “)”. The pipe | symbol serves as an “or.” This searched for the number 301 and 302 and returned 42 results. 15. The following regular expression, which is more complicated, can be used to search through the log files for a pattern of activity: \bUnauth\W+(?:\w+\W+){1,500}? 200 \b This regular express will search for the string Unauth within 1,500 spaces of the string 200. Note: The HTTP status code 200 indicates a successful connection. 16. GREP searches can be used to look for pattern of characters grouped together. For example, the following search string indicates to look for three consecutive numbers: ([0-9]\{3\}) 17. The following search string looks for any string of characters (i.e., lowercase letters, uppercase letters, and numbers) which are preceded with an @ and followed by a period: @[a-zA-Z0-9.-] 135

18. The following search string searches for credit card numbers of the pattern ####-####-####-####: #{1,4}-#{1,4}-#{1,4}-#{1,4} Additional Exercises: a.

Using the data files in logfiles.zip, conduct a Grep search to identify the number of times there was a successful connection to the web site. How many occurrences were there?

b. Using the data files in logfiles.zip, conduct a Grep search to identify the number of times users experienced a “File Not Found” error on the web site. How many occurrences were there? c.

Write a Grep expression to search for a phone number.

d. Write a Grep expression to search for a domain name. (Hint: Use the + symbol.) e.

Write a Grep expression to search for an e-mail address. (Hint: Use the + symbol.)

136

Digital Forensics Workbook

17 FILE CARVING Carving files by hand is as much an art as it is a science. If a Master File Table or File Allocation Table are corrupt, it may be necessary to carve manually a file from the allocated space. Additionally, remnants of files, which remain in unallocated space or slack space, may be retrieved through carving, because the contents may have enough information at face value to be of interest in a case. It may be possible to read the characters or perform a hash of the file fragment for comparison purposes. There are a number of techniques used in file carving. Most investigators, who perform file carving, look for file headers and/or footers, and then “carve” the blocks between these two boundaries with a hex editor. This technique relies upon information, such as that presented in Table 17-1, where file signatures are found at the start of a cluster and an end of file appears later, sometimes represented by an end of file marker, or data followed by sector/RAM slack. Some file signatures may be case sensitive. File Type Acrobat PDF Microsoft Office JPEG GIF Windows executable Windows Prefetch Text file

File signature 25 50 44 46 50 4B 03 04 14 00 06 00 FF D8 FF E0 or FF D8 FF E1 47 49 46 38 37 61 4D 5A 17 00 00 00 53 43 43 41 None

End of File Marker 25 25 45 4F 46 0A 50 4B FF D9 00 3B None None None

Table 17-1: File Signatures and End of File Markers The above approach to carving is useful, but it has limitations when headers or footers are not available or if a file is fragmented. Other types of carving techniques involved analysis to be performed on the data. Examples include block carving, where an algorithm analyzes the input on a block-by-block basis to determine if a block is part of a possible output file, and semantic carving, where blocks are analyzed based on linguistic analysis. In addition to carving for entire files, an examiner may perform carving of file fragments. Strings of characters may be of value. This is typically true of non-compressed, non-encrypted files. For example, text files, HTML files, and fragments from a swap/page file could be of interest. There are some tools available to assist examiners with file carving, e.g., carver recovery, scalpel, and bulk extractor; however, while these tools are very useful, an examiner should know they may not provide perfect results.

137

Activity 17-1: File Carving In this activity you will perform manual file carving using FTK Imager. Tools: Product: Manufacturer: Web site:

FTK Imager AccessData Group, Inc. http://accessdata.com/product-download

Instructions: 1. Download and install FTK Imager. 2. Download the file named “raw_image2.dd” from the Digital Forensics Workbook web site. Save the file to your desktop. 3. Launch FTK Imager. 4. From the main menu select “File” and the select “Add Evidence Item…” 5. In the “Select Source” dialog box select the radio button next to “Image File” and then click the “Next” button. 6. Browse to the file named “raw_image2.dd” and open the file. FTK Imager will display the file as shown in Figure 17-1.

Figure 17-1: FTK Imager with loaded image file 138

Digital Forensics Workbook

7. Based on the mounted image, the file system of the media was FAT32 ! and it appears that there are no files " stored on the system. In the Evidence Tree pane, click the tree item labeled “unallocated space” #. 8. In the File List pane, click on the first unallocated item in the list named 000003. The results will appear as shown in Figure 17-2.

Figure 17-2: Unallocated space as shown in FTK Imager 9. Upon clicking item 000003 $, the contents of the unallocated space is shown below in both hex and text views %. Based on the presence of this information, there is information contained in the unallocated space of the media. At the start of the cluster, there is a file signature &. 10. What file signature is presented and with what type of file is it associated? The file signature is FF D8 FF E1, which is the file signature for JPGs. 11. Based on Table 17-1, what is the end of file (EOF) marker for the end of this type of file? The EOF marker for a JPG is FF D9. 12. Note the offset associated with the start of the sector. In this example it is 0000000 '. 13. In the pane displaying the hexadecimal details, right-click on the start of the file signature, and 139

select “Find…” from the pop-up menu. This is shown in Figure 17-3.

Figure 17-3: Find option on pop-up menu 14. In the Find dialog box, as shown in Figure 17-4, enter the string for the EOF marker, i.e., FFD9 ! (do not add any blank spaces) and change the search type to Binary (hex) ". Click the “Find” button.

Figure 17-4: Find dialog box in FTK Imager 15. Figure 17-5 shows the results of the search. FTK Imager moved through the unallocated space to find the next instance of FFD9 #.

140

Digital Forensics Workbook

Figure 17-5: Search results for the hexadecimal string of FFD9 16. While this search indicates the next occurrence of FFD9 # in the allocated space after the start of the file, it may or may not be the actual EOF marker. There is a chance that these hexadecimal characters are included within the content of the file. To determine if this is the actual EOF marker, the following questions should be answered: a.

Is the EOF marker directly adjacent to the start of the next sector? FTK Imager displays the start of each sector with a dotted line $. In this example, the EOF marker is not adjacent to the start of the next sector.

b. Are the characters between FFD9 and the start of the next sector indicative of slack space or actual data? Most modern computers pad slack space between the end of a file and the start of the next sector with fixed characters. In this example, there appears to be a run of data %. c.

Does the start of the next cluster contain a file signature or unallocated space? There is no recognizable file signature at the start of the next sector, which occurs at the offset 0002000. There is data and it does not appear to be unallocated space.

Based on the answers to these questions, it is likely that this occurrence of FFD9 is not the actual EOF marker. 141

17. In the FTK Imager window search for the next occurrence of FFD9. This is done by pressing F3 or right-clicking in the detailed window in the area just past FFD9 and select “Find Next” from the pop-up menu. 18. The results of the “Find Next” are shown in Figure 17-6.

Figure 17-6: Results of “Find Next” search for the string FFD9 19. The next occurrence of FFD9 appears at offset 00400e2. To determine if this is the actual EOF marker, the following questions should be answered: a.

Is the EOF marker directly adjacent to the start of the next sector? In this example, the EOF marker is not adjacent to the start of the next sector '.

b. Are the characters between FFD9 and the start of the next cluster indicative of slack space or actual data? All of the space after FFD9 appears to be blank (. c.

Does the start of the next sector contain a file signature or unallocated space? 142

Digital Forensics Workbook

There is no recognizable file signature at the start of the next cluster, which occurs at the offset 0040200. There is no data in the next cluster. Based on the answers to these questions, it is likely that this occurrence of FFD9 is the actual EOF marker, assuming there is no file fragmentation. The file starts at 0000000 and ends at 00400e3. 20. In the FTK Imager window pane with the hexadecimal values click just after FFD9 (it is important to capture the end of the EOF marker) and drag upward in the window until you reach the file signature at the start of the file. This was identified at offset 0000000. 21. Right-click on the highlighted data and select “Save selection…” ) from the pop-up menu. This is shown in Figure 17-7.

Figure 17-7: Highlighted raw data in FTK Imager 22. Save the file to the data to the desktop with a name and the extension “.jpg” 23. Open the file. The results should be identical to what is shown in Figure 17-8.

143

Figure 17-8: Recovered file 24. In FTK Imager, search for the first occurrence of the hexadecimal string 25504446? 25. The results of the search appears in Figure 17-9.

Figure 17-9: Search results for the hexadecimal string 25504446 144

Digital Forensics Workbook

26. Does this string of characters appear at the start of a sector? Yes. It appears at offset 012a000 !. 27. What type file uses this signature? This signature is used with PDFs. 28. What is the EOF for this type of file? This file should end with the hexadecimal characters 25 25 45 4F 46 0A. 29. Using offset 012a000 as the starting point, search for the next occurrence of 2525454F460A. 30. At what offset does the hexadecimal string 2525454F460A occur? The hexadecimal string 2525454F460A occurs at offset 012a440. 31. Is this likely to be the actual EOF marker? No, this is likely not the actual EOF based on the surrounding characters and the proximity to the start of the next sector. 32. Search to the next occurrence of 2525454F460A. 33. What was the next offset at which the hexadecimal string 2525454F460A occurred? The string appeared at offset 013b00a ! as shown in Figure 17-10.

Figure 17-10: Search for EOF marker 25 25 45 4F 46 0A 145

34. Click on the character just to the left of the EOF marker. 35. Scroll up to the start of the file, which was at offset 012a000. 36. Hold the SHIFT key down and click on the first byte of the file’s signature. 37. Right-click in the highlighted area and choose “Save Selection…” from the pop-up menu. 38. Save the file with the extension “.pdf.” 39. Open the file. The file should appear as shown in Figure 17-11.

Figure 17-11: Recovered PDF Additional Exercises: Perform a file recovery for common file signatures. a.

How many files existed on the media?

b. What were the file types? c.

What were the files’ sizes?

146

Digital Forensics Workbook

Activity 17-2: File Carving with Carver Recovery In this activity you will perform automated file carving using Carver Recovery. Tools: Product: Manufacturer: Web site:

Carver Recovery Christopher Doman https://code.google.com/p/carver-recovery/

Instructions: 1. Download and install Carver Recovery by extracting the contents of the compressed file to a new folder. 2. Create a new folder on your desktop called “Carver-Output.” 3. Download the file named “raw_image2.dd” from the Digital Forensics Workbook web site. Save the file to your desktop. 4. Launch Carver Recovery by double-clicking on the file named “Carver Recovery.exe.” 5. In the textbox next to “Select Drive Image” enter the path to the file named “raw_image2.dd.” 6. In the textbox next to “Store Files In” manually enter the path to the “Carver-Output” directory on your desktop. This path is case sensitive. Click the “Set” button. 7. Click the button named “Search.” 8. The results of the automated file carving are show in Figure 17-12.

Figure 17-12: Carver Recovery output 9. Open the output path specified in “Store Files In:” and view the results. The results should appear identical to those shown in Figure 17-13. The file “audit.txt” is not one of the recovered files. 147

Figure 17-13: Output directory with recovered files 10. If there was only one GIF on the media, why did Carver Recovery return multiple GIFs? The GIF was an animated GIF with multiple layers.

148

Digital Forensics Workbook

Activity 17-3: Data Recovery with Bulk Extractor In this activity you will perform automated data recovery using Bulk Extractor. Tools: Product: Manufacturer: Web site:

Bulk Extractor Simson Garfinkel https://code.google.com/p/carver-recovery/

Instructions: 1. Download and install Bulk Extractor. 2. Create a new folder on your desktop called “Carver-Output.” 3. Download the file named “raw_image2.dd” from the Digital Forensics Workbook web site. Save the file to your desktop. 4. Launch Bulk Extractor. 5. From the main menu select “Tools” and then select “Run Bulk Extractor…” The “Run Bulk Extractor” dialog box will appear as shown in Figure 17-14.

Figure 17-14: Run Bulk Extractor dialog box 149

6. In the “Image File” dialog box ! browse to the downloaded file raw_image2.001. 7. Create a new folder on your desktop called “Output.” 8. In the “Output Feature Directory” " dialog box browse to the newly created “Output” directory. 9. Click the “Submit Run” button. 10. At the conclusion of the scan click the “Close” button in the “bulk_extractor Scan” window. 11. In the Bulk Extractor Viewer window, click the folder named “Output” in the Reports pane. 12. Click on the item named “winprefetch.txt.” 13. In the “Feature File” pane click on the Prefetch file listed. The results will appear as shown in Figure 17-15.

Figure 17-15: Bulk Extractor output 14. What was the name of the executable associated with the Prefetch file, which was run? SVCHOST.EXE 15. Click on the “url_services.txt” name in the Reports pane. 16. What if any URLs associated with malware appeared on the list? The domain poisonivy-rat.com appeared on the list.

150

Digital Forensics Workbook

Associated Exercises: Review the rest of the results from Bulk Extractor. d. How many Portable Executable (PE) headers appeared? Two PE headers were listed under winpe.txt. e.

How many executables should exist in the media? Given that there were two separate PE headers, there should be two executables.

f.

Review the list of entries associated with zip.txt. Based on the information listed in the “Feature File” pane, what files were found? Based on the list of items, it appears that an Excel workbook and Word document were on the media. There did not appear to be any other compressed files.

151

152

Digital Forensics Workbook

18 TIMESTAMPS AND TIMELINES Most forensic examiners are familiar with the three basic timestamps on nearly all file systems: MAC timestamps, i.e., the date and time a file is Modified, the date and time a file is last Accessed, and the date and time a file is Created. Reconstructing an event and building a meaningful timeline requires the use of many other timestamps in addition to those maintained by the file system. Relying solely on a file system’s timestamps may form an incomplete picture of events. When all applicable timestamps from a system are combined together, a much more powerful story of what happened can be told and it becomes much more difficult for the interpretation of observed facts to be refuted. For example, a computer user may dispute a claim regarding the creation date of a Microsoft Word document; however, when it is discovered there are over 25 different timestamps being generated during the creation of a Microsoft Office file, the story becomes difficult to challenge. Examples of where to look for timestamps include: • The file system, which shows when a file was created, accessed, and modified on media • A change journal, which shows when a file was created, accessed, modified, or renamed • System log files, which shows when a user logged on and off a system; when a system was booted/shutdown • Shortcuts, which shows when a target file was accessed • JumpLists, which shows when a file or executable was accessed • The Registry, which contains a list of Most Recently Used (MRU) items for many applications • Timestamps within user-created files, which can show when a file was created or updated • DHCP server logs, which shows when a computer connected to a network and received an IP address • DNS logs, which reveal when DNS queries were performed • Domain Controller logs, which contain details of when a user authenticated into a network • Firewall logs, which reveals when network traffic crossed the network’s boundary • IDS logs, which contains times of when certain traffic was seen traversing the network Performing a timeline analysis frequently requires an examiner gather relevant timestamps from a file system and/or external sources, e.g., a firewall or domain controller, convert all times into a consistent format, and lastly place all times in a standardized format, e.g., UTC or local time zone. This may be a challenging task when a system stores various timestamps in a variety of formats.

153

Activity 18-1: Combining Timestamps for a Timeline In this activity you will analyze a series of timestamps related to one event – the creation of a Microsoft Word document. Tools: Product: Manufacturer: Web site:

WinPrefetchView NirSoft http://www.nirsoft.net/utils/win_prefetch_view.html

Product: Manufacturer: Web site:

MiTec Windows File Analyzer Michal Mutl http://mitec.cz/wfa.html

Product: Manufacturer: Web site:

Windows compression utility Microsoft Corporation http://www.microsoft.com

Instructions: 1. Download and install WinPrefetchView. 2. Download and install MiTeC Windows File Analyzer. 3. Download the file named “timeline.zip” from Digital Forensics Workbook web site and extract the contents to the desktop. 4. The files contained within the timeline.zip were taken from the locations: C:\Users\Public\Hidden.docx C:\Users\Katie\AppData\Roaming\Microsoft\Office\Recent\Hidden.lnk C:\Users\Katie\AppData\Roaming\Microsoft\Windows\Recent\Hidden.lnk C:\Windows\Prefetch\WINWORD.EXE-157D232E.pf 5. Launch WinPrefetchView. 6. From the main menu select “Options,” select “Advanced Options,” and then point WinPrefetchView to the timeline directory on the desktop. Upon redirection, the results will appear as shown in Figure 18-1.

154

Digital Forensics Workbook

Figure 18-1: Analysis of relevant Prefetch file from C:\Windows\Prefetch with WinPrefetchView 7. When was Microsoft Word last run? Microsoft Word was last run on October 17, 2015 at 11:46:54 PM. 8. When was the Prefetch file created and when was it last modified? The Prefetch file for Microsoft Word was created on October 17, 2015 at 11:28:18 PM. The Prefetch file was last modified on October 17, 2015 at 11:47:08 PM. (Windows monitored the system for ten seconds after Word was launched and then committed the Prefetch file to disk. The modified timestamp is consistent with the timestamp of when Microsoft Word was last executed.) 9. Launch Windows File Analyzer. 10. From the main menu select “File,” then select “Analyze Shortcuts,” and direct the application to the Timeline directory on the desktop. Examine the Windows shortcut. 11. When prompted to select an operating system, choose “Windows 7.” The results are shown in Figure 18-2.

Figure 18-2: Analysis of relevant shortcuts from C:\Users\Katie\AppData\Roaming\Microsoft\Windows\Recent\ 155

12. According to the information in the shortcut, when was the file created and last modified? The shortcut contained within the Recent directory was not updated with a timestamp. 13. Analyze the shortcut from Microsoft Office with Windows File Analyzer. A copy of the results is shown in Figure 18-3.

Figure 18-3: Figure 18-2: Analysis of relevant shortcuts from C:\Users\Katie\AppData\Roaming\Microsoft\Office\Recent 14. When was the file named “Hidden.docx” created and last modified? The file was created on October 17, 2015 at 11:48:03 PM and last modified at 11:48:04 PM. 15. Rename the Microsoft Office file, which is currently named “Hidden.docx” to “Hidden.zip.” 16. Open the file, then open the folder named “docProps,” and then open the file named “core.xml.” The results are shown in Figure 18-4.

Figure 18-4: Meta data from Microsoft Word document. 17. When was the file created and modified? The file was created on October 18, 2015 at 03:46:00 Zulu and then modified two minutes later at 03:48:00 Zulu. 156

Digital Forensics Workbook

18. Based on the timestamps provided, identify a timeline of events. At 11:46:54 PM (ET) Microsoft Office was launched. At 11:46:03 PM (ET) the file named Hidden.docx was created. At 11:48:04 PM (ET) the file named Hidden.docx was saved in C:\Users\Public\

157

Activity 18-2: Examining Event Logs In this activity you will analyze a series of timestamps for events in a Windows Event log to show when a user logged on and off a Windows 7 system. Tools: Product: Manufacturer: Web site:

Event Log Viewer Microsoft Corporation http://www.microsoft.com

Instructions: 1. Download the file named “Events.zip” from the Digital Forensics Workbook web site. Extract the contents to your desktop. 2. These event logs came from a computer running Windows 7. 3. Open the event log named “Security.evtx” on a Windows-based computer using Event Log Viewer. 4. Scroll down to October 2, 2015. 5. What user account logged into the system on October 2, 2015 through an interactive session (i.e., Logon Type: 2)? The “admin” account logged in on October 2, 2015 at 3:15:50 AM ! as shown in Figure 18-5.

Figure 18-5: Admin login 158

Digital Forensics Workbook

6. Click the “Detailed” tab " to show the information in an alternate view. 7. Expand the plus (+) symbol next to System. The details will appear as shown in Figure 18-6.

Figure 18-6: Security Event Log details 8. In what format was the logon time stored? The time was stored in UTC. 9. Scroll up through the logs. 10. When did the user log off the system? The user logged off the system on October 2, 2015 at 11:02:14.217851300 UTC. Additional Exercises: Examine the System Event logs, i.e., system.evtx. a.

When did the system event logs start and stop on October 2, 2015?

b. Based on a comparison of these times against the Security log for the same day, which log runs longer? 159

Activity 18-3: Extracting Timestamps from Multiple Files with log2timeline In this activity you will extract timestamps from multiple files using log2timeline and then export the data into a file capable of being read by text readers, e.g., Notepad, or spreadsheet software, e.g., Microsoft Excel. Tools: Product: Manufacturer: Web site:

log2timeline Kristinn Gudjonsson https://github.com/log2timeline/plaso/wiki https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release

Product: Manufacturer: Web site:

Microsoft Visual C++ 2010 SP1 Redistributable Package (x64) Microsoft Corporation http://www.microsoft.com/en-us/download/details.aspx?id=13523

Note:

This set of installation instructions is for the 64-bit version of log2timeline. If the 32-bit version is needed, then the Microsoft Visual C++ 2008 Redistributable Package (x86) should be used.

Instructions: 1. Create a new directory on your desktop named input. 2. Download the file named “Events.zip” from the Digital Forensics Workbook web site. Extract the contents, i.e., Security.evtx and System.evtx, into the directory named input. 3. Download and install the Microsoft Visual C++ 2010 SP1 Redistributable Package (x64). 4. Download log2timeline from GitHub. (For this exercise, the following version was downloaded: plaso-1.3.0-win-amd64-vs2010.zip.) 5. Extract the contents from the compressed file and place them on your desktop. When extracting the files preserve the folder structure. All files will be contained in a folder named plaso. 6. Open a command prompt on the computer. 7. At the prompt type the following command and press the “Enter” key to navigate to the directory containing log2timeline: cd: C:\Users\username\Desktop\plaso\ 8. At the prompt type the following command to extract data from the contents of the input directory, i.e., the two event log files, and place the results inside a zip file named output.zip: log2timeline C:\Users\username\Desktop\output.zip C:\Users\username\Desktop\input\

9. Upon running log2timeline, the results in the command prompt will be displayed as shown in Figure18-7. 160

Digital Forensics Workbook

Figure 18-7: log2timeline processing results. 10. At the prompt type the following command and press the “Enter” key to inspect the compressed output file: pinfo C:\Users\username\Desktop\output.zip 11. The results of the command are shown in Figure 18-8.

Figure 18-8: Description of log2timeline output file. 12. Based on the details within the compressed file, log2timeline was run on October 23, 2015 at 3:51:41 UTC !, the contents of the directory named “input” were processed and the output was saved to 161

output.zip ", a variety of parsers were automatically applied during the extraction#, and there were 9877 items extracted from Windows Event Logs (winevtx) $. 13. At the prompt type the following command and press the “Enter” key to extract the items into a text file capable of being read by a text editor or imported into a spreadsheet such as a Microsoft Excel workbook: psort C:\Users\username\Desktop\output.zip > C:\Users\username\Desktop\rawoutput.csv

14. At the completion of the extraction, open the text file. The results will match what is shown in Figure 18-9.

Figure 18-9: Converted output 15. At the prompt, type the following command and press the “Enter” key to see a list of parameters for log2timeline: log2timeline -h 16. What parameter is used to explicitly set the timezone? The following would be used to set the timezone explicitly -z timezone Additional Exercises: 1. Download the compressed file named “Shortcuts.zip” from the Digital Forensics Workbook website and extract the contents to your desktop. 2. Run log2timeline against the contents of the directory. c.

How many timestamps were recovered?

162

Digital Forensics Workbook

19 RECOVERING PASSWORDS Identifying passwords on computers can be significant in forensic investigations. When it comes to placing a person behind the keyboard, it is significant to know whether a password existed on a user account, if the password was easily guessable, or if the password was a complex, long password. Additionally, people tend to re-use passwords, so learning one password can provide inside into other locked areas, e.g., encrypted files/partitions, e-mail accounts, web pages, and other guarded locations. Computer systems stopped storing passwords in plaintext quite some time ago. One-way hashes of passwords or encryption techniques are considered much more secure manners of keeping passwords. As some system owners/operators may be less than cooperative in supplying a password, it may be necessary for a forensic examiner to crack a password through a variety of techniques to obtain the necessary information.

163

Activity 19-1: Recovering Passwords In this activity you will crack passwords taken from a Windows-based computer using Ophcrack in Kali Linux. Tools: Product: Manufacturer: Web site:

Kali Linux Offensive Security https://www.kali.org

Instructions: 1. Launch the Kali VM and log into it. 2. Open the Iceweasel browser and go to: http://ophcrack.sourceforge.net/tables.php. The web page is shown in Figure 19-1.

Figure 19-1: Ophcrack tables 3. Download the following two tables: XP free small and XP free fast

164

 

Digital Forensics Workbook

4. On the main menu on the left-hand side of Kali, click on Files and navigate to the Downloads directory. This is shown in Figure 19-2.

Figure 19-2: Downloads directory

 

5. Right-click in the folder and create two new subfolders with the names: XP Free Small and XP Free Fast. 6. Double-click on the file named “tables_xp_free_fast.zip.” The contents will match what is shown in the Figure 19-3.

Figure 19-3: Rainbow tables in xp_free_fast.zip

165

 

7. Click the “Extract” button and save the contents in the XP Free Fast folder. 8. Double-click on the file named “tables_xp_free_small.zip.” 9. Click the “Extract” button and save the contents in the XP Free Small folder. 10. Close the window. 11. From the main menu in Kali, select “Applications,” then “05 – Password Attacks,” and then “ophcrack”. This is shown in Figure 19-4.

Figure 19-4: Kali menu with ophcrack 12. After clicking on ophcrack, a screen identical to the one shown in Figure 19-5 will appear.

Figure 19-5: Ophcrack main window 166

Digital Forensics Workbook

13. Make the downloaded tables accessible to ophcrack. Click on the “Tables” button. As you can see in Figure 19-6, no tables are loaded by default.

Figure 19-6: Opcrack tables 14. On the list click on “XP free fast” and then click the “Install” button. 15. When prompted, navigate to the Downloads directory and point ophcrack to the “XP free fast” directory and click the “Open” button. 16. On the list click on “XP free small” and then click the “Install” button. 17. When prompted, navigate to the Downloads directory and point ophcrack to the “XP free small” directory and click the “Open” button. 18. Upon pointing ophcrack to the rainbow tables, ophcrack will display the screen shown in Figure 19-7.

167

Figure 19-7: Ophcrack with tables 19. Click the “OK” button. 20. Click on the “Load” button on the main screen. This is shown in Figure 19-8. Note the four different ways of uploading files to be cracked: loading a single hash value, uploading a PWDUMP file, uploading a session file, or uploading an encrypted SAM file.

Figure 19-8: Ophcrack cracking options 168

Digital Forensics Workbook

21. Select “Single hash” from the pull-down menu !. 22. The “Load Single Hash” value dialog box will appear as shown in Figure 19-9. There are three different formats in which the hash can be uploaded, including: LM Hash, LM/NT Hash combination, and PWDUMP format, which includes the username, ID, LM Hash and NT Hash.

Figure 19-9: Single hash cracking options 23. Below is a list of dumped password hashes in PWDUMP format. Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:54f2810a212387bd2ed3651200011465:fbadfb1325c5a4d06130da2fa251f32c::: Jim:1003:828a5954e6da729caad3b435b51404ee:bc62ac0f8ea9dd1ad703c8b4f0a968c4::: Sparky:1004:72452d2682b2ba9c93e28745b8bf4ba6:ef3b88c0e908711adae65c0825ea7e30::: test_account:1005:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::

24. Enter the value for Sparky into the textbox using the PWDUMP format. This is shown in Figure 19-10.

169

Figure 19-10: Data for cracking 25. Press the “OK” button. 26. Click the “Crack” button on the main menu. 27. At the end of the cracking, the results will be displayed, as shown in Figure 19-11.

Figure 19-11: Results of cracking 170

Digital Forensics Workbook

28. The results of the cracking attempt are displayed in the table at the top of Figure 19-11. 29. What is the password for the account named “Sparky”? The password for the account was: bookends. Additional Exercises: a.

What is the password for the account named Administrator?

b. What is the password for the account named Guest? c.

What is the password for the account named HelpAssistant?

d. What is the password for the account named Jim? e.

What is the password for the account named test_account?

171

172

Digital Forensics Workbook

20 MOUNTING IMAGES AS VIRTUAL MACHINES Dead box forensics, i.e., the process of collecting, preserving, acquiring, and analyzing the media from computers after the computer has been turned off, is at the core of digital forensics. From this static media a large number of artifacts can be collected and interpreted, including file system artifacts, operating system artifacts, and user-created files. While this proves extremely useful, sometimes it is not sufficient. At times it is necessary to examine a computer in a running state to gain a more complete understanding of what is taking place on the system. When a computer system is running, examiners can view applications and drivers loaded into memory, they can view active network connections, they can watch malware as it behaves on the compromised system, they can see the system in much the same way the user would see it, and they can interact with the system. The challenge with this analysis has been making the trade-off between preserving a hard drive in its frozen state or interact with it, which would change the data on it. With virtualization it is possible to have the best of both worlds: a forensically intact evidence file and a running system with which to interact. Computer virtualization has made it possible to examine and interact with forensically preserved systems in a running state. The forensic image is loaded as a disk for a virtualized machine (VM). In order to complete this process three functions must be performed: 1. The forensic image must be mountable and readable. 2. Virtualization software must read the forensic image as if it were a compatible, native disk. 3. Write commands sent to the forensic image must be cached so the virtualization software thinks it is writing to the disk, i.e., the forensic image, but the forensic image’s integrity is actually preserved. There are many tools available on the market, which will allow a forensic image, e.g., a raw/dd file or .E01 file, to be mounted as a physical drive and then cache write-commands sent to it. These include tools such as Arsenal Image Mounter, FTK Imager, MountImage Pro, and OSFMount. Other tools such as LiveView, Virtual Forensic Computing, and VirtualBox can be used to virtualize the system. When combined, these tools provide the forensic investigator with valuable insight into the operation of a seized system.

173

Activity: 20-1: Mounting a Forensic Image for use as a Virtual Machine In this activity you will go through the procedures to mount a forensic image as a Virtual Machine (VM). In order for the process to complete, the VM must have a working operating system on it. Tools: Product: Manufacturer: Web site:

FTK Imager AccessData Group, Inc. http://accessdata.com/product-download

Product: Manufacturer: Web site:

VirtualBox Oracle https://www.virtualbox.org/wiki/Downloads

Instructions: 17. Download and install FTK Imager. 18. Download and install VirtualBox. 19. Launch FTK Imager. 20. From the main menu select “File” and then “Image Mounting…” 21. In the “Mount Image to Drive” window, shown in Figure 20-1, browse to the forensic image to be mounted !, change the mount type to “Physical Only” ", change the mount method to “Block Device / Writable” #.

Figure 20-1: Mounting an image with FTK Imager 174

Digital Forensics Workbook

22. Click the “Mount” button $. 23. Note the physical drive designation in the “Mapped Images” table as this information will be needed in future steps. In this example it is PhysicalDrive2 &. This is shown in Figure 20-2.

Figure 20-2: Mapped Images with FTK Imager 24. Click the “Close” button. 25. Do not quit FTK Imager or the forensic image will be unmounted. 26. Go to the Windows start menu and then right-click on cmd.exe. Choose “Run As Administrator.” 27. At the prompt type the following command to navigate to the VirtualBox directory: cd: C:\Program Files\Oracle\VirtualBox\ 28. At the prompt type the following command to create a .vmdk (virtual machine disk) file based on the mounted physical drive: vboxmanage internalcommands createrawvmdk -filename C:\test.vmdk -rawdisk \\.\physicaldrive2

29. Go the Windows start menu and then right-click on VirtualBox. Choose “Run As Administrator.” The VirtualBox Manager will appear as shown in Figure 20-3.

175

Figure 20-3: VirtualBox Manager 30. Click the “New” button. 31. When prompted to create a new virtual machine, as shown in Figure 20-4, select the same type of virtual machine as contained within the forensic image. In this example, the forensic image was from a computer running the 64-bit version of Windows 7.

Figure 20-4: Virtual Machine selection 32. After entering a name, click the “Next” button. 33. Assign an appropriate amount of resources to the virtual machine and click the “Next” button. 176

Digital Forensics Workbook

34. When prompted to create a virtual the virtual disk, as shown in Figure 20-5, check the radio button next to “Use an existing virtual hard disk file” '.

Figure 20-5: Selecting the custom virtual disk for the virtual machine 35. Click the folder icon ( and then browse to the .vmdk file, which was created in step 12. 36. Click the “Create” button. 37. At the conclusion of the setup, VirtualBox should display a screen similar or identical to what is shown in Figure 20-6.

Figure 20-6: Configured VM from a mounted forensic image 38. Click the “Start” button to launch the virtual machine. 177

178

Digital Forensics Workbook

21 MEMORY ACQUISITION AND ANALYSIS Dead box analysis remains a staple of digital forensics; however, examiners are discovering that there is a wealth of information contained within volatile data. The contents of memory, i.e., RAM, are being sought during forensic examinations to describe more accurately the system being analyzed. As a result, it has been possible to recover information pertaining to running processes, passwords, decrypted versions of normally encrypted data, network connections, and so forth. Additionally, malware analysts are capable of extracting specific details related to infections by analyzing processes in memory. Some traditionalists feel that capturing the contents of memory from a running system is not forensically sound. They would much prefer connecting a drive to a write blocker and forensically acquiring media before moving forward. It is possible to acquire the contents of RAM, make as few changes to the host system as possible, and document the acquisition process so the procedure is forensically defensible. There is the option to mount a forensic image as a virtual machine. In these situations, the amount of information recovered can greatly enhance an investigation. There are several tools available in the industry to acquire the contents of RAM. Some tools will need to be installed, while others can operate as a stand-alone application. The choice of which to use will depend on the situation. In situations of performing malware analysis in a controlled environment, pre-installing applications may be more appropriate. In situations, such as incident response or in live forensic acquisitions, using a small, stand-alone application, where the contents of memory are offloaded to an external storage device or across a network to a waiting platform, will be advisable. Care should be taken to test the technique being used, the artifacts the technique leaves behind, and the reliability/reproducibility of the technique.

179

Activity 21-1: Acquisition of Memory and Recovery of File/Password from Memory In this activity you will capture the contents of memory from a Windows-based computer using FireEye’s (formerly Mandiant’s) Memoryze, and review the contents for sensitive data. (Note: Acquisitions of memory will require administrator/root privileges.) Tools: Product: Manufacturer: Web site: Note:

Memoryze FireEye https://www.fireeye.com/services/freeware/memoryze.html There have been reports of Memoryze interfering with Python and NumPy, if Memoryze is installed on the local hard drive where these tools reside.

Product: Manufacturer: Web site:

FTK Imager AccessData Group, Inc. http://accessdata.com/product-download

Instructions: 1. Download Memoryze from the FireEye web site and extract the contents of the zip file to the desktop of the computer. 2. Go the Windows start menu and then right-click on cmd.exe. Choose “Run As Administrator.” 3. At the prompt type following command to move to the Desktop where MemoryzeSetup3.0.msi is located: cd C:\Users\username\Desktop 4. Insert a USB storage device into the computer and note the drive letter assigned to it. (Note: The USB flash drive should have more storage capacity than the size of RAM in the computer.) 5. At the command prompt type the following to install Memoryze on the USB storage device: msiexec /a MemoryzeSetup3.0.msi /qb TARGETDIR=E: where E: represents the drive letter of the USB storage device connected to the computer. 6. Download the Microsoft Word Document from the Digital Forensic Workbook web site named: VeryOddNamedDocument.docx 7. Open the Microsoft Word document. The password to open the file is: veryverylongpassword 8. Quit Microsoft Word. 180

Digital Forensics Workbook

9. In the open command prompt type the following command and press the “Enter” key: E:\x64\memorydd.bat –output E:\ where E: represents the drive letter of the USB flash drive connected to the computer. 10. After entering the command, the contents of memory will be captured and stored on the external storage device in a folder named \Audits\computer_name\date_time\. The file with the contents of memory will have a name similar to memory.0d2f3a2c.img. The acquisition process may take some time to complete. 11. Download and install FTK Imager. 12. Launch FTK Imager. 13. From the main menu select “File” and then select “Add Evidence Item…” 14. In the “Select Source” window, click the radio button next to “Image File” and click the “Next >” button. 15. Identify the memory capture on the USB storage device and click the “Finish” button. The results will appear similar to what is shown in Figure 21-1.

Figure 21-1: Memory capture opened in FTK Imager 181

16. Right-click in the lower right corner of the bottom frame, where text appears. 17. Click “Find…” ! from the pop-up menu as shown in Figure 21-2.

Figure 21-2: Pop-up menu with “Find” command 18. In the “Find” window, as shown in Figure 21-3, enter the text “super secret,” which is a phrase contained within the Microsoft Word document that was previously open, and click the “Find” button.

Figure 21-3: Find command

182

Digital Forensics Workbook

19. Was the Microsoft Word document recoverable from memory? Yes, the Word document was recoverable. (Note: It may be necessary to search beyond the first occurrence of the phrase.) 20. Perform a text search for “veryvery” to look for the password for the Word document. 21. Was the password recoverable from memory? Yes. Additional Exercises: a.

Name at least three artifacts, which will appear on a target system, when a memory acquisition is performed, where the Memoryze application is run from a USB storage device and the acquisition’s output is on the USB storage device. (You can assume that Memoryze had been installed previously on the USB storage device and that it was not necessary to download and install the application on the target computer.)

183

Activity 21-2: Acquisition of Memory In this activity you will capture the contents of memory from a Windows-based computer using AccessData’s FTK Imager Lite. (Note: Acquisitions of memory will require administrator/root privileges.) Tools: Product: Manufacturer: Web site:

FTK Imager Lite AccessData Group, Inc. http://accessdata.com/product-download

Instructions: 1. Connect a USB storage device to the computer. 2. Download FTK Imager Lite from AccessData’s web site. 3. Extract the contents of the downloaded file to the USB storage device. No installation is needed. 4. Open Windows Explorer and navigate to FTK Imager.exe, which is located on the USB storage device. 5. Launch FTK Imager Lite. 6. From the main menu select “File” and then select “Capture Memory…” ! as shown in Figure 21-4.

Figure 21-4: Capture Memory option in FTK Imager 184

Digital Forensics Workbook

7. In the dialog box, as shown in Figure 21-5, enter a destination location on the USB storage device to save the memory dump and then click the “Capture Memory” button. (Note: It is possible to also capture the contents of the page file.)

Figure 21-5: Memory Capture dialog box 8. The status of the memory capture will be displayed as shown in Figure 21-6. At the conclusion of the memory acquisition, click the “Close” button.

Figure 21-6: Memory acquisition progress

185

Activity 21-3: Analysis of Memory File In this activity you will use Volatility to retrieve and analyze various data from a memory capture. Tools: Product: Manufacturer: Web site:

Volatility Volatility Foundation http://www.volatilityfoundation.org

Instructions: 1. Download the standalone Volatility executable from the Volatility Foundation web site and place the executable on your desktop. 2. Download the file memory.img from the Digital Forensics Workbook web site and place it on your desktop. 3. Open a command prompt on the computer. Type the following command and press the “Enter” key to change the present working directory to the desktop: cd C:\Users\username\Desktop 4. At the prompt type the following command and press the “Enter” key to display the operating system information of the computer from which the memory acquisition was performed: volatility-2.4.standalone.exe –f memory.img imageinfo 5. The results of the analysis will be displayed as shown in Figure 21-7.

Figure 21-7: Image information as retrieved from Volatility 6. Based on the data, what was the operating system of the computer from which the memory was acquired? The operating system was Windows. It was either Windows Server 2008 or Windows 7 !.

186

Digital Forensics Workbook

7. What are the suggested profiles to be used with the other Volatility scans? The suggested profiles are: Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, and Win2008RS2SP1x64 !. This information will be used to run other Volatility commands. 8. Based on the data, what type processor was on the original system, i.e., was it 32-bit or 64-bit? The processor was 64-bit processor ". 9. At the prompt, type the following command and press the “Enter” key to display the list of processes, which were running at the time of the acquisition: volatility-2.4.standalone.exe –-profile=Win7SP1x64 memory.img pslist

10. The results of the analysis appear in Figure 21-8. (It is possible to use the various suggested profiles in a trial-and-error technique. This particular computer was running Win7SP1x64.)

Figure 21-8: Process List from memory.img as discovered by Volatility 11. Based on the results, which browsers were running at the time of the acquisition? Both Microsoft Internet Explorer and Google Chrome were running !. 187

12. What was the Process ID for GoogleUpdate? GoogleUpdate.exe used Process ID 3300 ". 13. What application was using Process ID 3780? Adobe Acrobat Reader was using Process ID 3780 #. 14. What application was used to acquire the contents of memory? FTK Imager, using Process ID 3460, was used to acquire the contents of memory $. 15. At the prompt, type the following command and press the “Enter” key to display the list of DLLs, which were running at the time of the acquisition: volatility-2.4.standalone.exe –-profile=Win7SP1x64 memory.img dlllist > text.txt

The output was directed to a text file rather than to the console, because of the length of the list. 16. Open the text file named text.txt to see the results. The results of the analysis appear in Figure 21-9.

Figure 21-9: Dynamic Link Library files loaded into memory 188

Digital Forensics Workbook

17. How many Dynamic Link Library (.DLL) files were loaded into the memory for smss.exe using PID 300? smss.exe loads one .DLL file into memory: ntdl.dll %. 18. From what directory did AVG Anti-virus run? AVG runs from C:\Program Files (x86)\AVG\AV\ &. 19. To recover the DLLs from memory for Process ID 340, i.e., smss.exe, and store them on the USB storage device using E:\, type the following command at the prompt and press the “Enter” key: volatility-2.4.standalone.exe –-profile=Win7SP1x64 memory.img dlldump --pid=340 --dump-dir E:\

20. Malware scans and reverse engineering can be performed on the recovered DLL files. 21. To display the list of network connections in memory at the time of acquisition, enter the following command and press the “Enter” key: volatility-2.4.standalone.exe –-profile=Win7SP1x64 memory.img netscan

Note: For Windows XP and Windows 2003, connections should be used instead of netscan. 22. The results of the output will match what is shown in Figure 21-10.

Figure 21-10: Connections recorded in memory 189

23. To what external IP addresses was Google Chrome connected at the time of the acquisition? Google Chrome was used to visit several web servers: 23.62.6.66 ', 173.194.121.25 (, and 74.125.228.237 ) over TCP port 443 (HTTPS) and 184.168.27.205 * over TCP port 80 (HTTP). Additional Exercises: Download the files memory2.img and memory3.img from the Digital Forensics Workbook web site. b. Using Volatility, what is the suggested profile for memory2.img? c.

What are the process names for the following running Process IDs found in memory2.img: 1472 and 1888? What is the relationship between the two?

d. What are the names of the DLLs loaded by Process ID 3260? e.

Were there any Internet/network connections established in memory2.img? If so, what was the process name was calling them?

f.

What is the suggested profile for memory3.vmem?

g. What are the names of the processes associated with Process IDs 2044 and 936 in memory3.vmem? h. Were there any Internet/network connections established in memory3.vmem? If so, what were they? i.

What is the suggested profile for memory4.img?

j.

Review the list of running processes in memory4.img. Which process is associated with wireless scanning software? (Note: You may need to conduct some Internet searches to assist with finding the answer.)

190

Digital Forensics Workbook

22 NETWORK TRAFFIC Analyzing network traffic can be incredibly valuable in forensic investigations, as it is possible to identify source and destination IP addresses for network traffic along with payloads. This can be especially useful in situations, where media, e.g., a server’s hard drive, does not contain sufficient levels of detail. If data on a drive were deleted and/or overwritten, it could be fairly difficult for a forensic examiner to perform event reconstruction; however, a network packet capture would contain evidence of downloads or data exilftration. Records of network activity may take the form of logs from a firewall or an intrusion detection system (IDS), but in very fortunate cases it may include full network packet captures. The fundamental difference between the two is that the former often contains just header information and the latter will contain payloads. Network packet captures are incredibly valuable; however, they have three fundamental concerns: 1. Depending on the size of the network there may be a great volume of data to capture and storing this much data tends to be expensive. Imagine analyzing network data, when college basketball tournaments, i.e., March Madness, are streamed across networks, or during Cyber Monday, when there are hundreds of thousands of e-commerce transactions occurring every second. 2. Recovering specific artifacts from a sea of network data is akin to searching for a needle in a haystack. 3. Encrypted tunnels may hide payloads and only packet header information is available. Wireshark, while not the only tool, is a very popular network packet capture tool that can be used to perform analysis, but when it comes to larger datasets, it is often useful to use an analytical and data visualization tool such as Splunk.

191

Activity 22-1: Network Traffic Identification: PING In this activity you will use Wireshark to review the results of a previously recorded Ping, filter the results, and export results to a new file. Tools: Product: Manufacturer: Web site:

Wireshark Wireshark Foundation https://www.wireshark.org

Instructions: 1. Download and install Wireshark and its dependencies. 2. Download the following packet capture from the Digital Forensics Workbook web site: ping.pcapng. 3. Launch Wireshark. You will see a screen identical to the one shown in Figure 22-1.

Figure 22-1: Wireshark home screen

192

Digital Forensics Workbook

4. From the main menu select “File,” select “Open,” and then open the file named ping.pcapng. The packet will be opened and displayed as shown in Figure 22-2. Clicking on a packet in the Packet List Pane will display the details for that packet in the Packet Details Pane and Packet Bytes Pane.

Figure 22-2: Network packet of a Ping between two workstations 5. Based on the Packet List Pane, how many packets were sent back and fourth? Eight packets were sent back and fourth !. (Four were requests and four were replies. By default, Ping on Windows will send four requests. Ping on Mac OS and Linux will send requests continuously until stopped.) 6. What was the source of the Pings and what was the target of them? The source of the Pings was the host with the IP address of 192.168.17.133 " and the target was 192.168.17.134 #. (In order to obtain this information, a packet with an “Echo (ping) request” must be reviewed.) 7. What protocol is used with Ping? ICMP (Internet Control Message Protocol) $ is used with Ping.

193

8. What are the sequence numbers associated with the Pings? There are four sequence numbers associated with each pair (request/reply). They are: 33, 34, 35, and 36 %. (Wireshark presents the numbers in both Little Endian (LE) and Big Endian (BE) formats. 9. How many hops can the Ping pass before it is dropped by a router? Pings can travel through 128 hops/routers before they are dropped &. 10. How long did it take for the first reply/request to traverse the network for the first PING? It took 0.000673 seconds for the first reply/request to reach the target and return '. 11. In the textbox next to the word “Filter” enter the following text to filter the results of a particular source IP address: ip.src==192.168.17.133 12. After entering the text, press the “Apply” button. The results will be identical to those shown in Figure 22-3.

Figure 22-3: Results filtered on the source IP address of 192.168.17.133 13. How many packets are displayed and what are their relative numbers? Four packets are displayed. They have the relative numbers of 1, 3, 5, and 7 !. 14. Based on the filter, do the displayed packets show requests or replies? The displayed packets show only the requests " and not the replies. 194

Digital Forensics Workbook

15. In the textbox next to the word “Filter” enter the following text to filter the results of a particular source IP address: ip.dst==192.168.17.133 16. After entering the text, press the “Apply” button. The results will be identical to those shown in Figure 22-4.

Figure 22-4: Results filtered on the destination IP address of 192.168.17.133 17. How many packets are displayed and what are their relative numbers? Four packets are displayed. They have the relative numbers of 2, 4, 6, and 8 #. 18. Based on the filter, do the displayed packets show requests or replies? The displayed packets show only the replies $ and not the requests.

195

19. To save these packets in their own packet capture file, select the “File” menu and then select “Export Specified Packets” from the pull-down menu. The “Wireshark Export Specified Packets” dialog box will appear as shown in Figure 22-5.

Figure 22-5: Wireshark Export Specified Packets 20. Enter a name for the file. Ensure the radio button next to “Displayed” is checked. Click the “Save” button. (Note: If you wanted to specify the packets to be saved by range of packets, the “Range” option can be used where packets can be specified by an individual number, e.g., 3, as a consecutive range with a dash, e.g., 4-7, or as a split group using commas as a separator, e.g., 1,3,7. 21. After saving the packet capture, click the “Clear” button next to the filter to remove the filter. Additional Exercises: 1. Launch Wireshark. 2. Open the file named ping.pcapng 3. Apply the following filter to the packet capture: ip.addr == 192.168.17.134 a.

What results were displayed after applying the filter?

196

Digital Forensics Workbook

Activity 22-2: Network Traffic Identification: DNS Query In this activity you will use Wireshark to review the results of a previously recorded DNS query. Later activities will involve performing packet captures and look at larger packet samples for particular artifacts. Tools: Product: Manufacturer: Web site:

Wireshark Wireshark Foundation https://www.wireshark.org

Instructions: 1. Download the following packet capture from the Digital Forensics Workbook web site: DNS-queryresponse.pcapng. 2. Launch Wireshark. 3. Open the network packet capture named “DNS-query-response.pcapng.” The packet capture will appear in Wireshark as shown in Figure 22-6.

Figure 22-6: DNS-query-response packet capture 197

4. How many packets are involved in a DNS query? Two packets are transmitted: one packet for the query and the other for the response !. 5. How long did it take to get a response for the DNS query? It took 0.1844 seconds for a response to be returned. DNS has very little overhead and no error checking. 6. What is the IP address of the host, which submitted the DNS query? The host with the IP address 192.168.0.35 submitted the request ". 7. What is the IP address of the DNS server? The IP address of the DNS server is 209.18.47.61 #. 8. Based on the information contained in the Packet Details Pane, what protocol is used for DNS queries and what is the destination port? DNS queries use the User Datagram Protocol and send traffic to UDP Port 53 $. 9. What domain name was sought to be resolved? The DNS query was for centralops.net. 10. To what IP address did the domain name resolve? The domain named centralops.net resolved to the IP address 208.101.16.74

198

Digital Forensics Workbook

Activity 22-3: Network Traffic Identification: TCP Three-way Handshake In this activity you will use Wireshark to review the results of a previously recorded TCP Three-way Handshake. Later activities will involve performing packet captures and look at larger packet samples for particular artifacts. Tools: Product: Manufacturer: Web site:

Wireshark Wireshark Foundation https://www.wireshark.org

Instructions: 1. Download the following packet capture from the Digital Forensics Workbook web site: “ThreewayHandshake-Connection.pcapng.” 2. Launch Wireshark. 3. Open the file named “Threeway-Handshake-Connection.pcapng.” The results of the packet capture will appear as shown in Figure 22-7.

Figure 22-7: Packet capture with a TCP Three-way Handshake

199

4. How long did it take for the three packets in the TCP Three-way Handshake to go back and forth between the source and destination? It took 0.06477 seconds for the three seconds to be processed !. 5. What is the IP address of the host that initiated the TCP Three-way Handshake? What is the IP address of the host, which is responding to the Handshake? The IP address of the host, which initiated the Handshake, was 192.168.0.35 ". The IP address of the host responding to the request was 173.192.121.250 #. 6. What was the likely type of server to which the connection was being established? Based on the destination port appearing in the Packet Details Pane, TCP port 80 $, the server is likely a webserver (HTTP). 7. Based on the information in the Packet Details Pane, what flag is set in the first packet of the TTCP Three-way Handshake? The SYN flag is set to 1 %. 8. Based on the information in the Packet List Pane, what are the flags for the second and third packets in the Handshake? The flags for the second packet is SYN and ACK. The flag in the third packet is ACK.

200

Digital Forensics Workbook

Activity 22-4: Network Traffic Analysis: Host Footprinting and File Extractions In this activity you will use Wireshark to review the results of a previously recorded connection between a host and a web server. Tools: Product: Manufacturer: Web site:

Wireshark Wireshark Foundation https://www.wireshark.org

Instructions: 1. Download the following packet capture from the Digital Forensics Workbook web site: “WebsiteVisit.pcapng.” 2. Launch Wireshark. 3. Open the file named “Website-Visit.pcapng.” The results of the packet capture appear in Figure 22-8.

Figure 22-8: Packet capture of a web site visit

201

4. What is the IP address of the visited web site? The IP address of the web site is 184.168.27.206 !. 5. On what port is the web server listening? The server is listening and responding on TCP port 80 ". 6. In the Packet List Pane, right-click on the first packet and from the pull-down menu select “Follow TCP Stream” # as shown in Figure 22-9.

Figure 22-9: Pop-up menu in Packet List Pane

202

Digital Forensics Workbook

7. The results of the “Follow TCP Stream” are shown in Figure 22-10.

Figure 22-10: TCP Stream 8. What is the name of the web site, which was visited? The web site used the name www.tonystenniscamp.com $. 9. Was the connection to the web site successful from the server’s point of view? The web site returned the HTTP status of 200 %, which means the connection was successful. 10. What kind of web platform is being used to host the server? The web site is hosted on a Microsoft IIS, version 7.0, platform &. 11. When was this visited web page last updated by the web author/provider? The web page was last modified on September 5, 2015 at 12:19:52 GMT '. 12. When was this particular web page accessed? The web page was accessed on October 13, 2015 at 16:43:30 GMT (. This time can be used to synchronize the times provided by Wireshark, which lists packets with relative timestamps. 13. Click the “Close” button. 14. Click the “Clear” button to remove the filter, which was automatically applied. 15. In Wireshark’s Packet List Pane, click on packet 7, which has the protocol of HTTP.

203

16. To recover artifacts from the network packet capture, go to the main menu, select “File,” select “Export objects,” and then select “HTTP” ). This is shown in Figure 22-11.

Figure 22-11: Export Objects – HTTP menu 17. After selecting “HTTP,” the list of exportable objects will be presented, as shown in Figure 22-12. Click an object to recover and click the “Save As” button.

Figure 22-12: Exportable HTTP objects 204

Digital Forensics Workbook

Activity 22-5: Network Traffic: Packet Capture In this activity you will use Wireshark to conduct a packet capture. You will review the traffic for various artifacts. Tools: Product: Manufacturer: Web site:

Wireshark Wireshark Foundation https://www.wireshark.org

Instructions: 1. Launch Wireshark. The home screen, which is shown in Figure 22-13, will appear.

Figure 22-13: Wireshark menu 2. To start an immediate network packet capture, click the “Local Area Connection” ! in the list of interfaces and then click the “Start” button ". (On Mac OS, you will be prompted to enter the administrator’s password as Wireshark needs to use administrator’s privileges to access the network interface card in promiscuous mode.) 205

3. In the network packet capture you may notice a lot of “noise” being captured. This may appear in the form ARP requests, network broadcasts, anti-virus software looking for updates, operating systems beaconing out to vendors, etc.,. 4. Click the “Stop” button # to stop the network packet capture. 5. On the main menu, select “Capture” and then select “Options.” The Wireshark Capture Options dialog box will appear as shown in Figure 22-14.

Figure 22-14: Wireshark Capture Options dialog box 6. Using the dialog box, Wireshark can be configured to capture data using filters, thereby weeding out noise at the time of capture. (Note: Some examiners prefer to capture all possible data and apply filters to the file after the fact. This ensures that nothing is missed; however, it may cause a significant administrative burden if the packet capture is going to run for long periods of time and consume significant storage.) Ensure the network interface $ is selected. 7. Add the following “host” filter to restrict the packet capture going to or from a particular IP address. In this example, we will focus on traffic going to the web site centralops.net from the computer. host 46.255.120.01 % 8. In the “File” textbox add a path and name for the packet capture. In this example the packet capture will be written to the file “packet_capture” in C:\Users\admin\Desktop\ &. 9. Wireshark has the ability to split packet captures across multiple files. This can be beneficial for transferring files or storing them on CD/DVD. Additionally, if Wireshark is interrupted or crashes in the middle of a capture, the file capture file may become corrupt. Splitting files can help address this concern. In this example, 640MB ' was chosen so the files would fit on a CD.

206

Digital Forensics Workbook

10. Click the “Start” button to start the capture process. 11. Open a browser on the same computer running Wireshark and browse to http://www.akc.org. 12. After the web page loads, click the stop button on Wireshark to stop the network packet capture. 13. What type of web server is used to host this web site? The web site is hosted on an Apache server (Apache 2.4.6) with CentOS OpenSSL as shown in Figure 22-15.

Figure 22-15: Web server footprint 14. Based on the recovered HTTP objects, what kind of scripts are run on the site? The web site uses Cascading Style Sheets (.css) with JavaScripts (.js) as shown in Figure 22-16.

Figure 22-16: HTTP objects for www.akc.org 207

15. When retrieving data from web traffic it is sometimes helpful to compare the files recovered from the traffic against cached copies of the web site. After recovering the domain name, go to the web site www.viewcached.com. The homepage for the site is shown in Figure 22-17.

Figure 22-17: ViewCached.com web site 16. In the textbox next to “URL” enter the domain http://www.akc.org and click the “Google” button. 17. When the page loads, there will be information displayed at the top of the screen, as shown in Figure 22-18. Based on the information provided, the page was cached by Google on October 16 at 1:25:34 GMT. A cached version of the page was loaded and the actual site was not visited.

Figure 22-18: Web page cached by Google 18. Going back to ViewCached.com and clicking the “Bing” button revealed the page shown in Figure 22-19.

Figure 22-19: Bing search results with cache menu 208

Digital Forensics Workbook

19. Clicking on the pull-down menu next to the domain name revealed the “cached” feature in Bing. The results of the cached page appear in Figure 22-20.

Figure 22-20: Web page cached by Bing 20. Notice that the two search engines, Bing and Google, cached the web page at different times. Using a third-party tool, it would be possible to scrape the cached versions of the site and compare them to each other and the recovered artifacts. 21. Other sites, which could potentially contain archived copies of web sites, include www.archive.org, www.archive-it.org, and www.webcitation.org. Additional Exercises: 1. Download the file named “QuickScan.pcapng” from the Digital Forensics Workbook web site and open it in Wireshark. (Ensure all filters are cleared.) The file is a packet capture of a “Quick Scan” performed by nmap. (The specific scan used was nmap -T4 -F -192.168.17.134). b. How long did it take for the scan to complete? c.

What occurred in packets 16-18? What port is involved?

d. Based on packets 71 to 140, what type of flags are typically seen in network traffic involving this type of scan? 2. Download the file named “unknown.pcapng” from the Digital Forensics Workbook web site and open in Wireshark. (Ensure that all filters are cleared.) e.

What is taking place in this network packet capture?

209

210

Digital Forensics Workbook

23 MOBILE APPS AND DATA With over 6.8 billion mobile devices in use, the odds are fairly high that a forensic examiner will encounter a mobile device, i.e., a phone or tablet, during an investigation. There are many mobile device forensic tools on the market capable of performing logical data extractions, where the contents of native data stores, e.g., address books, call logs, text messages, pictures, and videos are recovered and parsed automatically; however, as mobile devices become more powerful and include a diverse number of apps, it may be necessary to perform a file system or physical analysis. After these acquisitions are performed, the apps, databases, and data files, which are not automatically captured and parsed, can be examined. Mobile apps often store data in SQLite databases or flat files, and in the case of iPhones .plist files are also used. Applications on non-rooted or non-jailbroken devices are sandboxed and contained within their own individual directories. Recovering and analyzing these files can identify app-to-app communication, including activity from malware, as well as activity performed by the user. When conducting examinations of Android applications, there are three primary areas upon which to focus: 1. /Root/system/packages.xml, which contains a list of applications and associated permissions 2. AndroidManifest.xml for the application, which contains the activities, services, broadcast receivers, and content providers that the application is composed of. This file names the classes that implement each of the components and publishes their capabilities (for example, which intent messages the app can handle). These declarations let the Android system know what the components are and under what conditions they can be launched. 3. The application, itself (.apk) When analyzing an iPhone’s apps, the following areas should be examined: 1. private\var\root\Library\Caches\Backup\Manifest.plist, which contains a list of all apps on the device. 2. wireless\Databases\DataUsage.db, which is a database containing tables with the app’s name (bundle name), processes associated to apps, timestamps of usage, and data (in/out) via the WAN. 3. com.\Cache.db, which is a database containing data received from an outside source, e.g., server or Internet.

211

Activity 23-1: Examination of Packages.xml from an Android phone In this activity you will analyze the packages.xml file from a phone to identify apps and their associated permissions. Tools: Product: Manufacturer: Web site:

Internet Browser various various

Instructions: 1. Download the file named “packages.xml.zip” from the Digital Forensics Workbook web site. Extract the file packages.xml from the compressed file and place it on the desktop. 2. Open the file in a browser capable of displaying XML. Figure 23-1 shows the top portion of the XML file.

Figure 23-1: packages.xml file from a Samsung smart phone 212

Digital Forensics Workbook

3. Scroll down through the packages.xml file to the section containing the permissions for com.surpax.ledflashlight.panel. This is shown in Figure 23-2.

Figure 23-2: Permissions for com.surpax.ledflashlight.panel 4. While it is normal for a flashlight program to have access to the camera ! for the purpose of accessing the flash, one might question whether it is normal for a flashlight program to have access to the Internet " and be able to read # and write $ to external storage media. Additional Exercises: a.

Examine the packages.xml file. What are the permissions associated with com.roidapp.photogrid?

b. Examine the packages.xml file. What permissions would an app have if it accessed com.google.android.calendar.uid.shared (user ID 10055)?

213

Activity 23-2: Examination of a SQLite database from a Mobile App In this activity you will use DB Browser for SQLite to analyze a SQLite database retrieved from BBM (BlackBerry Messenger) on an Android phone.. Tools: Product: Manufacturer: Web site:

DB Browser for SQLite Mauricio Piacentini, René Peinthor and Martin Kleusberg http://sqlitebrowser.org

Instructions: 1. Download and install DB Browser for SQLite. 2. Download the compressed file named “SQLiteDB.zip” from the Digital Forensics Workbook web site. Extract the database from the compressed file and place it on your desktop. 3. Launch DB Browser for SQLite. 4. From the main menu of DB Browser for SQLite, select “File” and then select “Open Database.” Navigate to master.db. The file will be displayed as shown in Figure 23-3.

Figure 23-3: List of Tables within master.db 5. Upon opening the file, the tables and their schema will be listed !. Click the tab named “Browse Data” " to view the data contained within the tables.

214

Digital Forensics Workbook

6. Upon clicking the “Browse Data” tab, the window will change to what is shown in Figure 23-4.

Figure 23-4: Browse Data tab for master.db in DB Browser for SQLite 7. Click on the Table pull-down menu # to see the list of tables in the SQLite database. 8. Go down to the table named “File Transfers.” How many files were transferred, what were there names to whom were they sent? In the “File Transfer” table, there are records of two file transfers $ as shown in Figure 23-5. The first file, named 1406832981515.jpg, which was a picture in phone’s camera store, was sent to User ID 10. The second file, named 7ef66178,jpg, was received from the person with user ID 10. (One of the other tables identifies User ID 10.)

Figure 23-5: File Transfer table within Master.db 215

Additional Exercises: c.

Examine the master.db database, specifically the Profile table. What is the BlackBerry PIN for this user?

d. Examine the master.db database, specifically the Text Messages table. When was the text message “Round 3 reply” sent? e.

Examine the master.db database, specifically the Users table. What is the name associated with User ID 10?

216

Digital Forensics Workbook

Activity 23-3: Examination of a .plist file from an iOS device In this activity you will pList Editor Pro to examine the contents of a .plist retrieved from an iOS device during a logical acquisition. Tools: Product: Manufacturer: Web site:

pList Editor Pro VOWSoft, Ltd. http://www.icopybot.com/plist-editor.htm

Instructions: 1. Download and install pList Editor Pro. 2. Download the file named “plist.zip” from the Digital Forensics Workbook web site and extract the contents to your desktop. 3. Launch pList Editor Pro. 4. From the main menu select “File” and then select “Open.” Browse to the com.apple.wifi.plist file on your desktop. 5. Upon opening the file, the results will appear as shown in Figure 23-6.

Figure 23-6: Contents of com.apple.wifi.plist 217

6. Based on a review of the file’s contents, what is contained within this plist file? This file contains a list of all of the wireless access points to which the iOS device connected. 7. Search through the plist file and identify the last time the iOS device connected to the wireless access point associated with Starbucks or Barnes and Noble, i.e., attwifi? The iOS device last connected to attwifi on August 6, 2014 at 12:53:25 Zulu. Additional Exercises: f.

To what network did the iOS device connect on September 14, 2014 at 14:52 Zulu?

g. What type of encryption, if any, is used on the network using the SSID of private?

218

Digital Forensics Workbook

Activity 23-4: Examination of a Suspicious .apk from an Android-based device In this activity you will use dex2jar and jd-gui to analyze a classes.dex file from a malicious .apk. Tools: Product: Manufacturer: Web site:

dex2jar Bob Pan https://github.com/pxb1988/dex2jar

Product: Manufacturer: Web site:

Java Decompiler-GUI (jd-gui) Emmanuel Dupuy http://jd.benow.ca

Warning: In this exercise you will encounter malicious files. While the samples chosen for these exercises are somewhat old, which will certainly be detected by current anti-virus software, care should be taken not to double-click on the files or compromise the integrity of the forensic workstation. Instructions: 1. Disable your anti-virus software. 2. Download dex2jar and extract the contents of the file to your desktop. 3. Download and install Java Decompiler-GUI (jd-gui). 4. Download the file named “container.apk.zip” from the Digital Forensics Workbook web site. 5. Extract the file named com.unknown.apk file from the file named container.apk.zip. 6. Change the extension of com.unknown.apk from .apk to .zip. 7. Extract the classes.dex file from com.unknown.zip file and place classes.dex in the dex2jar directory. 8. Open a command prompt. 9. Navigate to the dex2jar directory. 10. At the prompt type the following command to convert the file named “classes.dex” to a .jar file with the name “output-file.jar”: d2j-dex2jar classes.dex -o output-file.jar 11. Launch jd-gui.

219

12. From within jd-gui select “File: and then select “Open” and browse to output-file.jar. The file will appear as shown in Figure 23-7.

Figure 23-7: .jar version of classes.dex 13. Based on a review of the app, what functionality is taking place near sixth major section of code !? The app is sending SMSs. 14. Use HashCalc to determine the MD5 hash of the .apk file. 15. Go to VirusTotal (http://www.virustotal.com). 16. Click the “Search” tab (not the “Scan It” button). 17. Paste the MD5 hash of the .apk file into the text box and click the “Search It” button. 18. What results were returned? Over half of the anti-virus companies identified this as a Trojan or SMS-sender. 19. Hash the .apk file. Re-enable anti-virus on your workstation. 220

24 ANSWERS Chapter 4: File System Identification a.

For drive2.E01, what is: a. The file system? Ext4 b. On what operating system is this file system likely used? Linux c. The volume ID or serial number? e018ba1739a539b4a941a806e678b8a2 d. The volume label or name? It is blank. e. The sector or inode size? 256 bytes f. The cluster or block size? 4,096 bytes

b.

For drive3.E01, what is: a. The file system? It cannot be determined with this tool, it is actually HFS+. b. On what operating system is this file system likely used? It cannot be determined with this tool, it is Mac OS. c. The volume ID or serial number? It cannot be determined with this tool. d. The volume label or name? It cannot be determined with this tool. e. The sector or inode size? It cannot be determined with this tool. f. The cluster or block size? It cannot be determined with this tool.

c.

For drive4.E01, what is: a. The file system? NTFS b. On what operating system is this file system likely used? Windows XP or greater c. The volume ID or serial number? None 221

d. The volume label or name? None e. The sector size? 512 bytes f. The cluster size? 4,096 bytes d.

For drive5.E01, what is: a. The file system? exFAT b. On what operating system is this file system likely used? This is used on external storage devices due to its compatibility. c. The volume ID or serial number? 9cc1-6dbd d. The volume label or name? None e. The sector size? 512 bytes f. The cluster size? 32,768 bytes

Chapter 5: Mounted Image Files a.

Mount and scan drive1.E01. Was any malware found on the image? drive1.E01 contained no malware.

b.

Mount and scan drive4.01. Was any malware found on the image? drive4.E01 contained no malware.

c.

Mount and scan drive7.E01. Was any malware found on the image? The forensic image drive7.E01 contained a malicious file: C:\Users\mnorton\My Documents\java.exe (The file is a malicious Trojan, which targets Linux-based systems.)

d.

e.

Mount and scan drive9.E01. Was any malware found on the image? The forensic image drive9.E01 contained a malicious file: C:\Users\All Users\util.exe (The file is a malicious Trojan/rootkit, which targets Linux-based systems.) Malware using the name “reallybadstuff” has been seen on various computers. Based on the review of the Autoruns locations, does it exist on this computer? If so, where and how is it persistent? Based on the information recovered from Autoruns scanning, the following Registry key exists: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hahaha. The Registry key calls the file “c:\users\kyle fitzwater\reallybadstuff.exe.” Based on the “Image Path” column, the file still exists within the forensic image.

222

Digital Forensics Workbook

f.

What items are listed under HKEY_Current_User\SOFTWARE\Microsoft\CurrentVersion\Run? One Registry entry is listed: Sidebar, but the file does not exist within the forensic image.

g.

How many Services are set to launch and run through: HKEY_LOCAL_Machine\System\CurrentControlSet\Services? Seventy items are listed within this key.

h.

How many Browser Helper Objects (BHOs) exist on this computer? There is one BHO listed in the Autorun scan: CIESpeechBHO Class

Chapter 6: Recovering Files from Forensic Images a.

How many Microsoft Word documents were recovered? Six Microsoft Word documents were in the My Documents directory of the jsmith profile.

b.

What were the names and sizes of the Microsoft Word documents? The files names and sizes were: Blank.docx – 128,259 bytes DesignSpecs.docx – 117,474 bytes File.docx – 46,107 bytes Proposal.docx – 173,683 bytes Resume.docx – 131,628 bytes

c.

How many executables were recovered? Two executable files were in the Downloads directory of the jsmith profile.

d.

What were the names and sizes of the executables? The file names and sizes were: getmac.exe – 89,600 bytes gpresult.exe – 166,912 bytes

e.

How many Microsoft Excel spreadsheets were recovered? Four Microsoft Excel spreadsheets were on the Desktop of the jsmith profile.

f.

What were the names and sizes of the Excel spreadsheets? The file names and sizes were: Forecasts.xlsx – 36,888 bytes Salaries.xlsx – 38,303 bytes Workbook1.xlsx – 26,526 bytes Workbook2.xlsx – 27,228 bytes

223

Chapter 7: Registry Artifacts a.

What was the IP address assigned to the computer? The computer’s wireless adapter used the IP address 192.168.0.16.

b.

How many USB storage devices were connected to this computer? Based on the USBSTOR Registry keys, 59 USB storage devices were connected to the computer.

c.

When was an iPod first connected to the computer and when was the last update to the Registry key with the serial number of the iPod? The iPod with serial number 000A27001E8CCE94 was first connected to the computer on March 8, 2010 at 2:51:28 UTC. The serial number key was last updated on June 24, 2012 at 2:38:15 UTC.

d.

Search through the NTUSER.dat file. When was the last Adobe Acrobat PDF opened and what was its name? Within NTUSER.dat is Software\Adobe\Acrobat Reader\9.0\AVGeneral\cRecentFiles. The last PDF opened was named Scan0000.pdf and it was opened on September 1, 2015 at 13:29:13 UTC.

e.

Google Update automatically launches and runs on computers using the NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run Registry key. Is Google Update installed on this computer and, if so, from where does the executable run? Google Update is installed on the computer and runs from the following location: C:\Users\Katie\AppData\Local\Google\Update\GoogleUpdate.exe

f.

What were the “Typed Paths” (not “Typed URLs”) found in the NTUSER.dat file and when was the last path entered? There were eight paths listed in the “Typed Paths” Registry key, which was last updated on May 12, 2013 at 18:59:03 UTC. They were: url1 url2 url3 url4 url5 url6 url7 url8

C:\Windows\System32 C:\Users\Katie\AppData\Local\Microsoft\Windows C:\Users\Katie\AppData\Local C:\Windows\Tasks C:\Users\Katie\AppData C:\ C:\ProgramData\Microsoft ftp://tonystenniscamp.com/

Chapter 8: Hashing a.

Which files are exact matches? Based on the hashes File-Hashing-2.jpg and File-Hashing-7.docx are identical; File-Hashing-4.exe and FileHashing-10.docx are identical; File-Hashing-6.txt and File-Hashing-8.pptx are identical. Name: File-Hashing-1.docx MD5: 42f001cc50f831180f8378822e59eead SHA1: 020d23c97e904f2bdb469422ec58579fda1cec7c 224

Digital Forensics Workbook

Name: File-Hashing-2.jpg MD5: 1db3c94e386cc8a3cdd8bfffc084f1fa SHA1: 5acd42296bf7f48b40202d460784caf405e1dfdd Name: File-Hashing-3.db MD5: 7b0fb12e841df99f1949cc17dba1a28f SHA1: c8029e7d09061318b5cca19b3e2aadc5c6ce0138 Name: File-Hashing-4.exe MD5: 16c094b54dd883b3f5d3acce341b72eb SHA1: 94e0a0595a6ffbc3fd3a2ad40304842fefb72e10 Name: File-Hashing-5.gif MD5: 9ff357775b3adf0f1ee5cfa53a6e9759 SHA1: 965f75c897038c27f00545922aabf052ef3ea70f Name: File-Hashing-6.txt MD5: d89af1675e9065dec1c2eee62708c97a SHA1: 4a5ff13a248f85ee9ba5e2c4612860b8728483cd Name: File-Hashing-7.docx MD5: 1db3c94e386cc8a3cdd8bfffc084f1fa SHA1: 5acd42296bf7f48b40202d460784caf405e1dfdd Name: File-Hashing-8.pptx MD5: d89af1675e9065dec1c2eee62708c97a SHA1: 4a5ff13a248f85ee9ba5e2c4612860b8728483cd Name: File-Hashing-9.bmp MD5: 998f0fb0f3b051bb4b281a22cb97f04f SHA1: 9b65d220f437c2a9255113b39e53a035624b7f8b Name: File-Hashing-10.docx MD5: 16c094b54dd883b3f5d3acce341b72eb SHA1: 94e0a0595a6ffbc3fd3a2ad40304842fefb72e10 b.

Which files have the hash 1db3c94e386cc8a3cdd8bfffc084f1fa? Five files have the hash of 1db3c94e386cc8a3cdd8bfffc084f1fa: File-Hashing-2.jpg, FileHashing-7.docx, File-Hashing-2.docx, File-Hashing-2.jpg, and File-Hashing-7.docx !. This is shown in Figure 24-1.

225

Figure 24-1: Files with the hash of 1db3c94e386cc8a3cdd8bfffc084f1fa. c.

Which files have the hash a26337b5c811c0ea3d5f1a228495984a30c7c75f? No files have this hash value. This hash nearly identical to one of the existing hash values, but it is not an exact match.

d.

What files matched the hashes provided? 087f8deebae1d99821b276a9f8b97730 f25849c99f2350455534b43d74e1264f 26ddb1ff59bd0052de9cbafcf4943dcf 18ce1488e14e2b70a8bea174c11db7f6

e.

filea fileb filec filed

– matches Flowers.jpg – no matches – matches IMG_0081.jpg – matches IMG_1025.jpg

How many more files were identified with the new search? 89952c4fb4da949598e6c97bf4acccc6 filee – matches Gecko.jpg

Chapter 9: File Signature Analysis a.

What is the file signature, file type, and file extension associated with File2? File: File2 File signature: D0 CF 11 E0 A1 B1 1A E1 File type: Microsoft Excel Spreadsheet File extension: .xls

226

Digital Forensics Workbook

b.

What is the file signature, file type, and file extension associated with File3? File: File3 File signature: File type: File extension:

c.

What is the file signature, file type, and file extension associated with File4? File: File4 File signature: File type: File extension:

d.

4D 5A Dynamic Link Library .dll

What is the file signature, file type, and file extension associated with File8? File: File8 File signature: File type: File extension:

h.

4D 5A Windows executable .exe

What is the file signature, file type, and file extension associated with File7? File: File7 File signature: File type: File extension:

g.

4C 00 00 00 01 14 02 00 Windows shortcut .lnk

What is the file signature, file type, and file extension associated with File6? File: File6 File signature: File type: File extension:

f.

53 43 43 41 Windows Prefetch file .pf

What is the file signature, file type, and file extension associated with File5? File: File5 File signature: File type: File extension:

e.

25 50 44 46 Adobe Acrobat Portable Document Format .pdf

FF D8 FF E0 xx xx 4A 46 49 46 00 Graphics Files – JPEG .jpg

What is the file signature, file type, and file extension associated with File9? File: File9 File signature: File type: File extension:

89 50 4E 47 0D 0A 1A 0A Portable Network Graphics File .png

227

Chapter 10: File Analysis a.

Who created the PowerPoint presentation? The PowerPoint presentation was last modified on a computer, where PowerPoint had the user name of “Nancy.”

b.

When was the PowerPoint presentation created? The PowerPoint presentation was created on October 8, 2015 at 18:33:33 Zulu.

c.

Who last modified the PowerPoint presentation? The PowerPoint file was last modified on a computer, where PowerPoint had the user name of “Jim.”

d.

When the PowerPoint presentation modified? The PowerPoint presentation was last modified on October 8, 2015 at 19:30:53 zulu

e.

Who created the Excel spreadsheet? The Excel spreadsheet was created on a computer, where Excel had the user name of “Katherine.”

f.

When was the Excel spreadsheet created? The Excel spreadsheet was created on October 8, 2015 at 21:34:00 Zulu.

g.

Who last modified the Excel spreadsheet? The Excel spreadsheet was last modified on a computer, where Excel had the user name of “Kaiser Soze.”

h.

When was the Excel spreadsheet last modified? The Excel spreadsheet was last modified on October 8, 2015 at 21:34:00 Zulu.

i.

When was photo2.jpg taken based on the EXIF data? The picture was taken on August 25, 2011 at 9:27:36AM.

j.

Where was the camera located when photo2.jpg was taken based on the EXIF data? The camera was located at 37° 44’ 48.40”, -119° 35’ 30.60”, which is Yosemite National Park.

k.

Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo2.jpg were manipulated by a third-party tool? No, there are no values in the EXIF data, which suggest file manipulation

l.

When was photo3.jpg taken based on the EXIF data? The picture was taken on October 20, 2013 at 10:43:35.

228

Digital Forensics Workbook

m. Where was the camera located when photo3.jpg was taken based on the EXIF data? The camera was located at 43° 32’ 52.84”, - 79° 39’ 17.72”, which is in Mississauga, Canada. n.

Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo3.jpg were manipulated by a third-party tool? Yes, based on the JFIF_APP14 and Software fields, the photo was manipulated with Adobe Photoshop Lightroom 5 for Windows.

o.

When was photo4.jpg taken based on the EXIF data? The photo was taken on January 14, 2015 at 13:10:38.

p.

Where was the camera located when photo4.jpg was taken based on the EXIF data? There is no GPS information located in the EXIF data.

q.

Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo4.jpg were manipulated by a third-party tool? Based on JIFIF_APP14, the photo was modified with Photoshop.

r.

When was photo5.jpg taken based on the EXIF data? The photo was taken on September 30, 2015 at 11:25:58.

s.

Where was the camera located when photo5.jpg was taken based on the EXIF data? The cameras located at 28° 16’ 23.46”, - 81° 38’ 52.32”, which is in Championsgate, Florida.

t.

Are there any indicators in the EXIF data, which suggest the picture or EXIF data in photo5.jpg were manipulated by a third-party tool? Based on the JFIF_APP14 field the photo was edited with Photoshop.

Chapter 11: Internet History a.

How many of the visited pages, as shown in Figure 11-2, returned server codes other than 200/OK? All three visited pages returned server codes of 200/OK.

b.

Which sites provided redirects associated with moves, either temporary or permanent? Advertisement sites, provided redirects. This included: google.com, youtube.com, doubleclick.net, secure-us.imrworldwide.com, beap-bc.yahoo.com, mediaplex.com, adadvisor.net, dotomi.com, and tags.bluekai.com.

Chapter 12: E-mail Header Analysis a.

From which e-mail account did it originate? The sender of the e-mail was [email protected].

229

b.

What was the public facing IP address of the computer, which signed into Yahoo! to send the e-mail? The IP address was 214.3.138.234.

c.

What is the first e-mail server to receive the e-mail and forward it? The first mail server to receive the e-mail was web162101.mail.bf1.yahoo.com, which was a mail server used by Yahoo! webmail clients.

d.

Who was the sender of the e-mail? The sender of the e-mail was [email protected].

e.

To whom was the e-mail sent? The e-mail was sent to a list serve: [email protected].

f.

What anti-virus mail appliance/product scanned the e-mail? Iron Port with E-Sophos was used to scan the e-mail.

Chapter 13: Prefetch Files a.

How many Prefetch files exist for the Notepad application and what are there names? There are two Prefetch files for notepad.exe. They are: NOTEPAD.EXE-5D4BE236.pf NOTEPAD.EXE-EB1B961A.pf

b.

What conclusion can be drawn based solely on the names of the Prefetch files associated with Notepad? The names of the files contain hashes of the path to the executables. Based on the different hashes, i.e., 5D4BE236 and EB1B961A, the executables were in two different locations.

c.

What is the location of the executable for the various Notepad Prefetch files? One executable was located on a desktop of the admin profile, i.e., C:\Users\admin\Desktop\notepad.exe (for NOTEPAD.EXE-5D4BE236.pf) One executable was located in the default location, i.e., C:\Windows\System32\notepad.exe (for NOTEPAD.EXE-EB1B961A.pf)

d.

When was the last time the Microsoft Management Console was run? MMC.exe was last run on October 7, 2015 at 6:18:24AM.

e.

How many times was the command prompt run? Based on the information in the Run Counter column, CMD.EXE was run 25 times.

f.

Based on the Prefetch files, what is the process path associated with the running of Java? JAVA.EXE was being run from the Autopsy directory, i.e., C:\Program Files\Autopsy-3.1.3\jre\bin\java.exe

230

Digital Forensics Workbook

g.

Which browser was most often used – Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome? Based on the information in the Run Counter column, Google Chrome was used most often. CHROME.EXE was run 59 times. IEXPLORER.EXE was run a total of three times. The 64-bit version was run twice and the 32-bit version was run once. Based on this collection of Prefetch files, Firefox was not run or not installed on the computer.

Chapter 14: Shortcut/Link (.LNK) files and Jump Lists a.

What was the volume name of the external storage connected to the computer under the driver letter F:? The volume name is KATIE.

b.

What was the name of the computer on which the directory “2011-06-01 Mexico” existed? The directory “2011-06-01 Mexico” was a subdirectory in C:\Users\admin\Desktop\photos\ on the computer named PC-Henry.

c.

When was the file named 28.jpg created? Where was it stored? When was it last accessed? The file named 28.jpg was created in C:\Users\Katie\Desktop\TravelPics\ on February 28, 2015 at 8:47:04 PM. It was last accessed one second later at 8:47:05 PM.

d.

Based on the data returned from MiTeC Windows File Analyzer for the shortcut named “Invoice LH1012, PCMA, Cyber Security.link,” what type of file was the target? When was it created? On what type of file system was it stored? The shortcut points to a Microsoft Word document with the extension .docx. which was created on August 31, 2015 at 8:30:22 PM. The path to the target file is F:\, which suggests an external storage device was used to store the file. Based on the Last Accessed timestamp, which only contains a date, this file system was likely a FAT-based file system.

e.

Based on the information returned from JumpLister, when was Remote Desktop, i.e., mstsc.exe, last run? mstsc.exe was run on May 16, 2013 at 12:39:44 AM.

f.

What was the name of the file accessed by Safari? Safari, version 3.2.3, was used to access POKEN.HTM, which was saved on media using G:\.

g.

How many files were accessed by Notepad and what files were accessed by it that were not text, i.e., .txt, files? There are references to 21 files being accessed with Notepad.exe. The following non-text files were accessed: Spike.htm, core.xml, Webpage.htm, M. Heins write up web format.htm, and autorun.inf.

231

h.

The owner of the computer from which these Jump Lists were extracted is in the middle of a copyright infringement law suit. The owner is claiming that her graduate thesis was written before someone else published a nearly identical work on March 14, 2011. Based on the Jump Lists for Microsoft Word, when was the draft thesis saved to media? A pointer to a file named “Draft Thesis.doc” has a creation time stamp of October 9, 2010 at 10:07:17 PM.

Chapter 15: Thumbnail Caches a.

How many pictures were viewed in this directory? There were four cached pictures in the database.

b.

What was the subject of these pictures? The subject of these pictures was the movie Star Wars.

c.

What is the location for photo2.jpg? The path to the photo was C:\Users\admin\Desktop\Trash\Pictures\photo2.jpg

d.

What are the vast majority of cached thumbnails of? The vast majority of cached images were for icons of folders.

e.

What is contained within the thumbnail? The thumbnail image is of a screenshot of FTK Imager.

Chapter 16: Grep Searches a.

Using the data files in logfiles.zip, conduct a Grep search to identify the number of times there was a successful connection to the web site. How many occurrences were there? HTTP status code 200 indicates a successful connection. There were 955 occurrences across six files.

b.

Using the data files in logfiles.zip, conduct a Grep search to identify the number of times users experienced a “File Not Found” error on the web site. How many occurrences were there? HTTP status code 400 indicates a “file not found” error. There were 37 instances across three files.

c.

Write a Grep expression to search for a phone number. Phone numbers can take a variety of formats. Here are three common search strings for phone numbers: xxx-xxx-xxxx [0-9]\{3\}\-[0-9]\{3\}\-[0-9]\{4\} (xxx)xxx-xxxx ([0-9]\{3\})[0-9]\{3\}\-[0-9]\{4\} xxx xxx xxxx [0-9]\{3\}\s[0-9]\{3\}\s[0-9]\{4\}

232

Digital Forensics Workbook

d.

Write a Grep expression to search for a domain name. Domain names may contain lowercase and capitalized letters, numbers, and dashes. The following searches for the format domain.domain type, e.g., name.com, my-name.com, or my-name.info: [a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b

e.

Write a Grep expression to search for an e-mail address. The following search identifies e-mail addresses: \b[a-zA-Z0-9.-._]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b

Chapter 17: File Carving a.

How many files existed on the media? There were nine files on the media.

b.

What were the file types? The following file types were found on the media: One Microsoft Excel spreadsheet One Microsoft Word document Two JPGs One animated GIF Two PDFs One Prefetch file Two executables

c.

What were the files’ sizes? The sizes of the files were: Microsoft Excel spreadsheet: 32,118 bytes Microsoft Word document: 71,810 bytes JPG-1: 262,372 bytes JPG-2: 73,268 bytes Animated GIF: 952,370 bytes PDF-1: 69,648 bytes PDF-2: 150,576 bytes Prefetch file: 17,818 bytes Executable-1: 12,288 bytes Executable-2: 36,864 bytes

d.

How many Portable Executable (PE) headers appeared? Two PE headers were listed under winpe.txt.

e.

How many executables should exist in the media? Given that there were two separate PE headers, there should be two executables.

233

f.

Review the list of entries associated with zip.txt. Based on the information listed in the “Feature File” pane, what files were found? Based on the list of items, it appears that an Excel workbook and Word document were on the media. There did not appear to be any other compressed files.

Chapter 18: Timestamps and Timelines

a.

When did the system event logs start and stop on October 2, 2015? The System event logs started on October 1, 2015 at 1:12:41 AM UTC. The System event logs stopped on October 2, 2015 at 7:02:20 AM UTC.

b. Based on a comparison of these times against the Security log for the same day, which log runs longer? The System and Security event logs appeared to start at the same time; however, the Security event log closed before the System event log closed. The System event log runs longer by a few seconds. (A review of other days shows that the System event log records the system startup and the Security event starts before the Security log.) c.

How many timestamps were recovered? A total of 63 events were identified, when the output file was opened with Microsoft Excel.

Chapter 19: Recovering Passwords a.

What is the password for the account named Administrator? It is empty – no password is associated with the account.

b.

What is the password for the account named Guest? It is empty – no password is associated with the account.

c.

What is the password for the account named HelpAssistant? The password could not be found in this set of rainbow tables.

d.

What is the password for the account named Jim? The password for the account is dummy.

e.

What is the password for the account named test_account? The password could not be found in this set of rainbow tables.

234

Digital Forensics Workbook

Chapter 21: Memory Acquisition and Analysis a.

Name at least three artifacts, which will appear on a target system, when a memory acquisition is performed, where the Memoryze application is run from a USB storage device and the acquisition’s output is on the USB storage device. (You can assume that Memoryze had been installed previously on the USB storage device and that it was not necessary to download and install the application on the target computer.) The USBSTOR Registry key (along with other related Registry keys) will contain a new entry for the USB Storage device. The Windows Event Logs would be updated. A new Windows Prefetch would appear for the Memoryze application

b.

Using Volatility, what is the suggested profile for memory2.img? The suggested profile for memory2.img is WinXPSP2x86 or WinXPSP3x86.

c.

What are the process names for the following running Process IDs found in memory2.img: 1472 and 1888? What is the relationship between the two? 1472 is Explorer and 1888 is Firefox. 1472 is the Process ID, which was used to launch 1888.

d.

What are the names of the DLLs loaded by Process ID 3260? Process ID 3260 is cmd.exe. It has the following DLLs: C:\WINDOWS\system32\ntdll.dll C:\WINDOWS\system32\kernel32.dll C:\WINDOWS\system32\msvcrt.dll C:\WINDOWS\system32\USER32.dll C:\WINDOWS\system32\GDI32.dll C:\WINDOWS\system32\ShimEng.dll C:\WINDOWS\AppPatch\AcGenral.DLL C:\WINDOWS\system32\ADVAPI32.dll C:\WINDOWS\system32\RPCRT4.dll C:\WINDOWS\system32\Secur32.dll C:\WINDOWS\system32\WINMM.dll C:\WINDOWS\system32\ole32.dll C:\WINDOWS\system32\OLEAUT32.dll C:\WINDOWS\system32\MSACM32.dll C:\WINDOWS\system32\VERSION.dll C:\WINDOWS\system32\SHELL32.dll C:\WINDOWS\system32\SHLWAPI.dll C:\WINDOWS\system32\USERENV.dll C:\WINDOWS\system32\UxTheme.dll C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_xww_35d4ce83\comctl32.dll C:\WINDOWS\system32\comctl32.dll C:\WINDOWS\system32\Apphelp.dll

235

e.

Were there any Internet/network connections established in memory2.img? If so, what was the process name was calling them? Yes, there were network connections. Process ID 1888, Firefox, was the associated process. Note: CONNECTIONS was used.

f.

What is the suggested profile for memory3.vmem? The suggested profile is WinXPSP2x86 or WinXPSP3x86.

g.

What are the names of the processes associated with Process IDs 2044 and 936 in memory3.vmem? Process ID 2044 is Internet Explorer (IEXPLORE.EXE) and Process ID 936 is Service Host (svchost.exe).

h.

Were there any Internet/network connections established in memory3.vmem? If so, what were they? There no connections in memory for this computer/virtual machine.

i.

What is the suggested profile for memory4.img? The suggested profile is WinXPSP2x86 or WinXPSP3x86.

j.

Review the list of running processes in memory4.img. Which process is associated with wireless scanning software? (Note: You may need to conduct some Internet searches to assist with finding the answer.) Process ID 2888, which is assigned to NetStumbler.exe, is used for wireless scanning.

Chapter 22: Network Traffic a.

What results were displayed after applying the filter? Applying the filter ip.addr == 192.168.17.134 displayed all packets, where the IP address 192.168.17.134 was in either the Source or Destination column.

b.

How long did it take for the scan to complete? The first 200 packets were transferred in 0.008874 seconds. Packet 206 was completed in 8.88986 seconds.

c.

What occurred in packets 16-18? And what port is involved? A TCP Three-way Handshake occurred for TCP 135, which is opened on the target computer.

d.

Based on packets 71 to 140, what type of flags are typically seen in network traffic involving this type of scan? A SYN is sent from the source and is followed up with a RST, ACK from the destination. These are response to the closed ports on the target.

e.

What is taking place in this network packet capture? The web sites for CNN and Yahoo! were visited. Google’s DNS server, 8.8.8.8, was PINGed.

236

Digital Forensics Workbook

Chapter 23: Mobile Apps and Data a.

Examine the packages.xml file. What are the permissions associated with com.roidapp.photogrid? com.roidapp.photogrid has the following permissions: READ_EXTERNAL_STORAGE, GET_TASKS, BILLING, WRITE_EXTERNAL_STORAGE, INTERNET, VIBRATE, ACCESS_WIFI_STATE, and ACCESS_NETWORK_STATE.

b.

Examine the packages.xml file. What permissions would an app have if it accessed com.google.android.calendar.uid.shared (user ID 10055)? An app would have READ_SYNC_STATS, WRITE_CALENDAR, READ_GSERVICES (for the Google framework), USE_CREDENTIALS, WRITE_SYNC_SETTINGS, INTERNET, READ_SYNC_SETTINGS, SUBSCRIBED_FEEDS_READ, GET_ACCOUNTS, SUBSCRIBED_FEEDS_WRITE, AND GOOGLE_AUTH (for Google Apps).

c.

Examine the master.db database, specifically the Profile table. What is the BlackBerry PIN for this user? The BlackBerry Messenger PIN for this user was 79081225.

d.

Examine the master.db database, specifically the Text Messages table. When was the text message “Round 3 reply” sent? The timestamp for the text message was 1406832884. (This is an Epoch timestamp, which converts to July 31, 2014 at 18:54:44 GMT.

e.

Examine the master.db database, specifically the Users table. What is the name associated with User ID 10? In the table the display name for the user is harry q smith.

f.

To what network did the iOS device connect on September 14, 2014 at 14:52 Zulu? The iOS device connected to the wireless network with the name Ritz-Carlton Wireless.

g.

What type of encryption, if any, is used on the network using the SSID of private? The wireless network using the SSID of private uses WP2 Personal.

237

238

Digital Forensics Workbook

ABOUT THE AUTHOR Michael Robinson is a cyber threat intelligence analyst and senior digital forensic examiner for a large, international corporation. Michael has conducted computer and mobile device forensic investigations for commercial and government agencies. He previously performed computer and cell phone exploitation and analysis for customers in the U.S. Intelligence Community. Additionally, Michael performed computer forensic examinations in the FBI’s Investigative Analysis Unit, where he assisted special agents with counterintelligence and criminal cases. Michael is the former CIO of the U.S. Department of Defense’s Business Transformation Agency, where he oversaw all information technology and information assurance operations for the agency, including overseeing all incident response and forensic investigations. Michael is the Program Coordinator and Adjunct Professor for Stevenson University’s Master of Science in Cyber Forensics. He is the recipient of Stevenson University’s Rose Dawson Award for outstanding adjunct faculty member of the year. He teaches courses in mobile device forensics, intrusion analysis, and cyber warfare. Michael is also an Adjunct Professor in George Mason University’s Master of Science in Computer Forensics. He holds a Bachelor of Science in Chemical Engineering, a Master of Science in Information Assurance, a Master of Science in Forensic Studies (concentrating on computer forensics), and a graduate certificate in Applied Intelligence. Michael has presented at numerous national and international conferences including DEF CON, the DoD and U.S. Cyber Crime Conferences, CEIC, InfoSec World, and the BCISS Conference on Intelligence Analysis. He has authored over a dozen journal articles and a book on disaster recovery planning for nonprofit organizations.

239

240

Digital Forensics Workbook

INDEX Android apps ...........................................211, 219-220 .apk files ...........................................211, 219-220 androidmanifest.xml ...................................... 211 packages.xml ........................................... 211-213 Anti-virus AVG ............................................................. 32, 35 Mounted files .............................................. 35-36 VirusTotal ........................................................ 218 Astro Grep ....................................................... 132-135 Autopsy .................................................... 52-55, 82-86 Autoruns ....................................................... 37, 39-41 Locations .............................................. 31, 37, 41 Browser Helper Object (BHO) .............................. 41 Bulk Extractor .........................................137, 149-151 Carver Recovery......................................137, 147-148 Carving ............................................................. 137-151 classes.dex ................................................................ 218 Cookies ..................................................................... 101 DB Browser for SQLite......................................... 212 dd ................................................................. 12, 20-23 dex2jar ...................................................................... 217 DNS Query...................................................... 197-198 Email headers .......................................................... 107 EnCase ................................................................. 44-51 Epoch Time ............................................................... 65 EXIF data ...................................................... 92, 97-99 ExifREAD ........................................................... 96-99 Expert Witness Format (.E01) ............................... 12 File analysis ................................................................ 91 Microsoft Office ......................................... 93-95 Pictures ......................................................... 97-99 File carving ...................................................... 137-151 File share .................................................................... 22 File signatures ............................................................ 87 File systems ................................................................ 25 Identification ..................................................... 26 Filters Wireshark .........................................194-196, 206 fsstat ............................................................................ 26 Forensic image .................................................... 11, 43 FTK Imager .............................................13, 37, 56-60 FTK Imager Lite ....................................... 11, 184-185 Grep .................................................................. 131-136 Hash Sets ............................................................. 82-86 Hashing ...................................................................... 73

HashCalc ........................................................ 74-77, 80 HashMyFiles......................................................... 78-99 Internet History .............................................. 101-106 Apple Safari ..................................................... 101 Google Chrome ...................................... 101-104 Microsoft Internet Explorer ................. 101, 106 Mozilla Firefox ............................... 101, 105-106 jd-gui ................................................................. 219-220 Jump Lists ........................................................ 119-122 JumpLister ....................................................... 119-122 Kali Linux ................................................................ 164 log2timeline ..................................................... 160-162 Mac OS X ......................................... 25, 101, 217-218 Property List (.plist) files ....................... 217-218 Memory analysis ..................................................... 179 Capture............................................................. 179 Analysis with Volatility .......................... 186-190 Memoryze ........................................................ 180-181 MiTeC Windows File Analyzer ......... 116-118, 157-158 Windows Registry Recovery ...................... 66-68 Mounting forensic images ....................................... 31 Netcat .................................................................... 23-24 Network traffic .............................. 191, 199-200, 209 DNS Query ............................................. 197-198 Network scans ................................................ 209 Ping ........................................................... 192-196 TCP Three-way handshake ................... 199-200 Nirsoft BrowserHistoryView ..................................... 106 ChromeCacheView ................................ 102-103 ChromeHistoryView .............................. 103-104 MozillaCacheView.......................................... 106 MozillaHistoryView ....................................... 105 WinPrefetchView ........................... 112, 154-155 Nmap ........................................................................ 209 NTFS Change ........................................................ 153 Ophcrack ......................................................... 164-171 OSFMount ........................................................... 32-34 Ping ................................................................... 192-196 pList .......................................................................... 217 pList Editor Pro ...................................................... 217 Prefetch files .................................................... 111-113 Recovering files.................................................... 43-60 Autopsy ......................................................... 52-55 241

EnCase ..........................................................44-51 FTK Imager .................................................56-60 Recovering passwords ........................................... 161 RegEdit .................................................................. 8, 62 Registry Files NTUser.dat ......................................... 61, 69 Security ...................................................... 61 Software ......................................... 40-42, 61 System ........................................................ 61 Keys Consent Banner ...................................63-64 ControlSet ................................................. 68 IP addresses .........................................67-68 MRU entries ....................................115, 153 Product information ...........................64-65 Typed Paths .............................................. 72 Typed URLs .............................................. 70 USB storage devices ................................ 71 WriteProtect ................................................ 9 RegRipper .............................................................69-72 Regular Expressions ....................................... 131-136 Shortcuts/Link (.lnk) Files ...................... 91, 115-118 Sleuth Kit, The .......................................................... 26 fsstat ................................................................... 26 SQLite database .............................................. 214-215 Sysinternals ................................................................ 37 TCP Three-way Handshake .......................... 199-200 Timelines .................................................. 153, 158-159 Timestamps ...................................... 65, 125, 153-159 Thumbnail caches ........................................... 123-129 Thumbnailcache.db ........................ 123, 126-129 Thumbs.db .............................................. 123-125 Verification .................................................... 18, 80-81 Volatility ........................................................... 186-190 Volume Block .............................................................27-29 Cluster ...........................................................27-29 ID...................................................................27-29 Name .............................................................27-29 Sector.............................................................27-29 Web site lookups ............................................ 208-209 Archive.org ...................................................... 209 Cached pages........................................... 208-209 Viewcached.com ............................................. 208 Webcitation.org .............................................. 209 Windows Event Logs .................................... 158-159

Windows File Analyzer ................. 116-118, 155-156 Windows Registry Recovery .............................. 66-68 Windows.edb ...................................................126-129 WinHex .......................................................................88 WinPrefetchView ................................... 112, 154-155 Wireshark ..........................................................192-209 Capture .....................................................205-207 File Recovery .................................................. 207 Filters ............................................... 194-196, 206 host........................................................... 206 ip.addr ...................................................... 235 ip.dst......................................................... 195 ip.src ......................................................... 194 TCP Stream ..............................................201-203 Write blockers .............................................................. 9 WriteProtect ......................................................... 9

242