Feb 18, 2020

Course
Lecturer Dr. Eng. Alin PUNCIOIU
Computer crime: collecting and investigating evidence

• What is forensics
• Sources of data and evidence
• Forensically sound evidence acquisition techniques
• Technical investigations
Definition:
Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.

Methodology:
• Acquire the evidence without altering or damaging the original.
• Authenticate that the recovered evidence is the same as the original seized.
• Analyze the data without modifying it.
• Computer systems
• Logical file system
• File system
  – Files, directories and folders, FAT, clusters, partitions, sectors
• Random access memory
• Physical storage media
  – Magnetic force microscopy can be used to recover data from an overwritten area.
• Slack space
  – Space allocated to a file but not actually used, due to internal fragmentation.
• Unallocated space
Wide range of computer crimes and misuses

Non-business environment: evidence collected by federal, state and local authorities for crimes relating to:
• Theft of trade secrets
• Fraud
• Extortion
• Industrial espionage
• Possession of pornography
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Forgery
• Perjury
Computer related crime and violations include a range of activities, including:

Business environment:
• Theft or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
• Reconstructing events
• Inferring intentions
• Selling company bandwidth
• Wrongful dismissal claims
• Sexual harassment
• Software piracy
• Real evidence – physical objects that play a relevant role in the crime
  – Physical HDD or USB
  – Computer – box, keyboard, etc.
• Best evidence – can be produced in court
  – Recovered file
  – Bit-for-bit snapshot of a transaction
• Direct evidence – eyewitness
• Circumstantial evidence – linked with other evidence to draw a conclusion
  – Email signature
  – USB serial number
• Hearsay – second-hand information
  – Text file containing a personal letter
• Business records – routinely generated documentation
  – Contracts and employee policies
  – Logs
• Digital evidence – electronic evidence
  – Emails / IM
  – Logs
• Recover deleted files
• Find out what external devices have been attached and which users accessed them
• Determine what programs ran
• Recover webpages
• Recover emails and the users who read them
• Recover chat logs
• Determine file servers used
• Discover a document's hidden history
• Recover phone records and SMS text messages from mobile devices
• Find malware and the data it collected
Legal procedures
• Not compromising evidence
• Treat every piece of evidence as if it will be used in court
• Documentation
• Chain of custody
• Write blocking
• Imaging
  – Bit-by-bit copy of a piece of electronic media (hard drive)
OSCAR
• Obtain information
• Strategize
• Collect evidence
• Analyze
• Report
Obtain information
• Incident description
• Information regarding incident discovery
• Known persons involved
• Systems and/or data known to be involved
• Actions taken by the organization since discovery
• Potential legal issues
• Working time frame for investigation and resolution
• Specific goals

• Working business model and enforceable policies
• Potential legal issues involved with said business model and policies
• Organizational structure
• Network topology
• Possible network evidence sources
• Incident response management procedures
• Central communication systems (investigator communication and evidence repository)
• Available resources
  – Staff
  – Equipment
  – Funding
  – Time
Strategize
• Understand the goals and time frame for the investigation
• Organize and list resources
• Identify and document evidence sources
• Estimate the value of evidence versus the cost of obtaining it
• Prioritize based on this estimate
• Plan of attack – both for acquisition and analysis
• Set up a schedule for regular communication between investigators
• Remember that this is fluid and will most likely have to be adjusted
Collect evidence
• Document, document, document
• Lawfully capture evidence
• Make cryptographically verifiable copies
• Set up secure storage of collected evidence
• Establish chain of custody
• Analyze copies only
• Use legally obtained, reputable tools
• Document every step
Analyze
• Show correlation with multiple sources of evidence
• Establish a well documented timeline of activities
• Highlight and further investigate events that are potentially more relevant to the incident
• Corroborate all evidence, which may require more evidence gathering
• Reevaluate the initial plan of attack and make needed adjustments
• Make educated interpretations of evidence that lead to a thorough investigation; look for all possible explanations
• Build working theories that can be backed up by the evidence (this is only to ensure a thorough investigation)
• SEPARATE YOUR INTERPRETATIONS FROM THE FACTS
Report
• Every report must be:
  – Understandable by nontechnical people
  – Complete and meticulous
  – Defensible in every detail
  – Completely factual
CHAIN OF CUSTODY

Procedure to establish the chain of custody:
1. Save the original materials.
2. Take photos of physical evidence.
3. Take screenshots of digital evidence content.
4. Document the date, time, and any other information of receipt.
5. Load a bit-for-bit clone of the digital evidence content onto our forensic computers.
6. Perform a hash test analysis to further authenticate the working clone.

Form/report sections:
• Identity of the reporting agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination, including serial number, make, and model
• Identity and signature of the examiner
• Brief description of steps taken during examination, such as string searches, graphics image searches, and recovering erased files
• Results/conclusions
BASICS

• 1 byte holds 8 bits (one character).
• 8 bits can hold 256 distinct values (0 to 255).
• A signed value reserves one bit for the sign, so an n-bit signed integer ranges from -2^(n-1) to 2^(n-1) - 1.
• The Boolean type represents a single bit (0 or 1); useful for flags.
• A string is an "array" of characters with an extra character for null termination (C-style strings).
• Other types exist: int, long, double, float...
ENCODING VS ENCRYPTION

• Encoding – translates a piece of input data into a format more suitable for transport/storage.
• Decoding – translates encoded data back to its original format; the message is the same as before encoding.
• Types:
  o Text encoding: ASCII, UTF-7, UTF-8, UTF-16
  o Binary encoding: base64, base64 compressed
    – Translates binary data to printable ASCII characters
    – Alphabet: A-Z, a-z, 0-9, "+" and ("/" or "-")
    – May use "=" for padding
  o Compression: MPEG2, MPEG4, MP3, H.264
• Encryption
  o Subset of encoding algorithms, with the purpose of hiding a message from unauthorized recipients
  o Symmetric or asymmetric key encryption
ENCODING: ASCII AND UNICODE TEXT

• By utilizing the full capacity of 1 byte it is possible to store any single value between 0 and 255.
• The standard for representing characters is ASCII, which defines codes for 128 characters.
  – ASCII does not cater for languages other than English.
• The Unicode standard provides a unique number for every character, irrespective of the platform, program or language.
  – It implements multiple methods of encoding characters for storage to disk; UTF-8 and UTF-16 are the most common.
  – UTF-8: uses one to four 8-bit values per character (compatible with ASCII).
  – UTF-16: uses one or two 16-bit values (the standard format for the Windows API, Java and .NET environments).

(Figure: ASCII table)
HEX EDITORS

Offset
– In computing, an offset is a distance measured from either the start of a file or the start of a memory region.
– Its value is added to a base address to derive the actual address.

Hex editors
– Programs meant to examine the physical (byte-by-byte) structure of a binary file.
– In forensics, hex editors are used to view stored or deleted data from both files and disk sectors.
HASHING ALGORITHMS

• Hashing is a way to represent a piece of digital data (file, text, hard drive) with a unique numerical value, by applying a mathematical algorithm to the data.
• The value returned is of fixed size and is known as the hash value, hash sum or hash.
• Key aspect of cryptographic hash functions: collision resistance (nobody should be able to find two different input values that result in the same hash output).
• Three common algorithms used in the field of computer forensics: CRC, MD5 and SHA.

Cyclic redundancy check (CRC)
• Error-detecting code used in digital networks and storage devices to detect accidental changes to raw data.
• Forensics use case: sector checking, ensuring a sector's data is good by running a CRC against the data.
• No authentication and easily reversible – weak as a validation hashing tool.
• Discontinued in computer forensics for file verification.
MESSAGE DIGEST 5 (MD5)

• Produces a 128-bit (16 byte) hash value, also known as a message digest.
• Relatively fast and simple implementation.
• Run against a file, partition or entire drive, the result will be a unique 128-bit value.
• Extensive vulnerabilities; weaknesses have been exploited in the field (2012 – Flame malware).
• Still widely used, mostly by security research and antivirus companies.
• Sample MD5:
  7fc56270e7a70fa81a5935b72eacbe29
  7f|c5|62|70|e7|a7|0f|a8|1a|59|35|b7|2e|ac|be|29 (the same value split into its 16 bytes)
SECURE HASH ALGORITHM (SHA)

• SHA-1
  – Newer than MD5 but also slower in terms of computing time.
  – It has a 160-bit message digest (written as a hexadecimal number).
  – "No successful cryptographic attacks exist against it."
  – Other types of attacks are possible; it is slowly being replaced by a subsequent version.
• SHA-2
  – Actually a family of hash functions with digests of 224, 256, 384 or 512 bits.
  – Most popular versions are SHA-256 and SHA-512.
  – Used in authenticating Debian GNU/Linux software packages, secure password hashing in Unix/Linux, verifying Bitcoin transactions, and the DKIM message signing standard.
• SHA-3
  – In 2012, the algorithm Keccak was chosen by the NSA as the next SHA hashing algorithm (SHA-3).
  – Not widely used; basically a backup if SHA-2 becomes compromised.
  – Same sizes as SHA-2 for the resulting hash values: 224, 256, 384 or 512 bits.
FORENSIC USAGE OF HASHING

• Verification – can be used to show that a data object (file, partition, disk image) has not changed during the forensic process.
• File exclusion – hash analysis (value match) can be used to eliminate files (operating system and application program files) from an examination.
• File flagging – a list of hash values for known or sought-out files can be used to search for and identify files of interest on a system (e.g. documents containing proprietary data).
• Clone authentication – a hash of an original device can be compared to a cloned version of that media, in order to confirm that a forensically sound copy was made.
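The four uses above, and the hash test from step 6 of the chain-of-custody procedure, as an added Python example that is not part of the lecture: clone authentication with two digests (MD5 is kept for comparison with older records, but collisions are practical for MD5 and, since 2017, for SHA-1, so SHA-256 is the one that carries weight), hash-based exclusion and flagging, and a hash entry for the chain-of-custody form. The image, file set and hash lists are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB chunks so a whole-disk image is never held in memory at once


def digest(data, algorithm="sha256"):
    """Hex digest of a bytes-like object (file contents, partition, image), processed in chunks."""
    h = hashlib.new(algorithm)
    view = memoryview(data)              # slicing a memoryview does not copy the underlying bytes
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def authenticate_clone(original, clone, algorithms=("md5", "sha256")):
    """Clone authentication (chain-of-custody step 6): the original and the working clone
    must produce identical digests under every algorithm; one mismatch fails the whole check."""
    report = {alg: {"original": digest(original, alg), "clone": digest(clone, alg)}
              for alg in algorithms}
    for alg in algorithms:
        report[alg]["match"] = report[alg]["original"] == report[alg]["clone"]
    report["authenticated"] = all(report[alg]["match"] for alg in algorithms)
    return report


def triage(files, known_good, sought, algorithm="sha256"):
    """File exclusion and file flagging by hash match.
    known_good: digests of OS/application files to exclude; sought: digests of files of interest."""
    verdicts = {}
    for name, content in files.items():
        h = digest(content, algorithm)
        if h in known_good:
            verdicts[name] = "exclude"
        elif h in sought:
            verdicts[name] = "flag"
        else:
            verdicts[name] = "review"
    return verdicts


def custody_entry(evidence_id, description, data, examiner):
    """Hash record for the chain-of-custody form: two digests are stored so that either
    can be recomputed later to show the object did not change during the examination."""
    return {"evidence_id": evidence_id, "description": description, "examiner": examiner,
            "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "md5": digest(data, "md5"), "sha256": digest(data, "sha256")}


# Constructed sample data standing in for a three-sector acquired image and two clones of it.
ORIGINAL_IMAGE = b"\x00" * 512 + b"constructed evidence sector\n".ljust(512, b"\x00") + b"\x00" * 512
WORKING_CLONE = bytes(ORIGINAL_IMAGE)                                  # faithful bit-for-bit copy
TAMPERED_CLONE = (ORIGINAL_IMAGE[:512]                                 # one letter changed in sector 1
                  + b"Constructed evidence sector\n".ljust(512, b"\x00") + ORIGINAL_IMAGE[1024:])

# Constructed file set and hash lists for triage (in practice the hash sets come from a reference
# database of known files and from the case's own list of sought documents).
FILES = {"ntoskrnl.exe": b"constructed operating system file",
         "report.docx": b"constructed proprietary document",
         "unknown.bin": b"constructed unknown content"}
KNOWN_GOOD = {digest(b"constructed operating system file")}
SOUGHT = {digest(b"constructed proprietary document")}

if __name__ == "__main__":
    print(digest(b"A", "md5"))   # the lecture's sample MD5: 7fc56270e7a70fa81a5935b72eacbe29
    print(authenticate_clone(ORIGINAL_IMAGE, WORKING_CLONE)["authenticated"])    # True
    print(authenticate_clone(ORIGINAL_IMAGE, TAMPERED_CLONE)["authenticated"])   # False
    print(triage(FILES, KNOWN_GOOD, SOUGHT))
    print(custody_entry("EV-001", "constructed image", ORIGINAL_IMAGE, "examiner name"))
```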
Lab 1
Practical exercise: HxD and CyberChef
https://mh-nexus.de/en/hxd/
https://gchq.github.io/CyberChef/
https://aesencryption.net/

Forensic acquisition
DATA ACQUISITION TYPES

• Live data acquisition
  – Involves collecting volatile information that resides in registers, cache and RAM.
  – Contamination is harder to control because tools and commands may change file access dates and times, use shared libraries or DLLs, trigger the execution of malicious software, or even force a reboot and lose all volatile data.
  – Types of volatile information:
    o System information: current configuration, current date and time, running processes, open files, clipboard data, etc.
    o Network information: open connections and ports, routing information and configuration, ARP cache.
• Static data acquisition
  – Collecting data that remains unaltered even if the system is powered off.

Based on the resulting image, data acquisition can also be:
• Logical: only active content; does not include deleted data.
• Physical: bit-by-bit image of the device, including deleted data.
EVIDENCE AND FORENSIC BACKUPS

• Evidence: anything that can be presented in support of an assertion.
• Valid evidence means that a forensic examination should involve two critical areas:
  – Use sterile and validated media for backups/clones
    o Overwrite with a known/random hex value in order to eliminate any previous data.
    o Forensically sterile media: use the known character 0x00 to overwrite previous data.
    o Validate by running a checksum-64 hash against the media.
  – Use validated forensic backup practices
• Forensic backups:
  – "Forensic copy": original media copied directly to target media (of the same or larger capacity); any remaining space is overwritten with 0x00. Also called disk-to-disk.
  – "Forensic evidence files": one or more files containing a bit-for-bit copy of the data found on the source media. Also called disk-to-file.
    o Linux dd (data dump) uses .001, .002, etc. file extensions
    o EnCase evidence files use .E01, .E02, etc. file extensions
WRITE-BLOCKING

Hardware

Software
• Relatively reliable only for USB drives
• Simple registry hack for blocking USB ports

Firmware-based
• Write-protect tabs found on flash memory cards and USB drives
• CD-R and DVD-R media and drives
• Mostly used for USB drives
• Not recommended unless other options aren't available
THE IMAGING (CLONING) PROCESS

Software imaging tools
• Through a write-blocking device
  – Must have direct access to the hard drive
  – Needs to be connected to a computer
• Directly from the target system, after booting from an external device

Hard-drive duplicator
• Standalone forensic acquisition
• Reliable and fast (9 GB/min)
• Disk-to-disk or disk-to-file options
• Needs dedicated target hard drives
• Expensive
ORDER OF VOLATILITY (most volatile first)
1. Registers, cache
2. Routing table, ARP cache, process table, memory
3. Temporary file systems
4. Disk
5. Remote logging data
6. Physical configuration, network topology
7. Archival media

Lab 2
Practical exercise: FTK Imager
• In recent years, there has been more concern about loss of personal identity information (PII) and trade secrets caused by computer theft.
• Of particular concern is the theft of laptop computers and other handheld devices.
• To help prevent loss of information, software vendors now provide whole disk encryption.

• Current whole disk encryption tools offer the following features:
  – Preboot authentication
  – Full or partial disk encryption with secure hibernation
  – Advanced encryption algorithms
  – Key management functions

• Whole disk encryption tools encrypt each sector of a drive separately.
• Many of these tools encrypt the drive's boot sector, to prevent any efforts to bypass the secured drive's partition.
• To examine an encrypted drive, decrypt it first:
  – Run a vendor-specific program to decrypt the drive.
  – Many vendors use a bootable CD or USB drive that prompts for a one-time passphrase.

• Microsoft's built-in whole disk encryption (BitLocker) is available in Vista Enterprise/Ultimate, Windows 7 and 8 Professional/Enterprise, and Server 2008 and 2012.
• Hardware and software requirements:
  – A computer capable of running Windows Vista or later
  – The TPM microchip, version 1.2 or newer
  – A computer BIOS compliant with the Trusted Computing Group (TCG)
  – Two NTFS partitions
  – The BIOS configured so that the hard drive boots first, before checking other bootable peripherals

• Some available third-party WDE utilities:
  – PGP Full Disk Encryption
  – Voltage SecureFile
  – Utimaco SafeGuard Easy
  – Jetico BestCrypt Volume Encryption
  – TrueCrypt
• Encrypted Disk Detector (EDD) checks the local physical drives on a system for TrueCrypt, PGP® or BitLocker® encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the volume label for partitions on that drive, checking for BitLocker® volumes.
  – Use: check for encrypted volumes on a computer system during incident response.
• The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug were pulled.

Lab 3
Practical exercise: edd.exe
Part 2
Lecturer Dr. Eng. Alin PUNCIOIU
Computer crime: collecting and investigating evidence
LOGICAL DISK STRUCTURES
Why do we need logical disk structures?

• In every memory storage device, the data is written in the form of a magnetic field or electrical charge that represents an on or off value, which we know as a binary digit or bit.
• In order to make a data storage device usable, some form of order needs to be applied to it, which is referred to as the logical disk structure.
• In order for data to be written to a disk, there are three processes that must be undertaken:
  – Low-level formatting
  – Partitioning
  – High-level formatting
LOGICAL DISK STRUCTURES
Low-level formatting

• Writing data in a circular pattern on a disk generates a problem: locating where the data begins and ends. In order to overcome this problem the track is divided into smaller chunks, known as sectors.
• A sector is the smallest storage unit that is writeable by a hard drive. The most common physical sector size for hard disks is 520 bytes (total), although only 512 bytes are used for storage of data. The remaining eight bytes are used for error checking.
• The process of creating sectors is called low-level formatting and can only be done by the manufacturer.
• An SSD doesn't have physical platters and tracks; its sector structure is created by the manufacturer.
LOGICAL DISK STRUCTURES
Low-level formatting

• Clusters: the smallest unit of disk space that can be allocated to a file, which is why clusters are often called allocation units.
• They consist of one or more consecutive sectors.
• Every file must be allocated an integer number of clusters.
• If a volume uses clusters that contain 4,096 bytes, a 4,000 byte file will use one cluster, or 4,096 bytes on the disk. On the other hand, a 5,000 byte file will use two clusters, or 8,192 bytes on the disk.
• Wasted space is part of the process and is called slack space.
LOGICAL DISK STRUCTURES
Partitioning

• Involves logically dividing the hard disk into a number of pieces, each piece being a partition.
• Partitioning is typically the first step of preparing a newly manufactured disk, before any files or directories have been created.
• The disk stores the information about the partitions' locations and sizes in an area known as the partition table, which the operating system reads before any other part of the disk.
• Each partition then appears in the operating system as a distinct "logical" disk that uses part of the actual disk.
• There are a number of ways to create partitions on a hard disk; this can involve the use of standard tools such as Diskpart within MS Windows or third-party tools such as Partition Magic.
LOGICAL DISK STRUCTURES
High-level formatting

• After low-level formatting is complete, we have a disk with tracks and sectors but nothing written on it.
• High-level formatting is the process of writing the file system structures on the disk, such as the master boot record and the file allocation tables, that let the disk be used for storing programs and data.
• High-level formatting is done after the hard disk has been partitioned, even if only one partition is to be used.
LOGICAL DISK STRUCTURES
Master Boot Record

• Begins in the very first physical sector of the hard drive, usually referred to as PS0 or Physical Sector 0. Typically the MBR will only fill one sector, or 512 bytes of information; the remaining sectors in the track are reserved.
• Due to the increased size of physical hard drives, it is not uncommon to see a single sector containing 1024, 2048 or 4096 bytes.
• The first 446 bytes (0 to 445) are actual program code, the boot code. This code identifies the drive and instructs the system on the structure of the drive.
• The code will vary with the operating system used to set up the MBR. The next 64 bytes consist of the Master Partition Table (four 16-byte entries). The last two bytes of the sector (bytes 510 and 511) are always hexadecimal 55 AA (0x55AA).
• Without an MBR, the computer would stop after the BIOS finished executing because it wouldn't know where to go next to find its instructions about what to load.

• MBR in hexadecimal: (figure)
• The highlighted area represents offsets 446 – 509 (64 bytes) and relates to the Master Partition Table (MPT) entries.
• At the end of the MBR is a 2-byte structure called the Signature Word or End of Sector marker, which should always be set to 0x55AA.
LOGICAL DISK STRUCTURES
Master Partition Table

• The MPT is 64 bytes in length and contains four 16-byte entries. Each striped line in the figure represents a single partition table entry.
• Allows for up to four "primary partitions" on a drive – a primary partition is a partition that can contain the computer's boot files. To overcome the limitation of only having four partitions, a different type of partition is allowed, known as an "extended primary partition".
• There must be at least one primary partition within the MBR, and only primary partitions are bootable (can be used to boot the computer to an operating system). The extended primary partition can then be further split into several smaller portions, thus allowing up to a total of twenty-four partitions, each assigned an alphabetical drive letter (drive letters A and B are reserved for floppy disks).
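An added Python example (not from the lecture) that applies the MBR layout above: 446 bytes of boot code, the four 16-byte MPT entries at offsets 446–509, and the 0x55AA marker at bytes 510–511. The field layout inside a 16-byte entry and the partition type identifiers are standard MBR values not spelled out in the slides; the sample sector itself is constructed.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446               # bytes 0-445: boot code
MPT_OFFSET, ENTRY_SIZE = 446, 16   # bytes 446-509: Master Partition Table, four 16-byte entries
SIGNATURE = b"\x55\xAA"            # bytes 510-511: Signature Word / End of Sector marker
# Layout of one entry (standard MBR format): status (0x80 = active/bootable), CHS start,
#   type identifier, CHS end, LBA of the first sector, number of sectors
ENTRY_FMT = "<B3sB3sII"

# Common partition type identifiers (standard values)
PARTITION_TYPES = {0x05: "extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}
EXTENDED_TYPES = {0x05, 0x0F}


def make_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte entry; CHS fields are zeroed, as modern tools address sectors by LBA only."""
    return struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


# Constructed sample MBR: dummy boot code, an active NTFS primary partition starting at LBA 2048,
# an extended partition holding the logical drives, two unused entries and the 0x55AA marker.
SAMPLE_MBR = (b"\x90" * BOOT_CODE_SIZE
              + make_entry(0x80, 0x07, 2048, 204800)
              + make_entry(0x00, 0x0F, 206848, 409600)
              + make_entry(0, 0, 0, 0) * 2
              + SIGNATURE)


def parse_mbr(sector):
    """Parse Physical Sector 0: check the End of Sector marker, then decode the four MPT entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)} bytes")
    result = {"signature_ok": sector[510:512] == SIGNATURE,
              "boot_code_present": any(sector[:BOOT_CODE_SIZE]),   # all zero in a GPT protective MBR
              "partitions": []}
    for i in range(4):
        off = MPT_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue                                  # unused entry
        result["partitions"].append({
            "index": i,
            "bootable": status == 0x80,
            "type_id": ptype,
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "extended": ptype in EXTENDED_TYPES,
            "lba_start": lba_start,
            "lba_end": lba_start + sectors - 1,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return result


if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print(p)
```

A missing 0x55AA marker or an entry of type 0xEE is the first thing to check on an image before trusting the MPT: the former means the sector is not a valid MBR, the latter that the real layout lives in a GPT.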
LOGICAL DISK STRUCTURES
GPT partitions

• After more than 30 years of supremacy, the BIOS – the PC's "Basic Input Output System" – has been replaced. Taking its place is UEFI.
• UEFI, or Unified Extensible Firmware Interface, is a complete re-engineering of the computer boot environment. While the BIOS is fundamentally a solid piece of firmware, UEFI is a programmable software interface that sits on top of a computer's hardware and firmware.
• UEFI uses a partition system called the GUID Partition Table (GPT). GUID stands for Globally Unique Identifier.
• The GPT partition table can support up to 128 partitions and uses 64-bit LBA addresses (LBA = Logical Block Addressing, where every sector in the drive is given a linear address – the first sector is sector 0 and they are numbered sequentially to the end of the drive).
• The GPT system has the ability to support very large hard drives, which are becoming increasingly available and cheap to purchase.
LOGICAL DISK STRUCTURES
GPT partitions

• As shown in the figure, there are five major parts to a GPT partitioned disk:
  – The protective MBR
  – Primary GUID partition table header
  – GUID partition entries
  – Partition area
  – Backup area
LOGICAL DISK STRUCTURES
GPT partitions

• The protective MBR is located at the very beginning of the disk, Physical Sector 0, and like the previous system it is usually 512 bytes in length. There will be no boot code present in the protective MBR sector.
• The primary GUID Partition Table header will always immediately follow the MBR, in Physical Sector 1. The GPT header always begins with the 8-byte EFI signature string: 0x45 0x46 0x49 0x20 0x50 0x41 0x52 0x54 (ASCII: "EFI PART"). Using the information contained in the GPT header it is possible to determine the layout of the disk, including the location of the partition table, the partition data areas and the backup copies.
• The partition table is usually located starting in Physical Sector 2. Each partition entry is 128 bytes in length and provides much information about the partition.
• GPT backup – one of the advantages of using a GUID partition structure is the additional resilience it provides. Located at the end of the disk is an entire backup of the primary partition entries and the GPT header.
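An added Python example (not from the lecture) that builds a small disk with the five GPT parts listed above and then reads it back the way a forensic tool would: protective MBR check, "EFI PART" signature at LBA 1, header and entry-array CRC32 checks, the 128-byte entries starting at LBA 2, and the backup header at the end of the disk. The header and entry field layouts are the standard GPT ones, not detailed in the slides; the "basic data" type GUID is a well-known value, the disk and partition GUIDs are constructed.

```python
import struct
import uuid
import zlib

SECTOR = 512
EFI_SIGNATURE = b"EFI PART"           # 0x45 0x46 0x49 0x20 0x50 0x41 0x52 0x54
HEADER_FMT = "<8s4sIIIQQQQ16sQIII"   # 92-byte GPT header (standard layout)
ENTRY_FMT = "<16s16sQQQ72s"           # 128-byte entry: type GUID, unique GUID, first/last LBA, attributes, name
N_ENTRIES, ENTRY_SIZE = 128, 128
ENTRIES_SECTORS = N_ENTRIES * ENTRY_SIZE // SECTOR     # the entry array occupies 32 sectors

# Well-known type GUID of a "basic data" partition (standard value); the other two GUIDs are constructed.
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
DISK_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
PART_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")


def build_image(total_sectors=2048):
    """Construct a GPT disk: protective MBR, primary header, entries, partition area, backup entries + header."""
    first_usable = 2 + ENTRIES_SECTORS
    last_usable = total_sectors - ENTRIES_SECTORS - 2
    entry = struct.pack(ENTRY_FMT, BASIC_DATA.bytes_le, PART_GUID.bytes_le, first_usable,
                        first_usable + 999, 0, "Evidence".encode("utf-16-le").ljust(72, b"\x00"))
    entries = entry.ljust(N_ENTRIES * ENTRY_SIZE, b"\x00")

    def header(current_lba, backup_lba, entries_lba):
        fields = [EFI_SIGNATURE, b"\x00\x00\x01\x00", 92, 0, 0, current_lba, backup_lba, first_usable,
                  last_usable, DISK_GUID.bytes_le, entries_lba, N_ENTRIES, ENTRY_SIZE, zlib.crc32(entries)]
        fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))   # header CRC is taken with its own field zeroed
        return struct.pack(HEADER_FMT, *fields).ljust(SECTOR, b"\x00")

    # Protective MBR: no boot code, a single type 0xEE entry covering the disk, 0x55AA marker.
    pmbr = (b"\x00" * 446 + struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff", 1, total_sectors - 1)
            + b"\x00" * 48 + b"\x55\xAA")
    backup_entries_lba = total_sectors - 1 - ENTRIES_SECTORS
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = pmbr
    image[SECTOR:2 * SECTOR] = header(1, total_sectors - 1, 2)
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    image[backup_entries_lba * SECTOR:backup_entries_lba * SECTOR + len(entries)] = entries
    image[(total_sectors - 1) * SECTOR:] = header(total_sectors - 1, 1, backup_entries_lba)
    return bytes(image)


def parse_gpt_header(image, lba):
    """Decode the header at the given LBA, checking the EFI PART signature and the header CRC32."""
    f = struct.unpack(HEADER_FMT, image[lba * SECTOR:lba * SECTOR + 92])
    if f[0] != EFI_SIGNATURE:
        raise ValueError(f"no EFI PART signature at LBA {lba}")
    zeroed = struct.pack(HEADER_FMT, *(f[:3] + (0,) + f[4:]))
    return {"current_lba": f[5], "backup_lba": f[6], "first_usable": f[7], "last_usable": f[8],
            "disk_guid": str(uuid.UUID(bytes_le=f[9])), "entries_lba": f[10], "entry_count": f[11],
            "entry_size": f[12], "entries_crc": f[13], "header_crc_ok": zlib.crc32(zeroed) == f[3]}


def parse_partitions(image, hdr):
    """Walk the entry array the header points to; returns (partitions, entries_crc_ok)."""
    start = hdr["entries_lba"] * SECTOR
    table = image[start:start + hdr["entry_count"] * hdr["entry_size"]]
    parts = []
    for i in range(hdr["entry_count"]):
        raw = table[i * hdr["entry_size"]:i * hdr["entry_size"] + 128]
        type_guid, part_guid, first, last, _attrs, name = struct.unpack(ENTRY_FMT, raw)
        if type_guid == b"\x00" * 16:
            continue                                                # unused entry
        parts.append({"index": i, "type": str(uuid.UUID(bytes_le=type_guid)).upper(),
                      "guid": str(uuid.UUID(bytes_le=part_guid)), "first_lba": first, "last_lba": last,
                      "sectors": last - first + 1, "name": name.decode("utf-16-le").rstrip("\x00")})
    return parts, zlib.crc32(table) == hdr["entries_crc"]


def analyze(image):
    """Layout report: protective MBR check, primary header, partitions, and backup header state."""
    protective = image[446 + 4] == 0xEE and image[510:512] == b"\x55\xAA"
    primary = parse_gpt_header(image, 1)
    parts, entries_ok = parse_partitions(image, primary)
    backup = parse_gpt_header(image, primary["backup_lba"])
    return {"protective_mbr": protective, "primary": primary, "partitions": parts,
            "entries_crc_ok": entries_ok,
            "backup_header_ok": backup["header_crc_ok"] and backup["backup_lba"] == 1}


if __name__ == "__main__":
    report = analyze(build_image())
    print(report["protective_mbr"], report["primary"]["header_crc_ok"], report["entries_crc_ok"])
    for p in report["partitions"]:
        print(p)
```

When the primary header fails its CRC on a real image, the backup header at the last LBA is what the examiner falls back on, which is the resilience the slide refers to.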
File system
• Gives the OS a road map to the data on a disk.
• The type of file system an OS uses determines how data is stored on the disk.
• When you need to access a suspect's computer to acquire or inspect data, you should be familiar with both the computer's OS and its file systems.
NEW TECHNOLOGY FILE SYSTEM
NTFS essentials

• Data structures – when working with NTFS, it can appear that a huge amount of information is all placed together; however, it is actually organized in groups called "data structures".
• Everything is a file – an NTFS formatted partition does not have a reserved system area that is distinguished from a data area. In NTFS, all data is stored as files, including system data. System data are referred to as metadata files. Metadata is loosely defined as "data about data". Metadata files are what actually make up the NTFS file system. They are hidden from users on a live NTFS volume, and are not accessible logically through the file system itself.
• The most important metadata file in an NTFS volume is the Master File Table ($MFT). NTFS uses the $MFT to track and store all information about every file within the volume – including itself. NTFS uses additional metadata to track storage space allocation, security issues, accessibility permissions, journaling and encryption.
NEW TECHNOLOGY FILE SYSTEM
Volume Boot Record

• There are two types of boot records for a partitioned and formatted drive:
  1. The Master Boot Record (MBR) is created when you create the first partition on the hard disk and is probably the most important data structure on the disk. It is located in the zero sector of the physical disk.
  2. The Volume Boot Record (VBR) is always located in the zero sector of the logical volume. The VBR is created during the high-level formatting process of the volume. The VBR of a primary partition will contain the boot code needed to continue the boot process if that partition is set as the active partition.
• It is important to note: removable media do not always have an MBR; in fact, smaller media commonly have only a VBR. In these cases the zero sector of the physical disk is the same as the zero sector of the logical volume.
NEW TECHNOLOGY FILE SYSTEM
Volume Boot Record

• Like all other Microsoft file systems, the first sector of an NTFS formatted volume contains a Volume Boot Record. The VBR is actually a system file called $Boot.
• The $Boot file serves the same purpose as other VBRs, in that it contains vital volume and file system parameters, pointers to file system components and computer boot (bootstrap) code.
• The key entries in $Boot indicate the cluster size, the size of the volume, the location of the Master File Table and the location of the backup copy of the Master File Table.
• The VBR is so important that a second copy is located at the end of the volume.
NEW TECHNOLOGY FILE SYSTEM
Master File Table

• NTFS uses the Master File Table to track every file within the volume. It does this by having (at least) one entry for each file, called a file record, which is given a unique number. The MFT is in essence a relational database table, containing various attributes about different files. It acts as the "starting point" and central management feature of an NTFS volume.
• The first file record listed in $MFT is for the $MFT itself, which describes its location and size on the NTFS volume. Therefore, the $MFT needs to be processed in order to know its own size and location on the disk.
• All files on an NTFS volume, including the root directory, have a record entry in the $MFT describing their size and location in the same manner.
NEW TECHNOLOGY FILE SYSTEM
Master File Table

• The first 16 entries in the Master File Table are metadata files. These metadata files have different roles within NTFS, and are listed within the $MFT in the order shown in the figure.
(Figure: the first 16 $MFT entries)
NEW TECHNOLOGY FILE SYSTEM
File records

• The MFT lists each file in individual entries called file records. Every file record has its own record number, which is used as an identification number for the file that the record refers to. As files are added to the volume, a record for each file is added in sequential order within the $MFT. If a file is deleted, the file record that was used to track that file becomes unused; the $MFT will reuse "deleted" records before creating new records. As a result, "deleted" MFT records can be overwritten very quickly.
• Currently, the length of each record in the $MFT is 1024 bytes. This value is found in the boot sector, and may change with a future revision of NTFS.
• A file record is divided into separate blocks of data that contain information about the file record itself and the file or directory to which that file record points. Information about the file or folder is stored in discrete blocks called "attributes". Each attribute stores a certain type of information about the file.
NEW TECHNOLOGY FILE SYSTEM
File records

• The signature (beginning) of a file record is "FILE", while the end is marked with 0xFF FF FF FF.
• The structure of the Master File Table and the structure of an individual file record could be visualized as in the figure.
(Figure: MFT and file record structure)
NEW TECHNOLOGY FILE SYSTEM
Attributes

• Attributes come in different types and contain different information about the file, or the file content itself. Attributes have their own data structure, which comprises headers and content.
• A visual representation of the internal structure of an attribute is shown in the figure.
(Figure: internal structure of an attribute)

Attribute identifier | Attribute name | Description
10 00 00 00 | $Standard_Information | Contains file permissions, time stamps, security and administrative information.
20 00 00 00 | $Attribute_List | Location of all attributes that do not fit in a single file record entry.
30 00 00 00 | $File_Name | The name of the file.
40 00 00 00 | $Volume_Version | Volume version.
40 00 00 00 | $Object_ID | Contains a Globally Unique Identifier for the file.
50 00 00 00 | $Security_Descriptor | Access control and security properties of the file.
60 00 00 00 | $Volume_Name | Contains the volume label.
70 00 00 00 | $Volume_Information | Contains the NTFS version information.
80 00 00 00 | $Data | The actual file's data.
90 00 00 00 | $Index_Root | List of a directory's child files.
A0 00 00 00 | $Index_Allocation | Points to the location of the index buffers of a large directory.
B0 00 00 00 | $Bitmap | Tracks the allocation status.
C0 00 00 00 | $Symbolic_Link | Soft link information.
D0 00 00 00 | $Reparse_Point | Similar to a soft link.
E0 00 00 00 | $EA_Information | Allows compatibility with HPFS.
00 01 00 00 | $Logged_Utility_Stream | Information and keys for encryption attributes.
Lab 4
Practical exercise:
FTK Imager – Analyze $MFT
MFTECmd
https://ericzimmerman.github.io/#!index.md
File slack
• Any unused space between the end of the logical file and the end of the allocated space is handled in two different ways:
– The space between the end of a file’s content and the end of the sector is padded with zeros (0x00); this is commonly called RAM slack.
– The remaining sectors within the cluster are left untouched – the content in this area belonged to a file that previously used the cluster and has since been deleted. It is commonly called Residual or Drive Slack, and is not part of the current file.
File deletion and recovery
• When a file/directory is created, the following series of steps occurs:
– It is assigned a file record in the $MFT
– The bitmap for the $MFT is changed to show that this record is allocated
– The record header allocation status flag identifies it as an allocated file/directory
– Attributes are written to the $MFT
• When a file/directory is deleted, the following series of steps occurs:
– The record header sequence count is incremented by one
– The record header allocation status flag identifies it as an unallocated file/directory
– The bitmap for the $MFT is changed to show that this file record is unallocated
• The remainder of the file record is left unchanged until the file record is re-used. To recover a single file, it is simply a matter of reversing the deletion steps.
Volume format
• Quick format
– In Windows operating systems, a quick format overwrites the allocated area of the new $MFT, which is determined by cluster size. Previous $MFT records are available for recovery outside the current $MFT. The format process also overwrites the $Boot file, resets the $Bitmap file to show all clusters as unallocated, and leaves the remaining data intact.
• Full format
– A full format overwrites every sector in the volume (instead of just reading every sector) and then re-writes the NTFS metadata files to construct the volume file system.
FIND DELETED FILES USING FTK IMAGER OR WINHEX
SEARCHING FOR INTERESTING FILES (DELETED OR EXISTING ONES)
- From $MFT press CTRL+F to open the Find function.
- Search for common “JPG” or “TXT” files.
- Each $MFT entry starts with a record header (FILE0).
HOW TO RECOVER DATA
• The $DATA attribute starts with 0x80 00 00 00
– From the magic number, search for the binary sequence 80 00 00 00
– The next 4 bytes represent the $DATA length. In this case, the length is 0x48 00 00 00 (72 in decimal)
– The code after 0x48 00 00 00 is 0x01 00
01 00 means existing file; 00 00 means deleted file; 03 00 means existing folder; 04 00 means deleted folder
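The record walk described in the File Records, Attributes and deletion slides above, as an added example (not course material or any tool's code): it checks the FILE signature, applies the update sequence fixups, reads the record header flags, and walks the attribute chain until the 0xFFFFFFFF end marker. The header offsets are the documented NTFS layout; decoding the status flag as bit 0 = in use and bit 1 = directory is my assumption, and the 1024-byte record is constructed in the code rather than read from a volume.

```python
"""Walk an NTFS $MFT FILE record: header flags, attribute chain, $File_Name and $Data."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

END_MARKER = 0xFFFFFFFF  # terminates the attribute list (FF FF FF FF)
ATTR_NAMES = {0x10: "$Standard_Information", 0x30: "$File_Name", 0x80: "$Data"}


@dataclass
class MftRecord:
    record_number: int
    sequence_number: int
    in_use: bool        # header flag bit 0 (assumption: standard NTFS flag bits)
    is_directory: bool  # header flag bit 1
    attributes: List[Tuple[int, int, bool]] = field(default_factory=list)  # (type, length, non-resident)
    file_name: Optional[str] = None
    data_size: Optional[int] = None

    def status(self) -> str:
        kind = "folder" if self.is_directory else "file"
        return ("existing " if self.in_use else "deleted ") + kind


def apply_fixups(rec: bytes) -> bytes:
    """Undo the update sequence array: on disk the last 2 bytes of every 512-byte
    sector hold the USN; the original bytes are kept in the array after the USN."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    buf = bytearray(rec)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if buf[end:end + 2] != usn:
            raise ValueError(f"USN mismatch in sector {i}: torn or corrupt record")
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_mft_record(rec: bytes) -> MftRecord:
    if rec[:4] != b"FILE":
        raise ValueError("missing FILE signature (BAAD or unused record?)")
    seq, _links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    rec_no = struct.unpack_from("<I", rec, 0x2C)[0]
    out = MftRecord(rec_no, seq, bool(flags & 0x1), bool(flags & 0x2))
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)  # type id, total attribute length
        if atype == END_MARKER:
            break
        if alen < 0x18 or off + alen > len(rec):
            raise ValueError(f"bad attribute length {alen} at offset {off:#x}")
        nonres = rec[off + 8] != 0
        out.attributes.append((atype, alen, nonres))
        if not nonres:  # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == 0x30:  # $File_Name: name length byte at 0x40, UTF-16LE name at 0x42
                n = content[0x40]
                out.file_name = content[0x42:0x42 + 2 * n].decode("utf-16-le")
            elif atype == 0x80:
                out.data_size = clen
        off += alen
    return out


def _resident_attr(atype: int, content: bytes) -> bytes:
    """Resident attribute: 0x18-byte header, then content, padded to 8 bytes."""
    total = 0x18 + len(content)
    total += (-total) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content.ljust(total - 0x18, b"\0")


def build_record(rec_no: int, seq: int, flags: int, name: str, data: bytes = b"") -> bytes:
    """Constructed 1024-byte record (sample input, not taken from a real volume)."""
    fname = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")
    body = (_resident_attr(0x10, bytes(0x30)) + _resident_attr(0x30, fname)
            + _resident_attr(0x80, data) + struct.pack("<I", END_MARKER))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags,
                      0x38 + len(body), 1024, 0, 3, 0, rec_no) + bytes(8)
    rec = bytearray((hdr + body).ljust(1024, b"\0"))
    usn = b"\x2a\x00"  # write the update sequence array the way NTFS does
    rec[0x30:0x32] = usn
    for i in (1, 2):
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    r = parse_mft_record(apply_fixups(build_record(41, 7, 0x01, "report.txt", b"hello")))
    print(r.record_number, r.sequence_number, r.status(), r.file_name, r.data_size)
    print([ATTR_NAMES.get(t, hex(t)) for t, _, _ in r.attributes])
```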
Lab 5
Practical exercise:
FTK Imager – Deleted files
File extensions, headers and data carving
FILE EXTENSIONS
• Short abbreviations used by an OS to associate files with compatible applications
• File-application associations can be modified by end-users
• Extensions can be modified by end-users – hard to identify files using just their extension
• DOS Short File Name convention (SFN): 8 characters + “.” + 3 characters
- Used in modern Microsoft OS just as an alternative to long filenames, for compatibility purposes.
• Long Filename (LFN): maximum 255 characters
- Allows for file extensions with 4 or more characters.
- The maximum default file path length (260 characters) needs to be taken into consideration
(Figure: changing a file’s extension; the file is then opened by default with Notepad)
FILE HEADERS (FILE SIGNATURES / MAGIC NUMBER)
• Usually files include several bytes of data that designate their specific file type
• Located at the beginning of the file, this “header” is constant for every type of file
(Figure: example headers of a compressed archive file, an executable file, a JPEG file and a Microsoft Compound Document File (DOC, PPT, XLS))
• Headers are useful when trying to recover data from unallocated space
• Most forensic tools can perform signature analysis of files
• Some files also have footers, that show exactly where the file ends
(Figure: a file with no file header)
DATA CARVING
• Technique to recover files and fragments of files from the unallocated space of a hard disk
• Utilizing the file header, we can determine the exact start of the file.
• Some files also have footers, that show exactly where the file ends.
• Fragmentation can impact the recovery of a file from unallocated space.
(Figure: JPEG file footer, 0xFFD9)
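Signature analysis and header/footer carving as the two slides above describe them, as an added example (not course code or any forensic tool's): the JPEG header and footer bytes are the ones given on the slides, the ZIP, MZ and OLE compound-document signatures are the well-known values I supply here, and the "unallocated space" blob is constructed inline. The carver reports a length only when a footer bounds the file; a fragmented or footer-less file is returned with an unknown length rather than guessed.

```python
"""Header/footer signature analysis and a simple header-footer carver."""
from typing import List, NamedTuple, Optional


class Signature(NamedTuple):
    name: str
    header: bytes
    footer: Optional[bytes]  # None: format has no footer, so carving cannot find the end
    extensions: tuple


SIGNATURES = [
    Signature("JPEG (JFIF)", b"\xFF\xD8\xFF\xE0", b"\xFF\xD9", (".jpg", ".jpeg")),
    Signature("JPEG (EXIF)", b"\xFF\xD8\xFF\xE1", b"\xFF\xD9", (".jpg", ".jpeg")),
    Signature("ZIP archive / OOXML", b"PK\x03\x04", None, (".zip", ".docx", ".xlsx", ".pptx")),
    Signature("Windows executable (MZ)", b"MZ", None, (".exe", ".dll", ".sys")),
    Signature("MS Compound Document", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", None, (".doc", ".xls", ".ppt")),
]


def identify(data: bytes) -> Optional[Signature]:
    """Return the signature whose header the data starts with (longest header wins)."""
    for sig in sorted(SIGNATURES, key=lambda s: -len(s.header)):
        if data.startswith(sig.header):
            return sig
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header says one type but the extension claims another."""
    sig = identify(data)
    if sig is None:
        return False  # unknown header: nothing to compare against
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return ext not in sig.extensions


class Carved(NamedTuple):
    offset: int
    name: str
    length: Optional[int]  # None when no footer was found within max_len


def carve(blob: bytes, max_len: int = 1 << 20) -> List[Carved]:
    """Scan unallocated space for headers; use the footer (if any) to find the end."""
    found: List[Carved] = []
    pos = 0
    while pos < len(blob):
        hit = None
        for sig in SIGNATURES:  # earliest header of any type from the current position
            i = blob.find(sig.header, pos)
            if i != -1 and (hit is None or i < hit[0]):
                hit = (i, sig)
        if hit is None:
            break
        start, sig = hit
        length = None
        if sig.footer:
            end = blob.find(sig.footer, start + len(sig.header), start + max_len)
            if end != -1:
                length = end + len(sig.footer) - start
        found.append(Carved(start, sig.name, length))
        # resume after the carved file, or just past the header when its end is unknown
        pos = start + (length if length else len(sig.header))
    return found


def sample_unallocated() -> bytes:
    """Constructed sample: filler, a complete JFIF JPEG, a ZIP header, an EXIF JPEG without footer."""
    jfif = b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x11" * 40 + b"\xFF\xD9"   # 52 bytes
    zip_hdr = b"PK\x03\x04" + b"\x14\x00" + b"\x22" * 26                  # 32 bytes
    exif_nofooter = b"\xFF\xD8\xFF\xE1\x00\x2AExif\x00\x00" + b"\x33" * 30  # 42 bytes, truncated
    return b"\x00" * 100 + jfif + b"\x00" * 50 + zip_hdr + b"\x00" * 7 + exif_nofooter


if __name__ == "__main__":
    for c in carve(sample_unallocated()):
        print(f"offset {c.offset:#06x}: {c.name}, length {c.length}")
    print(extension_mismatch("holiday.txt", b"\xFF\xD8\xFF\xE1\x00"))
```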
File metadata
Documents
Images
DOCUMENT METADATA – MICROSOFT OFFICE
• Metadata is “data about data”
• Contains ownership information of which users are unaware
• Date/time less volatile than the operating system’s file date/time
• Author: currently logged in user
• Last saved by: registered owner
• Drawbacks:
– Not historical
– It’s hidden in password-protected documents
– Easily altered or removed
(Figure: removing personal information from a document)
DOCUMENT METADATA – ADOBE PDF
• Metadata can include:
– Name of author
– Date of file creation/modification
– Subject and keywords
– Application used to create the file
– Whether the file was created by converting another format to PDF
• Detailed metadata is available by opening the file in Adobe Reader, choosing “File” and then “Properties”
• The date and time in the PDF file are reliable, regardless of the examiner’s time setting on the forensic machine
DOCUMENT METADATA – PDF PROPERTIES
(Figure: PDF document properties dialog showing additional metadata)
IMAGE METADATA
• Image files – still and video – contain metadata
• JPEG/TIFF files usually contain additional information as EXIF (Exchangeable Image File Format)
• EXIF contains date/time, make and model of the camera, artist (device owner) etc.
• Mobile phones can also embed GPS data in image files
• A JPEG file that doesn’t contain EXIF data has a file header of hex characters FF D8 FF E0
• A JPEG file that contains EXIF data has a file header of hex characters FF D8 FF E1
IMAGE METADATA - EXIF
(Figure: EXIF data extracted using IrfanView; EXIF data shown in File Properties)
Compound files
COMPOUND FILES
• Single/split files that contain or appear to contain separate files when opened with the right application
• Canister type:
– Database files: SQLite Database Files (e.g. Skype artifacts)
– .zip compression files
– .pst files holding Microsoft Outlook emails
MICROSOFT OFFICE FILE FORMATS
• Two types of Embedded Files Technology, referred to as OLE (Object Linking and Embedding):
– Compound File Binary Format (pre-Office 2007)
– XML office format: .docx, .pptx, .xlsx file extensions, actually ZIP files
(Figure: embedded multimedia files and text data inside an Office document)
Lab 6
Practical exercise: Autopsy
Windows Artifacts
Windows Artifacts:
• Common Windows folder structures
WINDOWS ARTIFACTS
Common Windows folder structures
• In the Windows Operating System, after the installation is completed, there is a standard set of folder structures and special files created:
– PROGRAM FILES – contains most of the applications installed on the system
– Program Files location:
Folder location            Windows version
C:\Program Files           7, 8, 10
C:\Program Files (x86)     7, 8, 10
C:\Program Data            7, 8
– The Program Files (x86) folder exists only in the 64-bit version of the Windows 7, 8 and 10 operating system environment. Program Files (x86) is the default location for all 32-bit applications.
• User Account Profiles – contains all of the configuration settings and files for each individual user account on a Windows system. This includes settings for all of the application software on the system that are specific to that user account.
• By default, each user who logs on to a Windows system has a user profile. This profile is created when the user logs on for the first time.
– Location:
Folder path                Windows version
C:\Users\%UserName%        7, 8, 10
• Application Data – contains application-specific data
– Location:
Location                       Windows version
C:\Users\%UserName%\AppData    7, 8, 10
• There are three subfolders for AppData: Local, LocalLow and Roaming.
• The Local and LocalLow folders contain application data that does not roam with the user. The LocalLow folder allows applications to install folders and files there when they do not meet the security credentials to run with elevated privileges. These applications generally do not have write privileges to the user’s profile. This addition is part of the new enhanced security model and can help keep unwanted malware programs from installing in the general profile.
• The Roaming folder contains specific data such as custom dictionaries, which are independent of the machine and should roam with the user profile.
Windows Artifacts:
• Registry
Registry
• A database that stores hardware and software configuration information, network connections, user preferences, and setup information
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x systems
– Regedt32 for Windows 2000, XP, and Vista
– Both utilities can be used for Windows 7 and 8
• Registry terminology:
– Registry
– Registry Editor
– HKEY
– Key
– Subkey
– Branch
– Value
– Default value
– Hives
• Information that can be recovered includes:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords
• Root Keys
– HKEY_CLASSES_ROOT (HKCR): contains the information needed so that the correct program opens when a file is executed with Windows Explorer.
– HKEY_CURRENT_USER (HKCU): contains the profile (settings, etc.) of the user that is logged in.
– HKEY_LOCAL_MACHINE (HKLM): contains system-wide hardware settings and configuration information.
– HKEY_USERS (HKU): contains the root of all user profiles that exist on the system.
– HKEY_CURRENT_CONFIG (HKCC): contains information about the hardware profile used by the computer during start-up.
• Sub Keys – these are essentially sub-directories that exist under the Root Keys.
• HKEY_USERS – all loaded user data
• HKEY_CURRENT_USER – currently logged on user (NTUSER.DAT)
• HKEY_LOCAL_MACHINE – array of software and hardware settings
• HKEY_CURRENT_CONFIG – hardware and software settings at startup
• HKEY_CLASSES_ROOT – contains information about which application needs to be used to open files
• A “Most Recently Used List” contains entries made due to specific actions performed by the user. There are numerous MRU list locations throughout various Registry keys.
• These lists are maintained in case the user returns to them in the future. Essentially, their function is similar to how the history and cookies act in a web browser.
• RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista and 7) family of operating systems.
(Figure: RegRipper GUI – which hive file will be analyzed, where to put the report, which plugins file to use)
• Registry key – Information
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName – Computer name
– HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS – BIOS version
– HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 – Processor info
– HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows – Shutdown time
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList – User profiles
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – Startup software
– HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications – Applications on the system
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Nla\Cache\Intranet – Intranet networks connected to
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU – Files opened and commands run on the machine
• Locations checked by Windows at startup for changes:
– HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
– HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
– HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
– HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Lab 7
PRACTICAL EXERCISE: REGRIPPER AND REGISTRY EXPLORER
Collect user access information
Identify the Microsoft Version
Current control set
Computer name
Timezone Information
Last access time
Network interfaces and types
Shares and online caching
System boot AutoStart services
Shutdown information
Ntuser.dat
Recent Documents
Part 3
Lector dr. ing. Alin PUNCIOIU
Computer crime, collecting and investigating evidence
Windows Artifacts:
• Shell Link Files
• User assist
• Shellbags
• System Resource Usage Monitor (SRUM)
• Jump Lists
• Prefetch / Superfetch
WINDOWS ARTIFACTS
Shell Link Files
• A shell link file is commonly referred to as a link file or shortcut. It is a special file that contains “links” or “pointers” to other resources, for example programs, data files and folders.
• During an examination of a Windows system many link files (.lnk) will be found. These files contain very useful information about the target, including:
– File Attributes
– MAC Times
– File Size
– Volume Type
– Volume Serial Number
– Volume Label
– Original File Path
• A useful and free tool for parsing .lnk files is Windows File Analyzer - http://mitec.cz/wfa.html
• The best thing about a link file is that it will often demonstrate a user’s knowledge of a file and his/her interaction with that file.
• A link file’s embedded time becomes very powerful when the examiner can check the MAC times of the target within the file system – any date and time entries that are after those embedded within the link file show that a user has interacted with the file.
• There are many forensic implications relating to the content of these files. The Volume Serial Number can be used to tie a specific thumb drive, USB drive, memory card or other removable media to a specific computer system.
• By default, when a file or document is opened in Windows, a link (.lnk) file is created in the Recent folder.
• Recent items .lnk file creation can be disabled by the user. It can be done for an individual user in their NTUser.dat at:
– Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory with a dword value of 0000 0001
Shellbags
• “Shellbags” is a commonly used term to describe a collection of registry keys that allow the Windows operating system to track user window viewing preferences specific to Windows Explorer. These keys can contain a wealth of information relevant for a forensic investigation and can help paint a clearer picture of user activity on a machine. For example, the following information can be found in Shellbags:
– Window sizes and preferences
– Icon and folder view settings
– Metadata such as MAC timestamps
– Most recently used files and file type (zip, directory, installer)
– Files, folders, zip files, installers that existed at one point on the system (even if deleted)
– Network Shares and folders within the shares
– Metadata associated with any of the above types, which may include timestamps and absolute paths
User assist
• The UserAssist Registry key keeps track of programs executed from the Explorer shell (Desktop), specifically the “GUI” environment the user interacts with. Unlike prefetch files, UserAssist entries can be correlated to a specific user. The UserAssist registry key is at:
– NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
• It is the key used to track file execution and the execution of shortcuts related to executed files. To do this, it uses Globally Unique Identifiers (GUID) within the UserAssist key:
– CEBFF5CD → Executable File Execution
– F4E57C4B → Shortcut File Execution
• The data in the UserAssist key is ROT-13 encoded. ROT-13 is a simple substitution cipher using the standard English alphabet (26 characters), replacing an alphabetical letter with the letter 13 positions away.
– Example: A → Rot-13 → N
• This key is evidence of a user executing a binary through interaction with Explorer.
• Useful information that is contained within this key includes:
– Frequency of program execution
– Key values to distinguish entries
– Evidence of deleted/moved programs
– Name including Path (Rot13)
– Run Counter – how many times the program was run
– Last Run Time
• Here is an example from regedit.exe showing a UserAssist entry, and the ROT-13 decoder.
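Decoding a UserAssist entry as the two slides above describe it, as an added example (not course code or the decoder shown in the slide figure): the value name is ROT-13 decoded, the GUID prefix is matched against the two prefixes the slides list, and the run counter and last-run time are read from the value data. The 72-byte Windows 7+ value layout (run count at offset 4, last-run FILETIME at offset 60) is assumed from published analyses, and the two values below are constructed, not exported from a real hive.

```python
"""Decode a UserAssist registry value: ROT-13 name, GUID prefix, run count, last run."""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple

GUID_MEANING = {  # prefixes as given on the slide
    "CEBFF5CD": "Executable file execution",
    "F4E57C4B": "Shortcut file execution",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns intervals since 1601-01-01 UTC (the same format the IE
    WebCacheV01.dat timestamps use, so no hex round-trip is needed)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601  # integer arithmetic keeps the value exact
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


class UserAssistEntry(NamedTuple):
    path: str
    category: str
    run_count: int
    last_run: datetime


def decode_userassist(value_name: str, data: bytes) -> UserAssistEntry:
    decoded = codecs.decode(value_name, "rot_13")  # ROT-13 is its own inverse
    guid_prefix = decoded[1:9].upper() if decoded.startswith("{") else ""
    category = GUID_MEANING.get(guid_prefix, "unknown GUID")
    path = decoded.split("\\", 1)[1] if "\\" in decoded else decoded
    if len(data) < 68:
        raise ValueError(f"value too short for the Win7+ layout: {len(data)} bytes")
    run_count = struct.unpack_from("<I", data, 4)[0]
    last_ft = struct.unpack_from("<Q", data, 60)[0]
    return UserAssistEntry(path, category, run_count, filetime_to_datetime(last_ft))


def sample_values() -> List[Tuple[str, bytes]]:
    """Constructed sample: value names as stored (ROT-13) with Win7+ binary data."""
    def blob(run_count: int, last_run: datetime) -> bytes:
        # session id, run count, 52 bytes of focus/unused fields, FILETIME, 4 trailing bytes
        return (struct.pack("<II", 0, run_count) + bytes(52)
                + struct.pack("<Q", datetime_to_filetime(last_run)) + bytes(4))
    t1 = datetime(2020, 2, 18, 9, 2, tzinfo=timezone.utc)
    t2 = datetime(2019, 12, 24, 18, 30, tzinfo=timezone.utc)
    return [
        ("{PROSS5PQ-NPR2-4S4S-9178-9926S41749RN}\\Abgrcnq.rkr", blob(12, t1)),    # Notepad.exe
        ("{S4R57P4O-2036-45S0-N9NO-443OPSR33Q9S}\\Pnyphyngbe.yax", blob(3, t2)),  # Calculator.lnk
    ]


if __name__ == "__main__":
    for name, data in sample_values():
        e = decode_userassist(name, data)
        print(f"{e.path:<16} {e.category:<26} runs={e.run_count:<3} last={e.last_run.isoformat()}")
```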
Amcache and Shimcache
• Amcache and Shimcache can provide a timeline of which program was executed and when it was first run and last modified.
• In addition, these artifacts provide program information regarding the file path, size, and hash, depending on the OS version.
– C:\Windows\AppCompat\Programs\Amcache.hve
• To sum up, the information it contains includes: filename, Standard Information Attribute Last Modified date and time, and the SHA1 hash of the file. (https://github.com/keydet89/RegRipper2.8)
• Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which was created by Microsoft (beginning in Windows XP) and is used by the operating system to identify application compatibility issues.
• The cache stores various file metadata depending on the operating system, such as:
– File Full Path
– File Size
– $Standard_Information (SI) Last Modified time
– Shimcache Last Updated time
– Process Execution Flag
• Similar to a log file, the Shimcache also “rolls” data, meaning that the oldest data is replaced by new entries. The amount of data retained varies by operating system.
• The Registry key related to this cache is located at:
– HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache
• Shimcache can be investigated using ShimCacheParser.py, by Mandiant:
– https://github.com/mandiant/ShimCacheParser
System Resource Usage Monitor (SRUM)
• SRUM was first introduced in Windows 8, as a new feature designed to track system resource utilization such as CPU cycles, network activity, power consumption, etc. Analysts can use the data collected by SRUM to paint a picture of a user’s activity, and even correlate that activity with network-related events, data transfers, processes, and more:
– Network Connectivity
– Network Data usage
– Application Resource usage
– Windows push notifications
– Energy usage
• The Registry is a temporary location for holding the data:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
• Data is periodically moved to C:\Windows\System32\sru\SRUDB.dat
Jump Lists
• Windows 7 introduced a new feature called “Jump Lists”, which is essentially a list of every file that has been opened (or attempted to be opened) by a particular application. It’s similar to the “Recent” folder, except that each list only applies to one program. The Jump List feature provides the user with a graphical interface associated with each installed application which lists files that have been previously accessed by that application.
• This artifact often provides significant insight into user activity and can be especially beneficial if entries in the Recent folder have been deleted, or even if the application has been deleted.
• Clearing the items in the Recent folder does not eliminate the Jump List data unless the user first reveals the hidden folders containing the Jump List data and manually deletes them, which is not easy as they are “Super Hidden”.
• There are two main types of Jump Lists:
– Automatic – this Jump List is automatically populated by the system
– Custom – this Jump List is maintained by the individual application
• Jump List data for all applications is stored in the user’s profile path: %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent
• When this folder is viewed with a forensic tool, additional folders appear:
– %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
– %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
• The recent item data from the Jump Lists populates those two folders. Each program has its own file name, referred to as a “Jump List ID”. By examining each file with a text editor, it can be determined which file links correspond to which program’s Jump List entry.
• More Jump List IDs can be found at: http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs
• A useful tool is available for examining “lists”, called JumpListView, and it’s available at: http://www.nirsoft.net/utils/jump_lists_view.html
• JumpListView will display a list of all items in the Jump List, their path, date and time, and the entry number for each item.
Prefetch / Superfetch
• Prefetching speeds up computer performance by bringing the data and code pages of programs used during the boot process and in subsequent program launches into memory from the disk before that data and code is actually demanded.
• The prefetch files that are created as a result of the tracing process are located in the folder %WINDOWS%\Prefetch
• The file’s name is the name of the application to which the trace applies, followed by a dash and the hexadecimal representation of a hash of the file’s path, ending with a .PF file extension
• The prefetch folder will never grow larger than 129 entries
• Looking at the actual content of the .PF file, the name of the executable file being traced is located at offset 10h and is visible in plaintext. The file will also contain the run count, last run date and a list of files used by the application when it loads.
• Superfetch was introduced in Windows Vista. It doesn’t replace prefetch files but adds additional functionality by keeping track of when and how often a program is run. It has more granularity and better algorithms to anticipate what data will be needed.
• In a forensic examination, prefetch files can be used to help determine when an application was last run. This is useful for creating a timeline of events, or when attempting to determine whether a virus or other exploit is active on a computer.
• Examining the files and directories accessed during the launch of an application can be very beneficial because it can reveal hidden directories, point to user accounts or show that an application was accessed from an external storage drive.
RDP CACHE
• When using mstsc.exe, the RDP client on Windows, a cache is stored within the user profile.
• The cache consists of compressed bitmap data that needs to be extracted before it can be viewed.
• The purpose of the cache is to improve performance by storing sections of the screen that change infrequently.
• Location: %localappdata%\microsoft\Terminal Server Client\Cache
• To analyze the files, a few tools can be used:
– https://www.dfir.training/tools/forensic-utilities-windows/rdp-cache/1145-cqrdcache/visit
– https://www.dfir.training/tools/forensic-utilities-windows/rdp-cache/1143-anssi-fr-bmc-tools/visit
Lab 8
PRACTICAL EXERCISE: PROGRAM EXECUTION
Prefetch
Amcache
Srum database
LEcmd.exe
JumpListExplorer
Appcompatcacheparser
UserAssist
MUIcache
Exfil
ShellbagsExplorer
RunMRU
Remote Desktop
Windows Artifacts:
• Event Logs
Event Logs
• Microsoft defines an “event” as any occurrence that is potentially noteworthy either to the user, the operating system or to an application.
• The logs are stored in C:\Windows\system32\winevt\logs
• Event logs have the extension .evtx and utilize the .xml format
• Events are categorized into 2 main classes: Windows Logs and Application and Services Logs
• Windows Logs:
– System: contains records of system processes and device driver activity. Events include such things as device drivers that fail to start or stop properly, hardware failures, duplicate IP addresses and the starting/stopping/pausing of system processes.
– Application: contains log records of events related to the application software installed on the system. The events logged include errors, warnings and any other information an application is designed to report.
– Security: contains the events of the security processes. Some of the security events that can be logged include changes in user privileges, logins and logouts, file and directory access and printer activity.
– The Applications and Services Logs store events from a single application or component rather than events that might have system-wide impact.
– Setup.EVTX – logs events that are related to application setup
– ForwardedEvents.EVTX – stores events collected from remote computers with a created event subscription
• Event logs can be useful in a forensic examination to show that a user may or may not have performed a particular action at a particular time.
• They can be useful for a number of things, from:
– Tracing logs in the case of logging into a restricted network
– Proving the computer was running during a particular time
– Showing time change/time change synchronization events
– USB driver installation
– Wireless connections
• To examine a Windows event log, copy the content of the folder C:\Windows\system32\winevt\logs to the forensic machine. The events can be accessed through the Windows built-in Event Viewer by selecting Action > Open Saved Logs.
• Most common Windows Event IDs
– 4626 An account successfully logged on
– 4625 Account failed to log in
– 4634 Account was logged off
– 4647 User initiated log off
– 4668 An application was initialized
– 4672 Special privileges assigned to new logon
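Triage over exported event XML, as an added example (not course code): it parses the XML form that Event Viewer shows for .evtx records, then flags accounts with a burst of failed logons (4625) and lists the logons that received special privileges (4672), two of the IDs in the list above. The XML shape (System/EventID, TimeCreated, EventData/Data Name=...) is the public event schema; the eight events below are constructed, not taken from a real log.

```python
"""Summarize logon-related events from Windows event XML (Event Viewer's XML view)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


class Event(NamedTuple):
    event_id: int
    time: datetime
    user: str
    logon_type: str
    workstation: str


def parse_events(xml_text: str) -> List[Event]:
    """Parse a document whose root wraps any number of <Event> elements."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        eid = int(sysnode.find("e:EventID", NS).text)
        ts = sysnode.find("e:TimeCreated", NS).get("SystemTime")
        ts = re.sub(r"(\.\d{6})\d+", r"\1", ts).replace("Z", "+00:00")  # 7-digit fractions -> 6
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append(Event(eid, datetime.fromisoformat(ts), data.get("TargetUserName", "-"),
                            data.get("LogonType", "-"), data.get("WorkstationName", "-")))
    return events


def failed_logon_bursts(events: List[Event], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Accounts with >= threshold failed logons (4625) inside any sliding window,
    mapped to the largest burst seen for that account."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.event_id == 4625:
            by_user[ev.user].append(ev.time)
    flagged: Dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged


def privileged_sessions(events: List[Event]) -> List[Tuple[str, str]]:
    """(user, time) for each logon that was assigned special privileges (4672)."""
    return [(ev.user, ev.time.isoformat()) for ev in events if ev.event_id == 4672]


def sample_xml() -> str:
    """Constructed sample: 4 failed logons for 'admin' within seconds, plus unrelated events."""
    def ev(eid: int, ts: str, user: str, ltype: str = "3", ws: str = "WS-01") -> str:
        return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
                f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
                f'<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{ltype}</Data>'
                f'<Data Name="WorkstationName">{ws}</Data></EventData></Event>')
    rows = [ev(4625, f"2020-02-18T09:00:0{i}Z", "admin", "3", "WS-EXT-07") for i in range(4)]
    rows += [ev(4625, "2020-02-18T09:10:00Z", "alice"), ev(4672, "2020-02-18T09:12:00Z", "SYSTEM"),
             ev(4634, "2020-02-18T09:30:00Z", "alice"), ev(4647, "2020-02-18T09:31:00Z", "bob")]
    return "<Events>" + "".join(rows) + "</Events>"


if __name__ == "__main__":
    evs = parse_events(sample_xml())
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("privileged logons:", privileged_sessions(evs))
```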
Lab 9
PRACTICAL EXERCISE: WINDOWS EVENTS
Windows Artifacts:
• Wireless Network History
• Web browser artifacts
• Internet Explorer
• Mozilla Firefox
• Google Chrome
Wireless Network History
• When a Windows operating system is connected to a wireless (WiFi) network, a record is kept in C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces
• There will be a series of sub-folders, one for each interface – the folder name is a GUID and it contains files named %GUID%.xml
• The XML file will include the Service Set Identifier (SSID) of the network it is connected to.
• The file extension *.xml is used by Extensible Markup Language (XML), a markup language that is readable by both humans and computers.
• Testing has shown that a file relating to a previously connected wireless network may be deleted.
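Reading the SSID and security settings out of one of the %GUID%.xml profile files described above, as an added example (not course code): the element names follow the public WLAN profile schema (namespace http://www.microsoft.com/networking/WLAN/profile/v1), and the profile text below is constructed, not copied from a real system.

```python
"""Extract SSID and security settings from a Wlansvc profile XML."""
import xml.etree.ElementTree as ET
from typing import NamedTuple

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


class WlanProfile(NamedTuple):
    name: str
    ssid: str
    connection_mode: str   # "auto" profiles reconnect without user action
    authentication: str
    encryption: str
    key_present: bool      # a stored (DPAPI-protected) key exists in the profile


def parse_wlan_profile(xml_text: str) -> WlanProfile:
    root = ET.fromstring(xml_text)

    def text(path: str, default: str = "") -> str:
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else default

    ssid = text("w:SSIDConfig/w:SSID/w:name")
    if not ssid:  # some profiles carry only the hex form of the SSID
        ssid = bytes.fromhex(text("w:SSIDConfig/w:SSID/w:hex")).decode("utf-8", "replace")
    return WlanProfile(
        name=text("w:name"),
        ssid=ssid,
        connection_mode=text("w:connectionMode"),
        authentication=text("w:MSM/w:security/w:authEncryption/w:authentication"),
        encryption=text("w:MSM/w:security/w:authEncryption/w:encryption"),
        key_present=root.find("w:MSM/w:security/w:sharedKey/w:keyMaterial", NS) is not None,
    )


# Constructed sample profile (key material replaced by a placeholder string).
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CoffeeShop</name>
  <SSIDConfig><SSID><hex>436F6666656553686F70</hex><name>CoffeeShop</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>true</protected>
      <keyMaterial>PLACEHOLDER-DPAPI-BLOB</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""


if __name__ == "__main__":
    print(parse_wlan_profile(SAMPLE_PROFILE))
```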
Alternate Data Streams (ADS)
• Represents a relatively unknown compatibility feature of NTFS and the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.
• The main reason they are so dangerous is that they are not well known, are generally hidden from the user, and there are few security programs that can recognize them.
• From a command prompt, the following is an example of how an ADS is created:
C:\Users\%User%\Desktop>notepad test.txt
C:\Users\%User%\Desktop>notepad test.txt:ads.txt
WEB BROWSERS
• Common features in all browsers:
– “Main” History folder – contains overall Web browser activity like dates, times, sites visited and any searches conducted over the Web
– Cookie history folder – dates and sites visited, login names
– Cache – also known as Temporary Internet History, provides a snapshot of the sites visited (at the time of the last visit)
(Figure: browser share pie chart, Jan-Sep 2016: Chrome 57%, Firefox 14%, IE 12%, Safari 10%, Edge 2%, Other 5%)
(Figure: browser share pie chart, July - Sept 2018: Chrome (all) 67.72, Firefox 5+ 10.96, IE 11.0 5.82, Edge 17 3.37, Safari 11.1 3.2, Other 8.91)
INTERNET EXPLORER – HISTORY LOCATION
• Default History is set to record for 20 days
• Integrated into Windows, it also keeps records for local files accessed (including those on USB/network drives)
• Format and storage location of history files varies depending on the version of the OS and IE used:
• Main History file location for Internet Explorer 9 or earlier:
– Windows XP:
C:\Documents and Settings\User\Local Settings\History\History.IE5
– Windows Vista/7:
C:\Users\User\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\User\AppData\Local\Microsoft\Windows\History\Low\History.IE5
• Main History file location for Internet Explorer 10 or later:
C:\Users\User\AppData\Local\Microsoft\Windows\WebCache directory
INTERNET EXPLORER – “WEBCACHEV01.DAT” HISTORY FILE
• Can be viewed with ESEDatabaseView from the Nirsoft Suite
• The dropdown menu allows you to switch between containers, each with different content
• The timestamps need to be converted from decimal to hexadecimal
• The hex value then needs to be decoded using a tool such as DCode
1386INTERNET EXPLORER – CACHE FILES
1387• Files downloaded by the web browser
1388to display websites
1389• Cached files include html files, CSS
1390style sheets, JavaScript scripts, graphic
1391images etc
1392• Cache files location:
1393 Windows XP:
1394C:\Documents and Settings\User\Local Settings\Content.IE5
1395 Windows Vista/7/8:
1396C:\Users\<User>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
1397C:\Users\<User>\AppData\LocalLow\Microsoft\Windows\AppCache
1398C:\Users\<User>\AppData\Local\Microsoft\Windows\INetCacheIE
1399144
INTERNET EXPLORER – COOKIE FILES
• Small piece of data sent from a website and stored in the user's web browser while the user is browsing.
• Can be used to track data like user preferences, items in a shopping cart, webpages previously visited.
• Data contained: URL of the visited website, date and time stamp, cookie expiration date.
• Location of the Cookie Files:
 Windows XP:
C:\Documents and Settings\User\Cookies
 Windows Vista/7/8:
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\<User>\AppData\Local\Microsoft\Windows\Cookies\Low
145
MOZILLA FIREFOX
• Allows the creation of multiple user profiles on a single Windows logon account
• Each profile has its own folder, bookmarks, stored passwords and history
• Profile configuration is found in “profiles.ini”
• Cache files location:
 Windows Vista/7/8:
\AppData\Local\Mozilla\Firefox\Profiles\<name>.default\Cache
 Windows 10:
\AppData\Local\Mozilla\Firefox\Profiles\<profile>\cache2
• Cookie files location:
 \AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\cookies.sqlite
146
GOOGLE CHROME
• Uses multiple files for storing relevant data
• Most of the files are SQLite databases
• Viewable with: DB Browser for SQLite / NirSoft tools
• History File – also contains data about downloaded files and typed URLs:
C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\History
• Bookmarks File location:
C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
• Cookie File location:
C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Cookies
• Cache Files location:
C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Application Cache
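Querying the Chrome History database from a script, as an added example that is not code from the lecture: the `urls` table here is only the subset of Chrome's schema needed for the query, the rows are constructed, and the converter handles the WebKit epoch (microseconds since 1601-01-01 UTC) that DB Browser for SQLite otherwise shows as large integers.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC, not as Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(*args) -> datetime:
    """Shorthand for an aware UTC datetime: utc(2016, 10, 30, 9, 54, 6)."""
    return datetime(*args, tzinfo=timezone.utc)


def webkit_to_datetime(webkit_us: int) -> datetime:
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse conversion, used to build time-window queries in the DB's own units."""
    return (dt.astimezone(timezone.utc) - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """In-memory DB with the subset of Chrome's `urls` table used here; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url TEXT, title TEXT,
        visit_count INTEGER, typed_count INTEGER,
        last_visit_time INTEGER, hidden INTEGER DEFAULT 0)""")
    rows = [
        ("https://intranet.example.com/", "Intranet", 40, 12,
         datetime_to_webkit(utc(2016, 10, 30, 9, 54, 6))),
        ("https://files.example.net/payroll.zip", "payroll.zip", 1, 0,
         datetime_to_webkit(utc(2016, 10, 30, 10, 2, 0))),
        ("http://198.51.100.7/update.exe", "", 1, 1,
         datetime_to_webkit(utc(2016, 10, 30, 10, 3, 15))),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time)"
        " VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def typed_urls(conn: sqlite3.Connection) -> list:
    """URLs the user typed into the address bar (typed_count > 0), newest first."""
    cur = conn.execute(
        "SELECT url, last_visit_time FROM urls WHERE typed_count > 0"
        " ORDER BY last_visit_time DESC")
    return [(url, webkit_to_datetime(ts).strftime("%Y-%m-%d %H:%M:%S UTC"))
            for url, ts in cur]


def visits_between(conn: sqlite3.Connection, start: datetime, end: datetime) -> list:
    """URLs last visited inside a UTC window; the comparison is done in WebKit units."""
    cur = conn.execute(
        "SELECT url FROM urls WHERE last_visit_time BETWEEN ? AND ?"
        " ORDER BY last_visit_time",
        (datetime_to_webkit(start), datetime_to_webkit(end)))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = build_sample_history()
    for url, when in typed_urls(db):
        print(f"{when}  {url}")
```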
Lab 9
PRACTICAL EXERCISE:
WIRELESS NETWORK HISTORY
WEB BROWSER ARTIFACTS
148
Windows Artifacts:
• RAM Files
149
[Diagram: CPU, Cache, RAM, Virtual Memory, Disk]
Everything in the OS traverses RAM:
• Running processes and the system objects/resources with which they interact.
• Portions of nonvolatile sources of evidence such as the registry, event log, and Master File Table.
• Active network connections
• Malware
• Remnants of previously executed console commands.
• Open files
• Loaded drivers
• Encryption keys and clear-text data that is otherwise encrypted on disk.
• User credentials (hashed, obfuscated, clear text)
• Important data structures within the kernel that provide insight into process accounting, behavior, and execution.
MEMORY FORENSICS - WHY?
150
• Best place to identify malicious software activity
 Study running system
 Identify inconsistencies in system
 Bypass packers, binary obfuscations, rootkits.
• Analyze recent activity on the system
 Identify all recent activity in context
 Profile user or attacker activities
• Collect evidence that cannot be found anywhere else
 Memory-only malware
 Chat threads
 Internet activities
MEMORY FORENSICS ADVANTAGES
151
• Study of data captured from memory of a target system
• Ideal analysis includes physical memory data (from RAM) as well as Page File (or SWAP space) data
Acquire: Capture Raw Memory; Hibernation File
Context: Establish Context; Find Key Memory Offsets
Analyze: Analyze Data For Significant Elements; Recover Evidence
WHAT IS MEMORY FORENSICS?
152
1. Identify Context
• the Kernel Processor Control Region (KPCR) or Kernel Debugger Data Block (KDBG)
2. Parse Memory Structures
• Executive Process (EPROCESS) blocks
• Process Environment Block (PEB)
• DLLs loaded
• Virtual Address Descriptors (VAD) Tree
• List of memory sections belonging to the process
• Kernel modules / drivers
3. Scan for Outliers
4. Analysis: search for anomalies
• Unlinked processes, DLLs, sockets and threads
• Unmapped memory pages with execute privileges
• Hook detection
• Known heuristics and Signatures
WINDOWS MEMORY ANALYSIS
153
• Random Access Memory (RAM) is volatile (data not retained when power is removed), high speed memory
that is used by a computer system to store data that is currently in use.
• RAM is allocated in blocks, called pages, which are typically 4096 bytes.
• The operating system manages the RAM and allocates the RAM pages to itself, to running programs, and to
files that are currently in use.
• Windows uses special files on the hard disk for managing RAM, called virtual memory. This virtual memory
is used to enhance performance, by making the RAM appear larger or by speeding up the shut-down/startup
process.
• For obtaining the RAM of a Virtual Machine, a file with the “vmem” extension resides in the VM folder.
WINDOWS ARTIFACTS
RAM Files
154
• Windows uses a pagefile file(s) to hold parts of programs and data that do not fit in memory
• The operating system moves data from the pagefile to memory as needed and moves data out of memory to
the pagefile to make room for new data. On Windows 7 – 10 systems it is named pagefile.sys
• By default pagefile.sys is created in the root folder of the drive that holds the Windows system files.
• Although the content is not formatted for easy reading, passwords, graphics, text files, file names, URLs and
other valuable information are often found within this file.
WINDOWS ARTIFACTS
RAM Files: Pagefile
155
• In Windows 8 – 10, Microsoft utilizes two swap files, Pagefile.sys and Swapfile.sys, to handle the operating
system demand on the RAM.
• According to Microsoft, the Pagefile is utilized for RAM, and the Swapfile is utilized for swapped-out
applications.
• The pagefile is potentially a good location to find data that the user does not know is still on the disk.
• When the system is shut down, the paging file remains intact. However, the Registry key below can be set to 1,
in which case Windows will fill inactive pages in the paging file with zeros whenever you shut down the system:
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
WINDOWS ARTIFACTS
RAM Files: Pagefile
156
• Hibernation is a power mode that allows the computer to shut down, but retain its current state.
• All open programs are retained by saving the content of the Random Access Memory to the hard disk drive, in
C:\Hiberfil.sys.
• When the computer is powered back on, all files and open programs are resumed automatically in the same
state as when the computer was shut down.
• Just like RAM and swapfiles, Hiberfil.sys will often contain files or parts of files that the user has been working
on, even if the user didn’t save those files to the internal hard drive.
WINDOWS ARTIFACTS
RAM Files: Hiberfil.sys
157
• Analyzing RAM Files
– A RAM file can be analyzed the same as a RAM dump. They both contain live data which can include unencrypted passwords and
running program data. The latter is very important when investigating a computer that may be infected by a virus or other exploit.
– RAM analysis requires specialized tools to be done effectively
Some RAM analysis tools:
- strings.exe: command line utility for extracting Unicode and/or ASCII strings, which may include plaintext passwords
- Bulk extractor: simple GUI program. Like strings, it will get ASCII and Unicode strings, but also refine the results into credit cards,
e-mail, MAC addresses, Uniform Resource Locators (URL) and telephone numbers
- SIFT Workstation: an advanced and completely virtual-machine based forensic investigation tool, with powerful utilities for RAM
analysis. It must be run in VMware and is predominantly command line based (for RAM)
WINDOWS ARTIFACTS
RAM Files
158
BULK EXTRACTOR
Lab 10
PRACTICAL EXERCISE:
BULK EXTRACTOR
160
• DLL injection is very common with modern malware
 VirtualAllocEx() and CreateRemoteThread()
 SetWindowsHookEx()
• Process hollowing is another injection technique
 Malware starts a new instance of a legitimate process
 Original process code is de-allocated and replaced
 Retains DLLs, handles, data, etc. from the original process
• Code injection is relatively easy to detect
 Review memory sections marked as PAGE_EXECUTE_READWRITE and having no memory-mapped file present
 Scan for DLLs (PE files) and shellcode
• Process image not backed with file on disk = process hollowing
DETECTING INJECTION
161
Scheduled tasks
Service Replacement
Service Creation
Auto-Start Registry Keys
DLL Search Order Hijacking
Trojaned Legitimate System Libraries
More Advanced – Local Group Policy, MS Office Add-In, or BIOS Flashing
MALWARE PERSISTENCE MECHANISMS
162
• You can find:
 IP Addresses/Domain Names
 Malware file names
 Usernames
 Email addresses
• Step 1: Create ASCII and Unicode strings files
srch_strings -t d -a memory.img > memory.asc
srch_strings -t d -a -e l memory.img > memory.uni
• Step 2: Search for indicators
grep -i string memory.asc
RAPID MEMORY SEARCH
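Steps 1 and 2 above in one script, as an added example that is not from the lecture or from the SIFT tools: it pulls ASCII and UTF-16LE strings with decimal offsets (what `srch_strings -t d -a` and `-e l` produce) out of a constructed memory buffer, then runs the indicator search over them instead of a plain grep for one string.

```python
import re
from dataclasses import dataclass

MIN_LEN = 4  # same default minimum run length as strings(1)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: every printable ASCII code unit is followed by a 0x00 high byte.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

INDICATORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|xyz)\b", re.I),
    "exe_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+\.(?:exe|dll|bat|ps1)", re.I),
}


@dataclass
class Hit:
    offset: int     # decimal byte offset in the image, like `strings -t d`
    encoding: str   # "ascii" or "utf-16le"
    text: str


def extract_strings(image: bytes) -> list:
    """Step 1: printable runs in both encodings, each with its offset, sorted by offset."""
    hits = [Hit(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(image)]
    hits += [Hit(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in UTF16LE_RUN.finditer(image)]
    return sorted(hits, key=lambda h: h.offset)


def search_indicators(hits: list) -> dict:
    """Step 2: the grep stage, one pass per indicator class, keeping the offset."""
    found = {kind: [] for kind in INDICATORS}
    for hit in hits:
        for kind, rx in INDICATORS.items():
            for m in rx.finditer(hit.text):
                found[kind].append((hit.offset, m.group()))
    return found


def build_sample_image() -> bytes:
    """Constructed 'memory' with ASCII and UTF-16LE artefacts separated by non-printable junk."""
    junk = bytes([0x00, 0x01, 0xff, 0x7f, 0x80, 0x00])
    return (junk
            + b"connect 198.51.100.23:4444"                      # ASCII C2 endpoint
            + junk
            + "C:\\Users\\Public\\svch0st.exe".encode("utf-16-le")  # wide-char path
            + junk
            + b"From: billing@mail.example.net"                 # ASCII mail fragment
            + junk
            + "update.example-cdn.com".encode("utf-16-le")      # wide-char domain
            + junk)


if __name__ == "__main__":
    results = search_indicators(extract_strings(build_sample_image()))
    for kind, items in results.items():
        for offset, value in items:
            print(f"{offset:>10}  {kind:<8}  {value}")
```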
Memory analysis with Redline
Memory analysis with Volatility
Memory Analysis – b. concepts
164 Mandiant Redline - overview
• GUI tool for memory analysis
 Processes
 Handles
 Network Connections
 Memory Sections
 Hooks and drivers
• Built-in heuristics for suspicious processes and code
• Live memory analysis and live response capability
• IoC matching
• File whitelisting
165 Mandiant Redline – getting started
Start screen options: Load Saved Redline Session / Load memory image / Create Live Response Portable Agent
166 Mandiant Redline – Building a portable agent
Lab 11
PRACTICAL EXERCISE:
MANDIANT REDLINE
168 Volatility framework overview
• Volatility is one of the best frameworks for analysing memory images
• It is command-line based and written completely in Python
• Has a lot of plugins: malfind, apihooks, orphanthreads, etc.
• Supports:
169 Volatility Plugins (examples)
Volatility plugins
apihooks       Find API hooks
connections    Print list of open connections
dlllist        Print list of loaded DLLs for each process
pslist         Print all running processes by following the EPROCESS lists
dlldump        Dump a DLL from a process address space
orphanthreads  Locate hidden threads
files          Print list of open files for each process
mutantscan     Scan for mutant objects (KMUTANT)
getsids        Print the SIDs owning each process
pstree         Print process list as a tree
malfind        Find hidden and injected code
procexedump    Dump a process to an executable file sample
procmemdump    Dump a process to an executable memory sample
sockets        Print list of open sockets
Complete list: https://code.google.com/p/volatility/wiki/Plugins
170 How to use volatility (Help!)
• The -h flag gives configuration information in Volatility
- Used alone it identifies the version, currently loaded plugins, and common parameters
• Use -h with a plugin to get details and plugin-specific usage
171 How to use volatility (2)
• vol.py -f [image] [plugin] --profile=[PROFILE]
• You can set an environment variable to replace -f [image]:
export VOLATILITY_LOCATION=file://<file path>
vol.py pslist --profile=[PROFILE]
172 Image identification
• imageinfo
 Recover metadata from a memory image
 vol.py -f memory.img imageinfo
173 Hibernation File Conversion
imagecopy
Purpose
• Convert crash dumps and hibernation files to raw memory images
Important Parameters
• Output file name (-O)
• Make sure to provide the correct image OS via (--profile=).
Investigative Notes
• Uncompress Windows hibernation files
• Convert crashdump files to raw images
• Live firewire session data can also be converted
174 Identify rogue processes
pslist
Purpose
• Print all running processes by following the EPROCESS linked list
Important Parameters
• Show information for specific process IDs (-p)
Investigative Notes
• Provides the binary name (Name), parent process (PPID), and time started (Time)
• Thread (Thds) and Handle (Hnds) counts can be reviewed for anomalies
• Rootkits can unlink malicious processes from the linked list, rendering them invisible to this tool
175 Identify suspect processes
psscan
• Scan physical memory for EPROCESS pool allocations
• Hidden processes may be identified
• Identify processes no longer running
pslist did not find the dllhost.exe process; psscan found it, most likely because it was terminated but still
lingering in unallocated memory space.
176 Analyzing Process Objects
dlllist
• Display the loaded DLLs and the command line used to start each process
• Show information for specific process IDs
• The command line displayed for the process provides full path information of where the executable was
located and what parameters were used to load it
• The base offset provided can be used to extract a specific DLL with dlldump.
During our memory analysis with Redline we identified a suspicious process named winppr32.exe. Now we can
obtain more information about that process.
177 Analyzing Process Objects
getsids
• Display security identifiers (SIDs) for each process
• Can be useful to determine how a process was spawned and with what permissions.
The suspicious process has 2 user SIDs associated with it and this tells us that the process was likely spawned
from a user context and hence is unlikely to be a true system process.
178 Analyzing Process Objects
malfind
• Scans process memory sections looking for indications of code injection and extracts them for further analysis.
• You may see multiple injected sections within the same process
• Dumped sections can be reverse engineered or sent to A/V
Six injected sections in this memory image
179 Rootkit Detection
psxview
• Performs a cross-view analysis using six different process listing plugins to visually identify hidden processes.
• It is important to know the output differences between each source:
• An entry not found by pslist is often a hidden process
• Processes terminated may only show in the psscan column
Lab 12
PRACTICAL EXERCISE:
VOLATILITY
181
Part 4
182
E-mail artifacts
Protocols and format
Microsoft Outlook
Webmail Analysis
183
 A method of exchanging digital messages from an author to one or more recipients.
 E-mail is defined by the following standards:
 RFC 5321 - Envelope - computer-to-computer transmission protocol for e-mail
 RFC 5322 - Header and Body - covers the format of e-mail messages
Envelope (P1 header) + Message Headers (P2 header) + Message Body = E-mail
184
 The P1 header is used to route a message, and it is not displayed as part of the message. It contains values in
the MAIL FROM and RCPT TO commands of the SMTP connection:
 MAIL FROM: bob@domain1.com
 RCPT TO: john@domain2.com
 The P2 header is what you see when you open a message in your e-mail client.
 FROM: bob@domain1.com
 TO: john@domain2.com
185
MX record
A mail exchanger record (MX record) is a type of resource record in the Domain Name System (DNS) that specifies
the mail server responsible for accepting email messages on behalf of a recipient's domain.
186
Type – Description
Spear Phishing – Spear phishing is a form of phishing that targets a specific user or group.
Whaling – Whaling is a variant of phishing that targets senior or high-level executives such as CEOs and presidents
within a company.
Vishing – Vishing is a variant of phishing that uses the phone system or VoIP. (if reported to the mailbox)
Pharming – The victim gets redirected to a seemingly legitimate, yet fake, website. In this type of attack, the attacker
carries out a DNS poisoning attack, in which a DNS server resolves a hostname into an incorrect IP address.
Regular – None of the above.
187
MALICIOUS CHARACTERS OF PHISHING E-MAILS
Malicious character – Description
Credential Harvester – Harvests victims' personal information using crafted web pages that fake legitimate sites.
Nigerian scam – Strangers sharing large amounts of money.
CEO fraud – Impersonating executives to trick employees.
Virus – Small application, or string of code, that infects software. (all the variants: macro virus, stealth virus,
polymorphic virus, boot sector virus, multipart virus, meme virus, script virus, etc.)
Worm – Self-contained program that can reproduce on its own without a host application.
Botnet – Piece of code that carries out functionality for its master.
Spyware – Malware that is covertly installed on a target computer to gather sensitive information.
Trojan – Program disguised as another program.
Logic bomb – Executes a program, or string of code, when a certain set of conditions is met.
Scam – Strangers asking for a certain amount of money (e.g. in order to delete photos, videos or other sensitive
info which they seem to have from the victim).
Ransomware – A type of malware that prevents users from accessing their system, either by locking the system's
screen or by encrypting the victim's files, unless a ransom is paid.
Rootkit – Collection of tools installed on a compromised asset once administrator/root access is obtained.
Adware – Software that automatically generates (renders) advertisements.
188
EMAIL PROTOCOLS
• SMTP – Simple Mail Transfer Protocol
- Transfers the email from the user’s email server to the ISP’s email server, then across the network (LAN, WAN,
Internet) to the receiver’s email server
- Sends only text data (non-ASCII characters or binary data are represented through base64-encoded sections)
• POP – Post Office Protocol
- The receiver’s email client downloads the new messages and removes them from the email server
• IMAP – Internet Message Access Protocol
- Allows a client to access and manipulate emails on a server
[Diagram: Sender client -> Sender's ISP -> Relay -> Relay -> Receiver's ISP (Mailbox) -> Receiver client; SMTP on
every hop up to the mailbox, POP/IMAP from the mailbox to the receiver's client]
189
 Gather supporting evidence and track suspect
 Return path
 Recipient’s e-mail address
 Type of sending e-mail service
 IP address of sending server
 Name of the e-mail server
 Unique message number
 Date and time e-mail was sent
 Attachment files information
190
VIEWING E-MAIL HEADERS
191
E-MAIL HEADER
X-Apparently-To: example@yahoo.com; Sun, 30 Oct 2016 09:54:06 +0000
Return-Path: <visite.fax@bundestag.de>
Received-SPF: none (domain of bundestag.de does not designate permitted sender hosts)
X-Originating-IP: [193.17.243.102]
Authentication-Results: mta1100.mail.ne1.yahoo.com from=bundestag.de;
domainkeys=neutral (no sig); from=bundestag.de; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO mail3.dbtg.de) (193.17.243.102)
by mta1100.mail.ne1.yahoo.com with SMTPS; Sun, 30 Oct 2016 09:54:06 +0000
Received: from mailng06.bundestag.de (b.mx.intern.out [172.16.47.2])
by mail3.dbtg.de (Postfix) with ESMTP id 5322C70000A4
for <example@yahoo.com>; Sun, 30 Oct 2016 10:54:03 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by mailng06.bundestag.de (Postfix) with ESMTP id 5303A1B4C
for <example@yahoo.com>; Sun, 30 Oct 2016 10:54:03 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at bundestag.de
Received: from mailng06.bundestag.de ([127.0.0.1])
by localhost (mailng06.admin.btg [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id vT0X3zc24m9l for <example@yahoo.com>;
Sun, 30 Oct 2016 10:54:03 +0100 (CET)
Received: from visiteap10.bundestag.btg (visiteap10.bundestag.btg [172.26.249.157])
by mailng06.bundestag.de (Postfix) with ESMTP id 2F4221B49
for <example@yahoo.com>; Sun, 30 Oct 2016 10:54:03 +0100 (CET)
Date: Sun, 30 Oct 2016 10:54:03 +0100 (CET)
From: Besucherdienst <visite.fax@bundestag.de>
Reply-To: Besucherdienst <besucherdienst@bundestag.de>
To: example@yahoo.com
Message-ID: <1303136307.157.1477821243194.JavaMail.root@visiteap10>
Subject: Your booking confirmation (SYS#SYS-20161030-104606)
• Email headers need to be read from the bottom up
• Resources for automated analysis:
• Message Header Analyzer (Microsoft)
• Email Header Analyzer (MXToolbox)
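Reading the hops bottom-up programmatically, as an added example that is not from the lecture: the header is constructed with example.* domains and documentation IP ranges but laid out like the sample above, and the script lists the Received hops in travel order, then compares the Return-Path (P1), From and Reply-To (P2) domains and the SPF verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed header, laid out like the lecture sample (example.* domains,
# documentation IP ranges).  The blank line ends the header section.
SAMPLE_HEADER = """\
Return-Path: <invoices@example-mail.net>
Received-SPF: none (domain of example-mail.net does not designate permitted sender hosts)
X-Originating-IP: [198.51.100.20]
Received: from 127.0.0.1 (EHLO relay.example-mail.net) (198.51.100.20)
  by mx1.example.com with SMTPS; Sun, 30 Oct 2016 09:54:06 +0000
Received: from app10.internal.example-mail.net (app10.internal [172.26.249.157])
  by relay.example-mail.net (Postfix) with ESMTP id 2F4221B49
  for <victim@example.com>; Sun, 30 Oct 2016 10:54:03 +0100 (CET)
Date: Sun, 30 Oct 2016 10:54:03 +0100 (CET)
From: Accounts Payable <accounts@example.org>
Reply-To: Accounts Payable <ap-team@example-pay.biz>
To: victim@example.com
Message-ID: <1303136307.157.1477821243194.JavaMail.root@app10>
Subject: Your invoice is ready

"""

# "from <host> (<comments>) by <host> ...; <date>" as most MTAs write it.
HOP_RX = re.compile(
    r"from\s+(?P<from>\S+)(?:\s*\([^)]*\))*\s*by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")
IP_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_hops(raw: str) -> list:
    """Received lines in the order the mail travelled: bottom-most first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RX.search(flat)
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "date": m.group("date") if m else None,
            "ips": IP_RX.findall(flat),
            "raw": flat,
        })
    return hops


def _domain(msg, header: str):
    addr = parseaddr(msg.get(header, ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def sender_fields(raw: str) -> dict:
    """Domains of Return-Path (P1), From and Reply-To (P2) plus the SPF verdict."""
    msg = message_from_string(raw)
    spf = msg.get("Received-SPF", "")
    return {
        "return_path": _domain(msg, "Return-Path"),
        "from": _domain(msg, "From"),
        "reply_to": _domain(msg, "Reply-To"),
        "spf": spf.split(" ", 1)[0].lower() if spf else None,
    }


def header_findings(raw: str) -> list:
    """Triage notes an analyst would record after reading the header bottom-up."""
    f = sender_fields(raw)
    notes = []
    if f["return_path"] and f["from"] and f["return_path"] != f["from"]:
        notes.append(f"Return-Path domain {f['return_path']} differs from From domain {f['from']}")
    if f["reply_to"] and f["reply_to"] != f["from"]:
        notes.append(f"Reply-To domain {f['reply_to']} differs from From domain {f['from']}")
    if f["spf"] not in (None, "pass"):
        notes.append(f"SPF result '{f['spf']}': sending host not authorised for the envelope domain")
    hops = received_hops(raw)
    if hops:
        first = hops[0]
        notes.append(f"first hop: {first['from']} -> {first['by']} ({first['date']})")
    return notes


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_HEADER), 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']}  ips={hop['ips']}  {hop['date']}")
    for note in header_findings(SAMPLE_HEADER):
        print("-", note)
```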
192
E-MAIL HEADER
Message-ID - a field that provides a unique message identifier that refers to a particular version of a particular
message
Hops – the e-mail’s journey from point A to point B
X-Headers – such as the X-Originating-IP (the public IP of the computer that sent the e-mail)
Forefront Antispam Report Header – SCL, IPV, CTRY, SFV, etc. (specific to Exchange Online)
Reply-To vs Return-Path
Authentication results – SPF, DKIM, DMARC and ARC
196
• SMTP is ASCII based and can’t handle binary data (nor large attachments, non-Western languages etc.)
• Encoding was needed, so Base64 was selected because it handles binary data (although it is not human-readable)
• As a result, the MIME (Multipart Internet Mail Extension) standard was adopted for use in SMTP.
MIME AND BASE64 ENCODING
------=_Part_156_1711450280.1477821243191
Content-Type: application/pdf;
name=SYS-20161030-104606-Buchungsbestaetigung.pdf
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=SYS-20161030-104606-Buchungsbestaetigung.pdf
JVBERi0xLjQKJaqrrK0KNCAwIG9iago8PAovQ3JlYXRvciAoQXBhY2hlIEZPUCBWZXJzaW9uIDEu
MSkKL1Byb2R1Y2VyIChBcGFjaGUgRk9QIFZlcnNpb24gMS4xKQovQ3JlYXRpb25EYXRlIChEOjIw
MTYxMDMwMTA1NDAzKzAxJzAwJykKPj4KZW5kb2JqCjUgMCBvYmoKPDwKICAvTiAzCiAgL0xlb
aCAxMCAwIFIKICAvRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeJydlndYU+cex99zTvZg
CjM0MjA4CiUlRU9GCg==
------=_Part_156_1711450280.1477821243191
[Callouts on the part above: the boundary line marks the MIME header start; Content-Transfer-Encoding gives the
encoding; Content-Disposition is “attachment” (or INLINE); name/filename is the attachment name; the body is the
PDF attachment (base64-encoded)]
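The base64 part above decoded and checked, as an added example that is not from the lecture: the message and its attachment bytes are constructed (a stub with a valid PDF header and a second part deliberately mislabelled), and the script decodes each attachment and compares the declared Content-Type with the file's magic bytes, the check an examiner applies before trusting a filename.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Leading bytes of common attachment formats, used to verify the declared type.
MAGIC = {
    b"%PDF-": "application/pdf",
    b"MZ": "application/x-dosexec",
    b"PK\x03\x04": "application/zip",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def sniff(data: bytes):
    """Return the MIME type implied by the magic bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def decode_base64_body(body: str) -> bytes:
    """Join the wrapped base64 lines of a MIME part and decode them."""
    return base64.b64decode("".join(body.split()))


def build_sample_message() -> bytes:
    """Constructed multipart message with two base64 attachments."""
    msg = EmailMessage(policy=default)
    msg["From"] = "bookings@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your booking confirmation"
    msg.set_content("Please find your confirmation attached.")
    # Stub with a valid PDF header; not a real document.
    pdf_stub = b"%PDF-1.4\n%\xaa\xab\xac\xad\n4 0 obj\n<<\n/Creator (constructed)\n>>\nendobj\n%%EOF\n"
    msg.add_attachment(pdf_stub, maintype="application", subtype="pdf",
                       filename="SYS-confirmation.pdf")
    # Declared as PDF but carrying a PE (MZ) header: the mismatch the audit should flag.
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


def audit_attachments(raw: bytes) -> list:
    """Decode every attachment and compare the declared type with the sniffed one."""
    msg = message_from_bytes(raw, policy=default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)   # undoes the Content-Transfer-Encoding
        declared = part.get_content_type()
        sniffed = sniff(data)
        report.append({
            "filename": part.get_filename(),
            "encoding": part.get("Content-Transfer-Encoding"),
            "declared": declared,
            "sniffed": sniffed,
            "size": len(data),
            "mismatch": sniffed is not None and sniffed != declared,
        })
    return report


if __name__ == "__main__":
    for entry in audit_attachments(build_sample_message()):
        flag = "MISMATCH" if entry["mismatch"] else "ok"
        print(f"{entry['filename']}: {entry['declared']} vs {entry['sniffed']} [{flag}]")
```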
197
E-MAIL HEADER - SPF, DKIM AND DMARC
They are all standards that enable different aspects of e-mail authentication. They address complementary issues.
 SPF allows senders to define which IP addresses are allowed to send mail on behalf of their domain.
 DKIM provides an encryption key and digital signature that verifies whether an e-mail message was faked or
altered.
 DMARC unifies the SPF and DKIM authentication mechanisms into a common framework: it allows domain owners
to declare how they would like an e-mail to be handled if it fails an authorization test.
198 MICROSOFT OUTLOOK
• Stores messages, contacts, appointments, tasks, notes in Messaging Application Programming Interface (MAPI)
folders
• These folders can be stored in:
 A personal folders file (.pst)
 A mailbox located on the server if used with Microsoft Exchange Server (.mdb)
 An offline folders file (.ost) on the hard drive
• Location: <drive>:\Users\<user>\AppData\Local\Microsoft\Outlook
• Items can also be archived in a file named archive.pst found in the same location
• PST files can be recovered from unallocated space. Their file header is “0x2142444E”
199
MICROSOFT OUTLOOK – OST VIEWER
200
WEBMAIL
 E-mail is accessed through a Web page interface, from a Web Browser
 Common webmail providers: Yahoo, Gmail, Outlook, AOL, Yandex
 Any viewed pages used to be cached in the Temporary Internet Files (IE browser)
 Now the webpages are constructed on-the-fly using JSON files -> fewer artifacts
 Useful data can still be recovered from pagefile.sys and hiberfil.sys, because the JSON and dynamically created
HTML pages must reside in memory when viewed
 Few artifacts available: account name, sender, subject
http://www.emailmonday.com/mobile-email-usage-statistics
Lab 13
PRACTICAL EXERCISE:
EMAIL MESSAGES