cns 320 week10 final review

Upload: alb3rtlin

Post on 11-Feb-2018


7/23/2019 CNS 320 Week10 Final Review

CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 10 Final Review

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Final Review

Remember, the final exam is worth 40% of your grade.

Imaging

An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD, etc.).

Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF.

Images are typically validated as unchanged by use of one or more of a number of cryptographic hash algorithms (MD5, SHA-1, SHA-256). Of these three commonly used hashing algorithms, only SHA-256 has no known collision attacks against it.

On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that original evidence is unchanged.

On live systems, it is almost certain that the image hash for a disk in use or for system memory will not match.

Exact methodologies will vary from organization to organization.

Physical vs. Logical Imaging

Physical Image: full image of the complete physical disk device's content.

Logical Image: image of a logical volume, as mounted on a live system. For example:
  Portion of a physical device
  RAID spread across several different physical devices
  Mounted encrypted volume
  Mounted network volume

MBR Partitioning

Most Windows partitions are MBR.

The Master Boot Record lives in the first 512-byte sector on disk and contains:
  Boot record
  4 Primary Partition Table Entries (not all need be valid)
  Signature value (0xAA55)

A Partition Table Entry contains:
  Starting CHS address
  Ending CHS address
  Starting LBA address
  Number of sectors in partition
  Type of partition
  Flags

A Primary Partition may be an Extended Partition, which references a linked list of Secondary Extended Partition Tables.

The first partition usually starts 63 sectors after the partition table due to a legacy cylinder boundary requirement.
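As an added illustration (not part of the slides), the following Python parses a 512-byte MBR sector exactly as laid out above; the sample sector is constructed here, and the type codes 0x07 (NTFS) and 0x05/0x0F (extended) are well-known values I supply rather than slide content.

```python
import struct

PT_OFFSET = 446                 # partition table follows the 446-byte boot record
ENTRY_SIZE = 16
SIGNATURE = 0xAA55              # stored little-endian at offset 510, i.e. bytes 55 AA
EXTENDED_TYPES = {0x05, 0x0F}   # well-known extended-partition type codes


def decode_chs(raw):
    """Decode a 3-byte CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector):
    """Return the populated partition table entries of one 512-byte sector."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly one 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != SIGNATURE:
        raise ValueError("missing 0xAA55 signature (got 0x%04X)" % sig)
    entries = []
    for slot in range(4):
        off = PT_OFFSET + slot * ENTRY_SIZE
        # flags, start CHS, type, end CHS, start LBA, sector count;
        # the LBA fields are little-endian, as on any PC
        flags, chs_start, ptype, chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0 and count == 0:
            continue                        # unused slot
        entries.append({
            "slot": slot,
            "bootable": flags == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
        })
    return entries


def build_sample_mbr():
    """Constructed sample: a bootable NTFS primary starting at LBA 63 (the
    legacy cylinder boundary) followed by an extended partition."""
    sector = bytearray(512)
    struct.pack_into("<B3sB3sII", sector, PT_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097152)
    struct.pack_into("<B3sB3sII", sector, PT_OFFSET + ENTRY_SIZE,
                     0x00, b"\xFE\xFF\xFF", 0x05, b"\xFE\xFF\xFF", 2097215, 4194304)
    struct.pack_into("<H", sector, 510, SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    for entry in parse_mbr(build_sample_mbr()):
        print(entry)
```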

File Systems

A filesystem is a method of mapping file data and metadata onto a storage volume in such a way that it can be stored and retrieved efficiently.

Filesystem Data Categories:
  File System: data pertaining to the filesystem as a whole
  Content: data contained within the bodies of files
  Metadata: data about files
  File Name: human interface reference for a file identifier
  Application: data implementing special filesystem features such as journaling or quotas

Data Storage: Big-Endian vs. Little-Endian

Big-Endian: most significant byte stored first (lowest address). Used by mainframes & UNIX systems.

Little-Endian: least significant byte stored first. Used by PCs.

Value: 258
Hex: 0102 (2*16^0 + 0*16^1 + 1*16^2)
Big-Endian: 01 02
Little-Endian: 02 01

Mnemonic: LLL (Little, Least, Left)

Slack Space

RAM Slack: space in the last sector of a file after the end of the file. Back in old versions of Win95 and previous, this got randomly populated with data from memory. Since then it is nulled out when a file is written.

File Slack: any remaining sectors in the last cluster of a file following the RAM Slack. These are not overwritten when the file is written, and will still contain any previous content. (Usage of this term sometimes includes RAM Slack.)

Collectively, File Slack is the space between the logical and physical end of file:
  Physical EOF is the end of allocated clusters
  Logical EOF is the end of file data

NTFS

Everything in NTFS is a file, including the MFT.

MFT Structure (every file has an MFT entry). File Attributes, particularly:
  Standard Information Attribute (contains primary file timestamps)
  Filename Attribute (there may be two of these, and each contains redundant timestamps)
  Data Attribute (for resident files [< a few hundred bytes], data is contained within the MFT entry itself)
    Data attributes after the first are referred to as Alternate Data Streams
  Index_Allocation Attributes (for directories): B-Tree contains complete File_Name Attributes, including redundant timestamps

Attribute Structure

Note the various redundant timestamps.

NTFS MFT

NTFS Data Structure - Master File Table (MFT)

Heart of NTFS. Has an entry for every file and directory, including itself.

MFT entries are 1024 bytes in length, & start with FILE (typically) or BAAD.

A single file can require multiple MFT entries to store all its attributes. But this is rare.

It's sometimes possible to find complete MFT entries in unallocated space that reference file data also in unallocated.

NTFS File Attributes of Particular Note

Standard Information Attribute (contains primary file timestamps)

Filename Attribute (there may be two of these, and each contains redundant timestamps)

Data Attribute (for resident files, data is contained in the MFT entry itself)
  Data attributes after the first are referred to as Alternate Data Streams (ADS)
  ADS can be used by attackers or malware to hide data

Index_Root_Attribute (directories - resident)

Index_Allocation Attribute (directories - nonresident)
  B-Tree contains complete File_Name Attributes, including redundant timestamps
  Entries also contain a reference to the MFT record number

NTFS MFT Entry Timestamps

NTFS MFT entries have two (sometimes three) attributes that contain timestamps:
  $STANDARD_INFORMATION: the only one normally seen
  $FILE_NAME (short & possibly long): redundant and difficult to change

Four file system timestamps (MACB times) are contained in each entry (the number gives each timestamp's position within the attribute):
  2 Last [M]odified time
  4 Last [A]ccessed time
  3 MFT entry modified ([C]hanged) time
  1 Creation ([B]orn) time

NTFS directory entries also have timestamps & file sizes

The INDX structure of an NTFS directory stores a complete copy of (both) the referenced file's filename attributes. This includes all timestamps and file sizes.

When a file is deleted, this entry is unlinked from the INDX structure's B-tree, but is not wiped unless overwritten during ensuing B-tree rebalancing.

If you find a filename in unallocated space, or in the INDX structure of a folder which no longer contains a file of that name, it helps to know what you're looking at.

Recognizing NTFS Timestamps

Individual NTFS timestamps are 8-byte little-endian quantities showing the number of 100ns units since Jan 1st, 1601.

If you see four plausible NTFS datestamps in a row, followed after 26 more bytes by a Unicode filename, you're probably looking at a filename attribute.

If it's surrounded by a bunch of other similar data for other filenames, without much interspersed, it's probably a directory. Look back a few hundred bytes and see if there's an INDX header.

Alternatively, if there is a significant amount of interspersed data, and the only other filename attribute close by is a long or short filename attribute for the same file, you might be looking at an MFT entry. Look back a few hundred bytes and see if you see a FILE header.

Detecting timestamp manipulation

Compare standard information attribute timestamps with filename timestamps.

Compare with other timestamps for the same file recovered from directory entries or unallocated space.

Utilities which set timestamps typically will set to either a particular time rounded to the nearest second, or will copy standard info attribute times for some other file:
  Look for times exact to the second
  Look for times exactly matching other files

Look for log references to the suspicious file.
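The two preceding slides (recognizing $FILE_NAME timestamps in raw bytes, and checking $STANDARD_INFORMATION against them) as one added Python example; this is my code, not the course's. The 1995-2030 plausibility window, the sample buffer and the sample $STANDARD_INFORMATION times are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10_000_000            # one FILETIME tick is 100 ns


def filetime_to_datetime(ft):
    """Decode an NTFS/Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SEC + delta.microseconds * 10


# Window that counts as "plausible" while scanning (an assumption of this example).
FT_LO = datetime_to_filetime(datetime(1995, 1, 1, tzinfo=timezone.utc))
FT_HI = datetime_to_filetime(datetime(2030, 1, 1, tzinfo=timezone.utc))


def plausible(ft):
    return FT_LO <= ft <= FT_HI


def find_filename_attributes(buf):
    """Scan raw bytes for $FILE_NAME bodies: four plausible little-endian
    FILETIMEs, then 26 bytes (allocated size, real size, flags, reparse
    value, name length, namespace), then a UTF-16LE file name."""
    hits = []
    for i in range(0, len(buf) - 58):
        times = struct.unpack_from("<4Q", buf, i)
        if not all(plausible(t) for t in times):
            continue
        name_len, namespace = buf[i + 56], buf[i + 57]
        raw = buf[i + 58:i + 58 + 2 * name_len]
        if name_len == 0 or namespace > 3 or len(raw) < 2 * name_len:
            continue
        try:
            name = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if not name.isprintable():
            continue
        born, modified, changed, accessed = times   # on-disk order: B, M, C, A
        hits.append({"offset": i, "name": name,
                     "B": born, "M": modified, "C": changed, "A": accessed})
    return hits


def timestomp_indicators(si, fn, other_si=()):
    """The slide's checks for one file: si and fn are MACB dicts of FILETIME
    ints from $STANDARD_INFORMATION and $FILE_NAME; other_si holds the
    $STANDARD_INFORMATION dicts of other files on the volume."""
    flags = []
    if si["B"] < fn["B"]:
        flags.append("SI creation earlier than FN creation")
    if all(si[k] % TICKS_PER_SEC == 0 for k in "MAB"):
        flags.append("SI M/A/B times exact to the second")
    if any(all(si[k] == o[k] for k in "MACB") for o in other_si):
        flags.append("SI times identical to another file's")
    return flags


def _ft(*args):
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))


# Constructed sample: a $FILE_NAME body for "secret.docx" surrounded by
# filler, as it might turn up in unallocated space.
_FN_TIMES = (_ft(2012, 3, 5, 14, 22, 7, 123456), _ft(2012, 3, 6, 9, 1, 44, 500000),
             _ft(2012, 3, 6, 9, 1, 44, 500000), _ft(2012, 3, 7, 18, 30, 2, 987654))
_NAME = "secret.docx".encode("utf-16-le")
SAMPLE = (b"\x00" * 40
          + struct.pack("<Q4QQQII", 0x0005000000000021, *_FN_TIMES, 8192, 6144, 0x20, 0)
          + bytes([len(_NAME) // 2, 1]) + _NAME + b"\xff" * 24)

# Constructed $STANDARD_INFORMATION times for the same file: set by a utility
# to whole seconds, with a birth time earlier than the $FILE_NAME one.
SAMPLE_SI = {"M": _ft(2009, 1, 1, 0, 0, 0), "A": _ft(2009, 1, 1, 0, 0, 0),
             "C": _ft(2012, 3, 7, 18, 30, 3, 111111), "B": _ft(2009, 1, 1, 0, 0, 0)}


def analyze_sample():
    fn = find_filename_attributes(SAMPLE)[0]
    return fn, timestomp_indicators(SAMPLE_SI, fn)


if __name__ == "__main__":
    fn, flags = analyze_sample()
    print(fn["name"], filetime_to_datetime(fn["B"]).isoformat(), flags)
```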

Forensic Soundness

A forensically sound process is one that ensures data remains complete and materially unaltered (if portions are lost or altered, that fact must be readily apparent) while it is acquired, retained, and transported, so that it is admissible in a legal proceeding.

On the final, I could describe a process and ask whether it's forensically sound.

Volatile Data Elements

  Network Connections
  Open Ports & Sockets
  Running Processes (may be hidden)
  Terminated Processes
  Loaded DLLs
  Open Files
  Kernel Modules
  User Logged On
  Data from Memory

Fuzzy Hashing

Method of measuring similarity between different files.

Ssdeep is the most commonly used fuzzy hashing utility.

Most effective on files containing large amounts of text, less so with purely binary data, but YMMV.

Fuzzy hashing is also referred to as context triggered piecewise hashing (CTPH).

Unallocated Space: typical usage of the term

Can be within any record structure, for example:
  Disk
  Volume
  Filesystem
  Database File
  Registry Hive
  Directory
  Physical Memory (Heap)

Any location which does not currently hold referenced data.

WinNT/2K/XP/2K3 Recycle Bin

Subfolder under RECYCLER named with the user's SID.

When a file goes into the trash, it's moved to a unique name under this folder such as D__

Also under this subfolder will be a hidden binary file named INFO2 containing records which document the current name, original full path, & deletion time for each file in the recycle bin.

When the recycle bin is emptied, all these files are deleted.

WinVista/7 Recycle Bin

User SID folder created under $Recycle.bin.

Each deleted file now gets moved to $R###### under the new SID folder.

$I###### with the same number in that folder contains the original path and deletion time for that file (equivalent to INFO2, but for individual files).
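An added Python example (mine, not from the slides) that reads the $I###### record described above and pairs it with its $R###### data file. The record layout used here (8-byte header, 8-byte original size, 8-byte deletion FILETIME, then the original path as UTF-16LE) is my assumption about the Vista/7 format; the slide states only that the file holds the path and deletion time. The sample records are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_dollar_i(data):
    """Parse one $I###### record (layout is this example's assumption):
    header/version (8), original size (8), deletion FILETIME (8), then the
    original path as UTF-16LE, null terminated."""
    if len(data) < 24:
        raise ValueError("$I record too short")
    header, size, ft = struct.unpack_from("<QQQ", data, 0)
    path = data[24:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"header": header, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def paired_data_file(i_name):
    """$I<id>.ext -> $R<id>.ext: the $R file with the same id holds the content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name: %s" % i_name)
    return "$R" + i_name[2:]


def inventory(i_files):
    """i_files maps $I file names (under the user's SID folder) to their
    bytes; returns one record per deleted file, with the matching $R name."""
    rows = []
    for name, data in sorted(i_files.items()):
        rec = parse_dollar_i(data)
        rec["index_file"] = name
        rec["data_file"] = paired_data_file(name)
        rows.append(rec)
    return rows


def build_sample_dollar_i(path, size, deleted_at):
    """Constructed sample record; the path field is padded to 260 UTF-16 chars."""
    encoded = path.encode("utf-16-le")
    padded = encoded + b"\x00" * max(520 - len(encoded), 2)
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + padded


# Constructed sample $I files for two deleted documents (ids are made up).
SAMPLE_I_FILES = {
    "$I3F9XZ1.xlsx": build_sample_dollar_i(
        "C:\\Users\\alice\\Documents\\budget.xlsx", 48_128,
        datetime(2012, 4, 2, 15, 7, 41, tzinfo=timezone.utc)),
    "$IQ7M2KB.txt": build_sample_dollar_i(
        "D:\\notes\\todo.txt", 912,
        datetime(2012, 4, 3, 8, 0, 5, tzinfo=timezone.utc)),
}


if __name__ == "__main__":
    for row in inventory(SAMPLE_I_FILES):
        print(row["index_file"], "->", row["data_file"], row["original_path"],
              row["original_size"], row["deleted_at"].isoformat())
```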

The Windows Registry

Essentially a specialized filesystem used for configuration data.

Stored in multiple files (hives):

System Hives (%Windir%\System32\Config)
  SAM (Security Account Manager)
  Security
  System
  Software
  Default

User Hives
  Ntuser.dat
  UsrClass.dat (added with Win7 or IE8)

Hive files are locked while the OS runs

You can extract them from live systems with forensic tools such as FTK Imager.

Some, such as SAM and Security, may require privileged access to acquire from a live system.

As usual, however, physical access trumps all. They're easily retrieved from an offline system.

Registry Structure

If you find unallocated search hits with strings such as regf, hbin, nk, lf, lh, ri, li, & vk nearby, you're likely looking at an old deleted registry file.

nk entries are registry keys, and contain Windows FILETIME last-updated timestamps.

vk entries are registry values. No timestamps, but they frequently occur shortly after their parent keys.

MRUList: Most Recently Used

Registry key that appears many times in different places in the registry, mostly in the ntuser.dat hive.

Values under this key include a variable number of values containing last-accessed values of some type, and an MRUList value which indicates the order in which these values were accessed. The first entry in MRUList is the most recent.

The last write time of the key is the date at which the most recent of these was accessed.

UserAssist

HKU\*\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist

Application names ROT-13 encoded.

Run count (starts at 6).

Last run time (Windows FILETIME).

ROT-13 substitutes alphabetic characters with the character 13 further along in the alphabet (circular). So doing it a 2nd time returns the string to its original value. Numeric & punctuation data are unaffected.
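An added Python example (not from the slides) that decodes a UserAssist value as described above: ROT-13 on the value name, then the run counter and last-run FILETIME from the value data. The 16-byte data layout (4-byte session id, 4-byte counter, 8-byte FILETIME, little-endian) is the XP-era format and is my assumption; the sample value is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text):
    """Shift each ASCII letter 13 places around the alphabet (circular);
    digits, punctuation and path separators pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_userassist(value_name, value_data):
    """Decode one UserAssist value. Data layout (assumed XP-era format):
    session id (4), run counter (4), last-run FILETIME (8), little-endian."""
    if len(value_data) < 16:
        raise ValueError("UserAssist value data shorter than 16 bytes")
    session, counter, ft = struct.unpack_from("<IIQ", value_data, 0)
    return {
        "program": rot13(value_name),
        "session": session,
        "raw_counter": counter,
        # the stored counter reads 6 after the first run, so subtract 5
        "runs": max(counter - 5, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


# Constructed sample: the encoded name of a UEME_RUNPATH entry for notepad,
# run three times, last on 2012-02-29 16:45:10 UTC.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr"
SAMPLE_DATA = struct.pack(
    "<IIQ", 4, 8,
    datetime_to_filetime(datetime(2012, 2, 29, 16, 45, 10, tzinfo=timezone.utc)))


if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```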

SAM Registry Hive Contents

User Name

Security Identifier (SID)

User Login Information
  Last Login
  Last Failed Login
  Login Count
  Password Policy

Group Information (list of groups and members)
  Administrators
  Users
  Remote Desktop Users

CurrentControlSet

There may be several sets of keys under System:
  ControlSet001
  ControlSet002
  Etc.

The number of the most up-to-date one will be shown in SYSTEM\Select\Current.

Time Zone

SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Some forensic tools (EnCase) will show all file times as the zone set on the workstation they're run on.

This can be confusing, because many log files will be in either GMT or in local time for the subject system.

You can wind up with times from the same system in three different zones. This is a pain.

Enable/Disable Last Access Time

SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate

0x1 = Access Timestamps Turned Off (default on Win7)

0x0 (or value doesn't exist, as on Win2K) = Access Timestamps Turned On

Process Path Verification

Windows Event Logs

NT/2K/XP/2K3: .evt files
  %systemroot%\System32\config
  SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others
  File Header/Magic Number in bytes 4-8: LfLe
  Header in 2nd 4 bytes of each record: LfLe (same as file header)
  2 timestamps per record (generated & recorded), UNIX Epoch time format

Vista/7/2K8: .evtx files
  %systemroot%\System32\winevt\logs
  SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
  Header in 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
  Logs can be sent to a remote log collector
  Binary XML format

File locations can be changed in the registry.

UNIX Epoch time = # seconds since 00:00 Jan 1st, 1970 GMT

Example Scenario: Domain user logs in to workstation and maps network file share

Domain user (Kerberos authentication, Win2K3 server environment) logs in to workstation and maps a network file share to a file server.

Events Logged:

Workstation
  528 - Successful logon

Domain Controller
  672 - Authentication ticket granted
  673 - Service ticket granted (workstation)
  673 - Service ticket granted (domain controller)
  540 - Successful network logon
  538 - User logoff
  673 - Service ticket granted (file server)

File Server
  540 - Successful network logon
  538 - User logoff

Office Default Metadata Values

Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters, Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)

Manual Examination of New (XML) Office Files (docx, xlsx, pptx)

Unzip the file (all the 2007+ Office files are actually zip archives of a file tree).

Result will be a folder.

Examine the file docProps\app.xml under that extracted folder.

Metadata values will be encoded in XML.

PDF Metadata

Typical XMP PDF Metadata Tags: Author, Copyright, CreationDate, Creator (application name), Keywords, Marked (boolean value), ModDate, PDFVersion, Producer (application name), Subject, Title, Trapped

The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files.

Metadata in JPG Images

Newer digital cameras & phones often geotag images with GPS coordinates.

Can also potentially identify the specific camera that took a picture.

Lots of data about specific camera settings at the time the picture was taken.

Can sometimes identify photo editing software used to alter the image.

Some images carry an internal thumbnail which can be extracted.

Typical Metadata in a Portable Executable File (exe/sys/dll)

Machine Type, Time Stamp (compiled), PE Type, Linker Version, Code Size, Initialized Data Size, Uninitialized Data Size, Entry Point, OS Version, Image Version, Subsystem Version, Subsystem (GUI/DOS/Native), File Version Number, Product Version Number, File Flags Mask, File Flags, File OS, Object File Type (app/dll), File Subtype, Language Code, Character Set, Company Name, File Description, File Version, Internal Name, Legal Copyright, Original Filename, Product Name, Product Version, Product Date

Pre-Vista: Thumbs.db

Populated in any folder which has been at one time set to show thumbnails of included images & documents.

Hidden file, not viewed by most users and not cleaned out when files are removed from the folder.

Uses OLE compound document format (similar to Office 2K3 and previous) to store:
  thumbnail picture of original image or first page of document
  last modification time
  original filename

Vista+: Thumbcache

Single, centrally stored file for each user:
  Thumbcache_32.db (small)
  Thumbcache_96.db (medium)
  Thumbcache_256.db (large)
  Thumbcache_1024.db (extra large)
  Thumbcache_idx.db
  Thumbcache_sr.db

Located in \AppData\Local\Microsoft\Windows\Explorer

All created when a folder is switched to thumbnail mode or the user views pictures in a slideshow.

Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers.

Numbered files store the actual images; linking to files is done by the idx file.

Purpose of the sr file not yet determined.

Email Forensics

In Transit: Simple Mail Transport Protocol (SMTP)

Remember that all headers added by systems before the earliest system you control could possibly have been spoofed.

At Rest (various storage formats):
  PST/OST (Outlook)
  DBX (Outlook Express)
  EML/FOL (Windows Mail)
  MSF/no ext (Thunderbird)
  MBX/TOC (Eudora)

Useful SMTP Headers

Received: one added by each SMTP server in the forwarding chain.

Message-ID: added by the originating SMTP server. Unique_identifier@originating_server

X-Originating-IP: optional, added by the originating MTA. Should match the earliest Received header.

X-Mailer: optional, added by the creating email client.
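The header checks from the last two slides as one added Python example (mine, not course material): it reads the Received chain in chronological order, marks every hop before the first server you control as unverifiable, and compares X-Originating-IP with the earliest Received header. The sample message, the host names and the trusted-host list are constructed from documentation addresses.

```python
import re
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+([\w.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)


def received_hops(msg):
    """Received headers in chronological order (the bottom one was added first)."""
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        text = " ".join(header.split())          # unfold continuation lines
        m_from, m_by, m_ip = FROM_RE.search(text), BY_RE.search(text), IP_RE.search(text)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "raw": text})
    return hops


def assess_headers(raw_message, trusted_hosts):
    """Mark which hops were recorded by servers you control; everything
    before the first such hop could have been written by the sender."""
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    trusted = {h.lower() for h in trusted_hosts}
    first_trusted = next((i for i, h in enumerate(hops)
                          if h["by"] and h["by"].lower() in trusted), None)
    for i, hop in enumerate(hops):
        hop["trustworthy"] = first_trusted is not None and i >= first_trusted
    x_orig = (msg.get("X-Originating-IP") or "").strip("[] ")
    earliest_ip = hops[0]["ip"] if hops else None
    msg_id = msg.get("Message-ID", "")
    return {
        "hops": hops,
        "first_trusted_index": first_trusted,
        "x_originating_ip": x_orig or None,
        "x_originating_ip_matches_earliest": bool(x_orig) and x_orig == earliest_ip,
        "message_id_domain": msg_id.rsplit("@", 1)[-1].rstrip(">") if "@" in msg_id else None,
        "x_mailer": msg.get("X-Mailer"),
    }


# Constructed sample headers; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
 by mail.example.org with ESMTP id A1B2; Tue, 6 Mar 2012 10:05:02 -0500
Received: from relay.partner.test (relay.partner.test [203.0.113.9])
 by mx.example.org with ESMTP id C3D4; Tue, 6 Mar 2012 10:05:00 -0500
Received: from desktop.lan (unknown [192.0.2.44])
 by relay.partner.test with SMTP id E5F6; Tue, 6 Mar 2012 10:04:58 -0500
Message-ID: <20120306150458.E5F6@relay.partner.test>
X-Originating-IP: [192.0.2.44]
X-Mailer: ExampleMailer 1.0
From: someone@partner.test
To: analyst@example.org
Subject: quarterly numbers

body text
"""

if __name__ == "__main__":
    report = assess_headers(SAMPLE, ["mx.example.org", "mail.example.org"])
    for hop in report["hops"]:
        print(hop["trustworthy"], hop["from"], hop["ip"], "->", hop["by"])
```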

Attachments

SMTP only allows text.

Enter Multimedia Internet Mail Extensions (MIME).

Message Segmentation.

Base64 encoded attachments in their own segments.

Spoliation

The destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation.

A party claiming Spoliation must demonstrate:
  The party having control of the evidence had an obligation to preserve it at the time it was destroyed
  The evidence was destroyed with a culpable state of mind
  The destroyed evidence was relevant to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense

Six Phases of the Standard IR Model

1. Preparation (Important)
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-Up and Lessons Learned (Even More Important)

Link/Shortcut Files (.LNK)

Whenever a file (local or remote) is opened using Explorer, a shortcut file is created:
  \Recent (XP)
  \AppData\Roaming\Microsoft\Windows\Recent (Vista/7)
  \AppData\Roaming\Microsoft\Office\Recent (Vista/7)

Note: In Win7, the link may get created inside a jumplist file.

Shortcut file contents

Begins with magic value 4C 00 00 00 (L NULL NULL NULL).

Four byte file length at offset 34h (easy to carve).

Timestamps from original file when shortcut last accessed.

Size from original file when shortcut last accessed.

Volume Info: Name, Type (HD, Removable, Remote, CD), Serial#.

Network Share Name, if any.

Long & short filename.

Original File Path.

FileLocation (ObjectID [contains MAC address] + VolumeID). Two different ones if the file has been moved between 2 NTFS volumes.

These files are really short, and so are typically resident in their MFT entry.

Prefetch/Superfetch Files (.pf)

Used to increase performance by preloading code pages for commonly used applications.

Referred to as superfetch in Vista/Win7.

Found in %Windir%\Prefetch
  -.pf

Prefetch not cleaned out when the exe is removed.

Up to 128 of them can exist at a time.

Data in .pf file

File Signature (beginning of file):
  XP: \x11\x00\x00\x00\x53\x43\x43\x41 (.SCCA)
  Vista/7: \x17\x00\x00\x00\x53\x43\x43\x41 (.SCCA)

Contains paths of all files & folders accessed by the program in the first 10 seconds.

Create time indicates when the executable was first run.

Mod date & internal FILETIME indicate the last time.

Run Count.

Volume path & serial # for all files referenced.

Prefetch\Layout.ini contains path information.

File Size: 4-byte quantity at offset 0x000c.

Restore Points

Restore Points (XP) created by default every 24 hours so the user can restore his system to a previous state if something goes wrong (boot to last known good state), kept 90 days by default.

Contain copies of all system files & registry entries changed since the last restore point.

Found in C:\System Volume Information\_restore{GUID}\RP###\

Change.log (binary) file maps generic restore point filenames back to their original paths.

Rp.log: last 8 bytes are Windows FILETIME for the restore point creation date.

Snapshot subfolder contains copies of changed registry keys for all hives (only accessible by System on a live host).

Volume Shadow Copy Service (VSS)

Vista/7 version of Restore Points, but much more pervasive.

Tracks all (aggregate) changes made to the filesystem since the last Shadow Copy.

Literally allows the entire filesystem or individual files or folders to be rolled back to a previous state.

Offline filesystem can be mounted as it existed at a previous date.

Only takes a snapshot periodically (Win7: weekly), not continually. Enabled by default.

Typically limited to 15% of volume size.

ShellBags: Another Great Registry Artifact

Windows Explorer tracks in the registry when you've opened some folder and changed the way it appears on the desktop, so it can be the same next time you open it.

Never cleaned up.

Binary format.

Registry keys include a timestamp, so you can tell a date when the specified folder was accessed.

Tracks external shares & removable media, so you have a record of the folder structures on them.

ShellBags: Another Great Registry Artifact

Location (XP): NTUSER.DAT Hive
  HKU\*\Software\Microsoft\Shell\Bags
  HKU\*\Software\Microsoft\Shell\BagMRU
  HKU\*\Software\Microsoft\ShellNoRoam\Bags
  HKU\*\Software\Microsoft\ShellNoRoam\BagMRU
  HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Location (Vista/7): USRCLASS.DAT Hive
  HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
  HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  HKU\*\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  HKU\*\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Windows 7 Jump Lists

Custom Destinations: \AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\.customDestinations-ms

File contains embedded .LNK files which can be carved out (LNK header is \x4c\x00\x00\x00\x01\x14\x02, file size is 4 bytes at offset 34h) and analyzed.

Automatic Destinations: \AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\.automaticDestinations-ms

Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer, from which .LNK files can be exported directly.

Windows 7 Jump Lists

Replaced the old Quick Launch toolbar from XP. Allows the user to pin a program to the taskbar for similar functionality.

Actual implementation substantially more complicated, similar to & used like the old My Recent Documents shortcuts. Recent Items in the Win7 start menu goes to a folder that contains both shortcuts and Jump Lists.

Another way to note opening or creation of files, or to identify previous existence of deleted or wiped files.

Records file access for specific applications.

Lists can contain up to several hundred items, though only a few are shown.

USB Device & Activity Information

  Vendor
  Model
  Version
  Capacity
  Serial Number (most, but not all)
  Last Drive Letter
  Volume Name (filesystem)
  Volume Serial Number (filesystem)
  First Use
  First Use Since Last Reboot
  Last Use

Other usage timestamps may be in restore points.

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Enum\USBSTOR

Subkey named Disk&Ven_&Prod_&Rev_
  Product name text may contain capacity and even color

Under this subkey is another named with the device's unique serial number, if any.

If the device has no serial number (non-standard-conformant), Windows will create one with an & as the second character.

Under the serial number key is a value named ParentIdPrefix (Vista/7 only, used to link to other data).

When was USB device first connected?

Plug and Play Log Files:
  XP - %windir%\setupapi.log
  Vista/7 - %windir%\inf\setupapi.dev.log

Times in the log are in the local timezone for the host.

Look for the first entry for the device serial number.

Artifact Locations for IE (XP)

Bookmarks/Favorites
  \Favorites

History (Hidden)
  \Local Settings\History\History.IE5

Cache (Hidden)
  \Local Settings\Temporary Internet Files\Content.IE5

Cookies
  \Cookies

Downloads
  <Profile>\Downloads

Artifact Locations for IE (Vista/Win7)

Bookmarks/Favorites
  \Favorites

Cookies
  \AppData\Roaming\Microsoft\Windows\Cookies
  \AppData\Roaming\Microsoft\Windows\Cookies\Low

History (Hidden)
  \AppData\Local\Microsoft\Windows\History\History.IE5
  \AppData\Local\Microsoft\Windows\History\Low\History.IE5

Cache (Hidden)
  \AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
  \AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low

Downloads
  \Downloads

A word about profile locations

Not always in C:\Documents and Settings. Registry-configurable default profile locations. Check the following values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\:
  Default
  Public
  ProfilesDirectory

Builtin account profiles are under %Windir% subfolders. System: Windows\System32\Config (default=ntuser.dat)

System account web artifacts = evidence of compromise.

Index.dat Files

Binary format unchanged since IE 4. Different files use the same name & format, but store different data.

Index.dat files exist in multiple places for tracking of:
  History
  Cookies
  Cache Data

Difficult to remove because always locked, but IE settings can clear entries.

File Signature: Client UrlCache MMF Ver 5.2

Four byte file size starting at byte 28.

Index.dat Record Types

Four types of record are known (the name of each is also its record signature):
  URL - Indicate URIs that were actually requested
  REDR - Indicate browser was redirected to another site
  HASH - Hash indexes of the contents of the index.dat file (not useful)
  LEAK - Result of attempt to delete entry while associated cache file is open (other mechanisms possible)

IE History

Designed for URL autocompletion.

Tracks all user browsing history for the last 20 days by default.

If browsing history is set to 0 days, still kept, but deleted on system shutdown or the next day.

Also tracks Explorer access to local files.

For each URL or file, tracks last access timestamp & number of times accessed.

Actual History Contents

Master index.dat file under History.IE5.

Daily, Weekly, or (potentially) Monthly index.dat files under other folders.

Folders are named according to the date span covered by the contained file.

After the 6th day, aggregate daily history content is rolled up into a weekly file.

Actual files and folders cannot be seen in the Windows GUI on a live system, but can from the command line using dir /a.


    Index.dat Record (URL History)

    Offset  Size  Description

    0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)

    4       4     # of 128 byte blocks in record

    8       8     LastModified FILETIME (URL)

    16      8     LastAccessed FILETIME (URL)


    IE Cache

    Exists to speed up access by using previously obtained local copies of content which has not altered since accessed

    Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldn't have

    Also, the RFCs never formally stated SSL should not be cached

    Can include references to entries that have been removed in the meantime

    Cleared entries are wiped more effectively by IE7 and later


    A word about cache usage

    Some RFCs & Microsoft specifications clearly define what is supposed to be cached

    RFC2616 (HTTP 1.1): cache-response-directive = no-store

    RFC1945 (HTTP 1.0): entries past expiration date not cached (less clear)

    MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE

    Developers sometimes misinterpret the meaning of the specifications

    For instance, no-cache (HTTP 1.1) and Pragma: no-cache (HTTP 1.0) don't mean "do not cache". Both mean "send request for content even if cached"

    Older browser versions were very bad at properly interpreting and enforcing these specifications because of this


    Cache Artifacts

    Index.dat file under Content.IE5

    Semirandomly named subfolders contain files with cached content

    Contain entries for cacheable URLs visited, each of which references a file that may or may not still exist

    Original filename with bracketed instance number before .ext

    Folders added in groups of four (if not, investigate why, could be data hiding location)


    FYI: Other Temporary Internet Folders

    Subfolders (Not thoroughly researched)

    AntiPhishing

    Content.MSO - Not sure. Local copy from external document linking in Office?

    Content.Outlook - Attachment files opened directly in Outlook

    Content.Word - Temp files created when Word used as editor for Outlook

    OLK5432 - Unknown

    Others?


    Index.dat Record (Cache URL)

    Offset  Size  Description

    0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)

    4       4     # of 128 byte blocks in record

    8       8     LastModified FILETIME (URL)

    16      8     LastAccessed FILETIME (URL)

    24      4     Expiration FATTIME

    92      4     Last Checked FATTIME


    FATTIME

    offset  size  description

    0       2     date

    2       2     time

    In little-endian the 16-bit date value corresponds to:

    offset       size    description

    Bit 0 (LSB)  5 bits  Day of the month

    Bit 5        4 bits  Month (0x01 => January)

    Bit 9        7 bits  Year (0x00 => 1980)

    In little-endian the 16-bit time value corresponds to:

    offset       size    description

    Bit 0 (LSB)  5 bits  Seconds in 2 second intervals

    Bit 5        6 bits  Minutes

    Bit 11       5 bits  Hours


    IE Cookies

    Cookies exist to add state information to web browser sessions

    Not all sites use them

    Small text files (persistent cookies)

    Session cookies in memory only

    Included data:

    Issuing website

    Account on that site

    NTFS FILETIMEs

    Website specific data in cookie

    Some cookie data is encrypted & some is not


    Index.dat Record (Cookie URL)

    Offset  Size  Description

    0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)

    4       4     # of 128 byte blocks in record

    8       8     LastModified FILETIME (URL) (last changed by server)

    16      8     LastAccessed FILETIME (URL) (last uploaded)

    24      4     Expiration FATTIME

    84      4     Hits (times uploaded)

    92      4     Last Checked FATTIME
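An added parser for the record layouts in the history, cache and cookie tables above, together with the FATTIME bit layout; this is example code, not course material, and the 128-byte record it parses is constructed inside the block rather than taken from a real index.dat.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KNOWN_SIGS = (b"URL", b"REDR", b"HASH", b"LEAK")


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def fattime_to_datetime(raw: bytes):
    """4-byte little-endian FATTIME (date word, then time word) -> naive local time.
    Bit layout follows the FATTIME slide; an all-zero field means 'not set'."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    day, month, year = date & 0x1F, (date >> 5) & 0x0F, (date >> 9) + 1980
    sec2, minute, hour = time & 0x1F, (time >> 5) & 0x3F, time >> 11
    return datetime(year, month, day, hour, minute, sec2 * 2)


def parse_record(buf: bytes, offset: int) -> dict:
    """Parse one index.dat record header at offset, using the slides' offsets."""
    sig = buf[offset:offset + 4].rstrip(b" ")
    if sig not in KNOWN_SIGS:
        raise ValueError("unknown record signature %r at %d" % (sig, offset))
    blocks = struct.unpack_from("<I", buf, offset + 4)[0]
    rec = {"signature": sig.decode(), "size": blocks * 128}
    if sig == b"URL":
        modified, accessed = struct.unpack_from("<QQ", buf, offset + 8)
        rec["last_modified"] = filetime_to_datetime(modified)
        rec["last_accessed"] = filetime_to_datetime(accessed)
        # The fields below are the ones the cache and cookie record tables add.
        rec["expires"] = fattime_to_datetime(buf[offset + 24:offset + 28])
        rec["hits"] = struct.unpack_from("<I", buf, offset + 84)[0]
        rec["last_checked"] = fattime_to_datetime(buf[offset + 92:offset + 96])
    return rec


def build_sample_record() -> bytes:
    """Constructed one-block cookie URL record; not taken from a real file."""
    rec = bytearray(128)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, 1)                    # one 128-byte block
    delta = datetime(2012, 2, 1, 12, tzinfo=timezone.utc) - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    struct.pack_into("<QQ", rec, 8, ft, ft + 3600 * 10_000_000)  # accessed 1 h later
    # FATTIME 2012-02-15 08:30:10: year 32 (since 1980), month 2, day 15; 8 h, 30 min, 5 x 2 s
    struct.pack_into("<HH", rec, 24, (32 << 9) | (2 << 5) | 15, (8 << 11) | (30 << 5) | 5)
    struct.pack_into("<I", rec, 84, 7)                   # hits
    return bytes(rec)
```

The last-checked FATTIME is left zero in the sample, so the parser reports it as not set; a record whose block count runs past the end of the file is the kind of thing to flag by hand.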


    Sample Google Analytics Tracking Cookie

    __utma (Timestamps in UNIX Epoch Time)

    Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N

    XXXX - Hash of client's domain

    RRRR - Random unique ID for client (this is what makes it a tracking cookie)

    FFFF - Date of first visit to site (probably following the last clear of cookies)

    PPPP - Timestamp of previous (last) visit

    CCCC - Current timestamp

    N - Number of sessions since first visit (incremented each time new session started after first)
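An added parser for the __utma layout described above (example code, not from the course); the sample value is constructed, not captured from a system.

```python
from datetime import datetime, timezone


def parse_utma(value: str) -> dict:
    """Split an __utma value (XXXX.RRRR.FFFF.PPPP.CCCC.N) into named fields.
    The three timestamps are UNIX epoch seconds, as the slide states."""
    parts = value.split(".")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("malformed __utma value: %r" % value)
    domain_hash, visitor_id, first, previous, current, sessions = map(int, parts)
    as_utc = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "domain_hash": domain_hash,
        "visitor_id": visitor_id,            # the per-client random tracking ID
        "first_visit": as_utc(first),
        "previous_visit": as_utc(previous),
        "current_visit": as_utc(current),
        "session_count": sessions,
        "days_since_first_visit": (current - first) // 86400,
        # A genuine cookie only moves forward in time; out-of-order values point
        # to a clock change, tampering or a mis-parsed record, so flag them.
        "chronological": first <= previous <= current,
    }


# Constructed sample value, not a cookie captured from a real system.
SAMPLE_UTMA = "173272373.1234567890.1328097600.1328184000.1328270400.3"
```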


    IE Downloads

    Often saved to default locations

    XP default download folder defined by registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory

    Defaults to the user's desktop

    Vista/Win7 uses \Downloads\ as default

    If file opened rather than saved, temp copy created in IE cache folder, never cleaned unless manually

    IE9 has separate index.dat for downloads


    IE Auto-Complete (other than history)

    Typed URLs registry key maintains list of last 25 URLs typed by the user

    HKU\*\Software\Microsoft\Internet Explorer\TypedURLs


    IE Auto-Complete (other than history)

    Protected Storage (IE4-6; Also used by Outlook Express & MSN Explorer)

    Form Autofill Field Data

    Accounts & Passwords (Web, FTP, Others) [checkbox]

    Encrypted on disk but not in memory. Trivial to acquire from live system, & crackable from a dead one

    (IE4-6) HKU\*\Software\Microsoft\Protected Storage System Provider\

    (IE7+) HKU\*\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 - Encrypted, but key is name of website


    Changes in Vista/Win7

    As mentioned previously, file locations have changed

    Protected Mode web browsing is performed as an unprivileged user

    This is where the 2nd "Low" filename comes from in the various file artifacts

    There are two sets because not all operations use Protected Mode

    IE7-9 all support Protected Mode on Vista/Win7


    IE8/9 Automatic Crash Recovery

    Complete activity tracking for current & previous session

    Enabled by default (even in InPrivate Mode). Deleted (but often recoverable) when History cleared

    Information tracked:

    Tabs Open

    List of websites viewed in each tab, with referrers for each

    Session end time

    Time each tab was opened (Only if a crash occurred or if for some other reason files are still present in the Active folder)

    Code from the page

    Form data & Other artifacts


    IE8/9 Crash Recovery Folders

    XP (IE8 Only)

    \Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active

    \Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active

    Vista/Win7

    Current: \AppData\Local\Microsoft\Internet Explorer\Recovery\Active

    Previous: \AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active

    Files have .dat extension & are stored in Structured Storage Format

    Like Jump Lists, can be examined using MiTeC Structured Storage Viewer


    IE8/9 Suggested Sites

    Opt-in or out at install time

    Data located in \AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat

    Tracks all sites visited to suggest similar ones

    Does not track local, HTTPS, or InPrivate browsing

    Normally deleted when history is, but may get out of sync. May not be handled by 3rd party wiping utilities.


    SuggestedSites.dat

    Starts out 5M in size

    Records include, in order:

    URL of visited page (null terminated)

    Title of visited page (null terminated)

    URL of referring page (null terminated)

    5 unknown bytes

    Windows FILETIME when page visited

    Could probably write a simple perl or python script to parse

    Unknown binary format, so view with a hex editor

    Didn't test this myself. All direct data from Internet sources
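The parse script the slide suggests, as an added example that is not course code: it follows the record description above, assumes single-byte strings and a zero-filled unused tail (the slide says neither), and runs on a constructed buffer rather than a real SuggestedSites.dat.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)            # ValueError if no terminator is left
    return buf[pos:end].decode("utf-8", "replace"), end + 1


def parse_suggested_sites(buf: bytes) -> list:
    """Walk records as the slide describes them: URL, title, referrer (each
    NUL-terminated), 5 unknown bytes, then a FILETIME. Assumes single-byte
    strings and that the unused remainder of the file is zero-filled."""
    records, pos = [], 0
    while pos < len(buf):
        try:
            url, pos = _cstring(buf, pos)
            if not url:                      # empty URL: no more records, padding follows
                break
            title, pos = _cstring(buf, pos)
            referrer, pos = _cstring(buf, pos)
        except ValueError:
            break                            # truncated record at end of buffer
        if pos + 13 > len(buf):
            break
        unknown, (ft,) = buf[pos:pos + 5], struct.unpack_from("<Q", buf, pos + 5)
        pos += 13
        records.append({"url": url, "title": title, "referrer": referrer,
                        "unknown": unknown.hex(),
                        "visited": EPOCH_1601 + timedelta(microseconds=ft // 10)})
    return records


def build_sample(visits) -> bytes:
    """Constructed SuggestedSites.dat-style buffer (not from a real system)."""
    out = bytearray()
    for url, title, referrer, when in visits:
        delta = when - EPOCH_1601
        ft = (delta.days * 86400 + delta.seconds) * 10_000_000
        for text in (url, title, referrer):
            out += text.encode() + b"\x00"
        out += b"\x00" * 5 + struct.pack("<Q", ft)
    return bytes(out) + b"\x00" * 64          # zero-filled tail, as in a fresh 5 MB file


SAMPLE_VISITS = [
    ("http://example.com/", "Example", "", datetime(2012, 2, 1, 12, tzinfo=timezone.utc)),
    ("http://example.com/news", "News", "http://example.com/",
     datetime(2012, 2, 1, 12, 5, tzinfo=timezone.utc)),
]
```

Comparing the recovered URLs and FILETIMEs against History.IE5 is a quick way to catch the out-of-sync case the previous slide mentions.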


    IE8/9 InPrivate (Porn) Browsing Mode

    So what's left?

    Recover deleted cache files

    Session Recovery files (& deleted session recovery files)

    Incompletely cleaned remnants from index.dat

    Network traffic or proxy logs

    Data from memory if you can get it


    IE Browser Helper Objects

    A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    Details of BHO under HKLM\SOFTWARE\Classes\CLSID\


    Flash Cookies/Local Shared Objects

    Potentially much larger than regular cookies

    Not cleared when they are.

    .SOL file extension

    Usually stored in folders under:

    Vista/Win7: \AppData\Roaming\Macromedia\Flash Player

    XP: \Application Data\Macromedia\Flash Player

    Sometimes found in other locations

    Until recent updates, no easy way to clear


    Java Downloads

    Another separate application, but potentially runs downloaded code

    Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common

    Cache folder:

    XP: \Application Data\Sun\Java\Deployment\cache\6.0

    Vista/Win7: \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6


    Java Downloads

    IDX files in this cache are Java applet cache indexes

    Included data:

    Filename

    URL downloaded from

    IP of source host

    Last modified date

    Downloaded date


    IE8/9 DOM Storage

    HTML 5.0 equivalent to Flash Cookies

    Located in XML files and Index.dat under:

    XP: \Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore

    Vista/Win7: \AppData\Local\Microsoft\Internet Explorer\DOMStore


    Basic Types of Searching

    Regular: Actually searches in real time after search terms are defined

    Indexed: Preprocesses data to extract indexes of all strings, then uses these indexes to optimize searching.

    Implementations vary & frequently produce false negatives (Examples: Nuix, Dtsearch, EnCase, FTK)

    Much faster than regular searches once index is constructed

    A very useful tool, but not something to depend on


    Composing Search Terms

    Always search for Unicode as well as ASCII. This is used in many places by Windows.

    You may also want to use case-insensitive mode

    Use regular expression syntax to filter out false positives for short keywords, to match values that can't be expressed in normal ASCII, or to match abstract patterns such as credit card numbers, SSNs, or IP addresses


    Regular Expressions

    Exact supported syntax varies from tool to tool, but in general, the following primitives should work:

    . - match any single character

    [] - Defines a character class, a list of characters inside the brackets which will match in this character position (may contain inclusive ranges such as a-z)

    [^] - Defines a negated character class, a list of characters after the caret which will not match in this character position (may contain inclusive ranges such as a-z)

    * - 0 or more repeats of the element in the preceding position

    + - 1 or more repeats of the element in the preceding position

    ? - 0 or 1 repeats of the element in the preceding position

    {m,n} - minimum of m and maximum of n repeats of the element in the preceding position

    () - grouping of elements

    | - alternation of preceding and following elements (either/or)

    \ - escape of a literal metacharacter such as any of the following []-^*+?(){}\ in contexts where they would otherwise be interpreted as specified above
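An added example (not course code) covering both the Composing Search Terms and the Regular Expressions slides: it builds a keyword search that matches the ASCII and the UTF-16LE ("Unicode") form of a term, case-insensitively, and an IPv4 pattern assembled from the primitives listed above that filters out impossible octets; the byte buffer it scans is constructed.

```python
import re


def keyword_pattern(keyword: str, ignore_case: bool = True):
    """Byte regex matching keyword as ASCII or as UTF-16LE, the 'Unicode' form
    Windows uses in the registry, the MFT and many of its own files."""
    raw = keyword.encode("ascii")
    ascii_form = re.escape(raw)
    # UTF-16LE of ASCII text is each character byte followed by a NUL byte.
    utf16_form = b"".join(re.escape(bytes([b])) + b"\x00" for b in raw)
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(b"(?:" + ascii_form + b")|(?:" + utf16_form + b")", flags)


def find_keyword(buf: bytes, keyword: str) -> list:
    """Return (offset, encoding, text) for every hit in a raw byte buffer."""
    hits = []
    for m in keyword_pattern(keyword).finditer(buf):
        enc = "utf-16le" if b"\x00" in m.group(0) else "ascii"
        hits.append((m.start(), enc, m.group(0).decode(enc)))
    return hits


# Abstract pattern built from the slide's primitives: four 1-3 digit groups
# separated by dots; the lookarounds stop a longer digit run from matching.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def find_ipv4(buf: bytes) -> list:
    """IPv4 candidates whose octets are all <= 255 (drops e.g. 300.1.2.3)."""
    return [m.group(0).decode() for m in IPV4_RE.finditer(buf)
            if all(int(o) <= 255 for o in m.group(0).split(b"."))]


# Constructed sample buffer mixing ASCII text with a UTF-16LE string; not real evidence.
SAMPLE = (b"user=Alice;ip=10.0.0.5;bad=300.1.2.3\x00"
          + "File: Invoice.DOC".encode("utf-16le") + b"\x00\x00")
```

A plain ASCII search for "invoice" misses the UTF-16LE hit entirely, which is the false negative the previous slide warns about.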


    Important Things Extractable from Memory

    Registry Keys & Values

    Password Hashes

    Process List

    Loaded DLL lists for each process

    Open net connections & sockets

    Cmd.exe history


    Questions?