cns 320 week9 lecture
7/22/2019 CNS 320 Week9 Lecture
CNS 320 COMPUTER
FORENSICS & INCIDENTRESPONSE
Week 9 Lecture
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Any questions before the Quiz?
Final Exam Next Week
No notes
Covers material from the beginning through lecture #8
We'll review tonight after I get through the new material
No lab today because of the missed class period due to the Memorial Day holiday
New Material This Week
Other Browsers
Firefox
Google Chrome
Safari (in passing)
Firefox
Numerous versions, especially recently
Major changes to forensic artifacts occurred between version 2 and 3, which was released in June of 2008
We will primarily concern ourselves with pre-3.0 and 3.0+ versions
Firefox Artifacts
History
Cache
Cookies
Bookmarks/Favorites
No usage of the registry. All artifacts are stored in files, mostly using complex database formats.
Firefox File Locations (non-cache)
XP: \Application Data\Mozilla\Firefox\Profiles\
Vista/Win7: \AppData\Roaming\Mozilla\Firefox\Profiles\
Firefox File Locations (cache)
XP: \Local Settings\Application Data\Mozilla\Firefox\Profiles\<profile>\Cache
Vista/Win7: \AppData\Local\Mozilla\Firefox\Profiles\<profile>\Cache
(<profile> stands for the profile folder name)
Firefox Version Determination
If less than 3.0, there will be no .sqlite files in the Firefox profile folder
The exact version can be determined by examining prefs.js in the Firefox profile folder for the line setting the value named extensions.lastAppVersion
Example: user_pref("extensions.lastPlatformVersion", "9.0.1");
(extensions.lastPlatformVersion records the Gecko platform version; for Firefox releases it carries the same value as the application version in extensions.lastAppVersion)
Firefox Profiles Before Version 3
History files stored using the Mork format (an obscure text-based DB): history.dat, formhistory.dat
Bookmarks stored in HTML: bookmarks.html
Cookies & Downloads stored as text: cookies.txt, downloads.rdf
Cache references are stored in a complex database, and some actual cache data is stored in a binary format
Firefox History Before Version 3
MORK Field Names
Complete URL: URL
Page Title: Name
First Visited: FirstVisitDate
Last Visited: LastVisitDate
# of times site visited: VisitCount
Whether URL was typed: Typed
Page retrieved w/o user action?: Hidden
Referring Page: Referrer
Firefox Cookies Before Version 3
Data stored in tab-separated columns in cookies.txt (one row per cookie)
Col1: website domain
Col2: TRUE/FALSE, does the cookie apply to all hosts under that domain (subdomains)?
Col3: webserver directory path for which the cookie is valid
Col4: HTTPS only?
Col5: Expiration date (Unix epoch time)
Col6: cookie name
Col7: values/preferences stored
Pre Firefox 3 Cookie Example
.youtube.com TRUE / FALSE 1317674985 __utma 27069237.1816673280909886200.1243093244.1253991722.1254602985.13
.youtube.com TRUE / FALSE 1276028394 VISITOR_INFO1_LIVE N2Xmi-uMhTo
.youtube.com TRUE / FALSE 1306165239 __utmx 27069237.00004945564262247550:3:0-0-10
.youtube.com TRUE / FALSE 1306165239 __utmxx 27069237.00004945564262247550:1243093239:2592000
.youtube.com TRUE / FALSE 1258861243 __utmz 27069237.1243093244.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
.youtube.com TRUE / FALSE 1520356702 LOCALE_PREFERENCE 86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw==
BTW, important note: you should be able to recognize the format of that last entry. It's called Base64, and sometimes it translates to interesting values.
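As an added example (not part of the lecture slides), here is a small Python parser for this cookies.txt layout. It converts the epoch expiry to a UTC date, flags the secure/subdomain columns, and tries a Base64 decode of each value, pulling out printable runs the way strings(1) would. The two youtube.com rows are copied from the slide; the .example.test row, the handling of a "#HttpOnly_" line prefix and the treatment of expiry 0 as a session cookie are assumptions made for the example.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Constructed sample in the Netscape cookies.txt layout: tab-separated, one cookie per row.
# The two youtube.com rows are from the slide; the last row is made up to exercise
# the HttpOnly-prefix and session-cookie cases (both assumptions, not from the slide).
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    ".youtube.com\tTRUE\t/\tFALSE\t1317674985\t__utma\t"
    "27069237.1816673280909886200.1243093244.1253991722.1254602985.13",
    ".youtube.com\tTRUE\t/\tFALSE\t1520356702\tLOCALE_PREFERENCE\t"
    "86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw==",
    "#HttpOnly_.example.test\tTRUE\t/\tTRUE\t0\tsid\tabc123",
])

HTTPONLY_PREFIX = "#HttpOnly_"   # some writers mark HttpOnly cookies this way (assumption)


def parse_cookies_txt(text):
    """Return one dict per cookie row; comment and blank lines are skipped."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        httponly = False
        if line.startswith(HTTPONLY_PREFIX):
            httponly = True
            line = line[len(HTTPONLY_PREFIX):]
        elif not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated columns, got {len(cols)}")
        domain, subdomains, path, secure, expiry, name, value = cols
        expiry = int(expiry)
        cookies.append({
            "domain": domain,
            "include_subdomains": subdomains == "TRUE",   # Col2
            "path": path,                                   # Col3
            "secure": secure == "TRUE",                     # Col4
            "httponly": httponly,
            # Col5: Unix epoch seconds; 0 is treated as a session cookie (assumption)
            "expires": datetime.fromtimestamp(expiry, timezone.utc) if expiry else None,
            "name": name,                                   # Col6
            "value": value,                                 # Col7
        })
    return cookies


_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(value):
    """Return the decoded bytes when the value is syntactically valid Base64, else None."""
    if len(value) % 4 or not _B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_strings(data, minlen=5):
    """strings(1)-style: runs of printable ASCII at least minlen bytes long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


if __name__ == "__main__":
    for c in parse_cookies_txt(SAMPLE_COOKIES_TXT):
        exp = c["expires"].isoformat() if c["expires"] else "session"
        print(f"{c['domain']:<25} {c['name']:<20} expires={exp}")
        raw = decode_if_base64(c["value"])
        if raw:
            print("   base64 ->", printable_strings(raw))
```

The LOCALE_PREFERENCE value decodes as a whole (it is 48 Base64 characters), but only its tail is meaningful: the printable run "en_US" is what the slide means by an interesting value, while the leading 32 hex-looking characters decode to noise. A value that merely passes the Base64 syntax check (for instance a 4- or 8-letter word) is not proof that it was Base64-encoded, so keep the decoded output next to the original when reporting.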
Useful online format translator
http://home.paulschou.net/tools/xlate/
Converts between Text, Binary, Hex, Decimal, Base64, ASCII and Hash
Firefox 2 DOM Storage
Supposedly supported
I don't think it used SQLite
Can't find further information
Firefox Cache (All Versions)
Folder Structure:
_CACHE_MAP_: Master tracking file for the cache
_CACHE_###_: Cache block files. Primary storage locations
########: (8 character hex number) Data files which store entries too large to fit within a cache block file
Data files are stored with the content encoding (deflate or gzip) intact, unlike IE; they can often be carved from unallocated
Pre Firefox 3 Bookmarks
Found in bookmarks.html. Sample entry (only the bookmark title survives in this copy):
Cascading Style Sheets, level 2 revision 1
URL, bookmark add and last modify dates, and page title noted in bold
Pre Firefox 3 Bookmark Backups
Stored in the bookmarkbackups subfolder
Up to 5 copies, one per day
Filename: bookmarks-<date>.html
Copies of bookmarks.html
Pre Firefox 3 Download History
XML fields in downloads.rdf:
Name: Downloaded file name
URL: Download URL
File: Save location
DateStarted: Time download started
DateEnded: Time download ended
DownloadState: Successful?
Times are in the local system timezone
Default download folder is the user's desktop
Settable via browser.download.dir in prefs.js
Pre Firefox 3 Form Autocomplete
Mork fields from formhistory.dat:
Name: Name of the field for which data was entered
Value: Data entered into the form field
Firefox Session Restore (all versions)
Data found in sessionstore.js:
Open windows
Window screen positions & sizes
Scroll positions
Tab history
Cookies
Form Data
Restartable failed file downloads
File is deleted on normal exit
Firefox Privacy Options
By default, FF1-3 keeps 90 days of history
FF4+ dynamically determines the amount of saved history based on system resources (could be more)
Lots of options for controlling what's retained and what's automatically deleted, on a very granular basis
These are stored in prefs.js
It's also easy to selectively delete sites from the collected history
Firefox Privacy Settings (10.0)
Right-click "Forget About This Site" option in the History view
Clear Recent History Options
Signs of Cleared History
To clear DOM Storage, the user must select both Cookies and Everything
Record ID numbers in SQLite are assigned sequentially, so selective deletion will leave gaps.
Selective site history deletion causes the entire browser cache to be deleted
Private Browsing (Porn) Mode
Solid implementation
Protects History, Search History, Download History, Form Data, Cookies, & Cache Data
Bookmarks aren't protected, and neither (because they're filesystem artifacts) are files that are actually downloaded
The only known ways to recover most of this data involve carving from unallocated or memory
Recovering Deleted Firefox Artifacts
SQLite is known for the frequency with which it creates temporary files
Even if there are no browser artifacts still in allocated space, odds are very good that there are fragments scattered all across unallocated
It's also very possible that some of these files may be intact SQLite database files
SQLite Database File Format
File begins with the 16-byte magic number "SQLite format 3\000" (the \000 is actually a single null byte)
At offset 16 is a 2-byte big-endian quantity: the database page size in bytes, a power of 2 between 512 and 32768, or the value 1, which is interpreted as a page size of 65536
At offset 28 is a 4-byte big-endian quantity, the size of the database file in pages. It is only reliable when the 4-byte file change counter at offset 24 equals the "version-valid-for" number at offset 92; files last written by SQLite older than 3.7.0 leave it 0, and then the size has to be taken from the file itself
This data should make it relatively simple to carve the file out of unallocated space
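The header walk above, as an added Python example that is not part of the lecture: it validates the magic and page size, computes the file length from the page count (only when the change-counter check says the count can be trusted), and carves every such database out of a byte blob. The sample database is constructed inline with Python's own sqlite3 module and buried in junk; the moz_places-style table and its rows are assumptions for the example, not a real Firefox file.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def parse_sqlite_header(buf, off=0):
    """Decode the 100-byte SQLite header at buf[off:]; None if no valid header is there.

    file_size is None when the in-header page count cannot be trusted: it is only
    valid while the change counter (offset 24) equals the version-valid-for
    number (offset 92), and writers older than SQLite 3.7.0 left it 0."""
    if buf[off:off + 16] != SQLITE_MAGIC or len(buf) < off + 100:
        return None
    page_size = struct.unpack_from(">H", buf, off + 16)[0]
    if page_size == 1:
        page_size = 65536          # 65536 does not fit in 2 bytes, so it is encoded as 1
    if page_size < 512 or page_size & (page_size - 1):
        return None                # must be a power of two >= 512: not a real header
    change_counter = struct.unpack_from(">I", buf, off + 24)[0]
    page_count = struct.unpack_from(">I", buf, off + 28)[0]
    version_valid_for = struct.unpack_from(">I", buf, off + 92)[0]
    trusted = page_count != 0 and change_counter == version_valid_for
    return {
        "page_size": page_size,
        "page_count": page_count,
        "file_size": page_size * page_count if trusted else None,
    }


def carve_sqlite(blob):
    """Return (offset, size, header) for every carvable database found in blob."""
    hits = []
    pos = blob.find(SQLITE_MAGIC)
    while pos != -1:
        hdr = parse_sqlite_header(blob, pos)
        if hdr and hdr["file_size"] and pos + hdr["file_size"] <= len(blob):
            hits.append((pos, hdr["file_size"], hdr))
        pos = blob.find(SQLITE_MAGIC, pos + 1)
    return hits


def build_sample_blob():
    """Constructed input: a small history-like database surrounded by junk bytes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "places.sqlite")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
        con.executemany("INSERT INTO moz_places(url, title) VALUES (?, ?)",
                        [("http://example.test/a", "A"), ("http://example.test/b", "B")])
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db_bytes = f.read()
    junk = b"\x00" * 777 + b"unrelated unallocated data " * 20
    return db_bytes, junk + db_bytes + b"\xff" * 1234


def rows_from_carved(db_bytes):
    """Write the carved bytes to a scratch file and query them like a normal database."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "carved.sqlite")
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        try:
            return con.execute("SELECT url, title FROM moz_places ORDER BY id").fetchall()
        finally:
            con.close()


if __name__ == "__main__":
    original, blob = build_sample_blob()
    for off, size, hdr in carve_sqlite(blob):
        print(f"offset={off} size={size} page_size={hdr['page_size']} pages={hdr['page_count']}")
        print(rows_from_carved(blob[off:off + size]))
```

Two caveats when running this against a real image: a carved copy reflects the last checkpointed state only, so the -journal or -wal file that lived next to the database may hold newer (or deleted) pages; and a header whose page count fails the trust check still marks a database start, it just does not tell you where the file ends.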
Firefox 3+ Profiles
Most Firefox 3+ data is stored in SQLite DB format
History, Bookmarks, Autocomplete: places.sqlite
Download History: downloads.sqlite
Form Autocomplete: formhistory.sqlite
Cookies: cookies.sqlite
Usernames & Passwords: signons.sqlite (3.5+)
DOM Storage: webappsstore.sqlite
Cache mechanism unchanged from Ver. 2
Firefox History Version 3+
SQLite Field Names (in places.sqlite: url, title, visit_count, typed and hidden are columns of moz_places; the per-visit columns are in moz_historyvisits, joined through moz_historyvisits.place_id = moz_places.id)
Complete URL: url
Page Title: title
Date Visited: visit_date (every visit is tracked, one row each)
# of times site visited: visit_count
Whether URL was typed: typed
Page retrieved w/o user action?: hidden
Referring Page: from_visit (the id of the referring visit row, not a URL)
Type of visit (new field, see next slide): visit_type
Firefox History Visit Types
1. Link Clicked
2. URL Typed
3. Bookmark Used
4. Loaded as content within a page
5. HTTP 301 Permanent Redirect
6. HTTP 302 Temporary Redirect
7. Non-HTML File Downloaded
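An added example, not from the lecture: the Python below builds a trimmed, constructed copy of the Firefox 3+ places.sqlite schema in memory (moz_places plus moz_historyvisits), produces a visit timeline that converts the PRTime visit_date, labels visit_type with the numbers from the slide, resolves from_visit to the referring URL, and lists the missing sequential ids that the "Signs of Cleared History" slide says selective deletion leaves behind. The sample rows, the reduced column set and the deleted ids are assumptions for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# visit_type values as listed on the slide
VISIT_TYPES = {
    1: "link clicked", 2: "URL typed", 3: "bookmark used", 4: "embedded content",
    5: "HTTP 301 permanent redirect", 6: "HTTP 302 temporary redirect", 7: "download",
}
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime(dt):
    """datetime -> PRTime, microseconds since the Unix epoch, as Firefox stores it."""
    return int((dt - UNIX_EPOCH).total_seconds() * 1_000_000)


def build_sample_places(con):
    """Constructed rows using the moz_places / moz_historyvisits column names of
    Firefox 3+, with the schema trimmed to the columns this example reads."""
    con.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, hidden INTEGER, typed INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
                                       place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    t0 = datetime(2012, 2, 20, 11, 49, 46, tzinfo=timezone.utc)
    places = [(1, "http://example.test/", "Example", 1, 0, 1),
              (2, "http://example.test/login", "Login", 1, 0, 0),
              (3, "http://example.test/tool.exe", None, 1, 0, 0),
              (5, "http://tracker.test/pixel.gif", None, 1, 1, 0)]   # id 4 absent: deleted
    visits = [(10, 0, 1, prtime(t0), 2),                                # typed
              (11, 10, 2, prtime(t0 + timedelta(seconds=30)), 6),     # 302 from visit 10
              (12, 11, 3, prtime(t0 + timedelta(minutes=2)), 7),      # download from visit 11
              (14, 0, 5, prtime(t0 + timedelta(minutes=3)), 4)]       # id 13 absent: deleted
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", places)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", visits)


def sample_connection():
    con = sqlite3.connect(":memory:")
    build_sample_places(con)
    return con


TIMELINE_SQL = """
SELECT v.id, v.visit_date, p.url, p.title, v.visit_type, p.hidden, p.typed,
       ref.url AS referrer
FROM moz_historyvisits v
JOIN moz_places p ON p.id = v.place_id
LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
LEFT JOIN moz_places ref ON ref.id = rv.place_id
ORDER BY v.visit_date
"""


def timeline(con):
    """One dict per visit, oldest first, with the referrer URL resolved."""
    rows = []
    for vid, vdate, url, title, vtype, hidden, typed, referrer in con.execute(TIMELINE_SQL):
        when = UNIX_EPOCH + timedelta(microseconds=vdate)   # PRTime -> UTC datetime
        rows.append({"id": vid, "time": when.isoformat(), "url": url, "title": title,
                     "type": VISIT_TYPES.get(vtype, f"unknown({vtype})"),
                     "hidden": bool(hidden), "typed": bool(typed), "referrer": referrer})
    return rows


def id_gaps(con, table):
    """Sequential ids that are missing from a table: a sign of selective deletion.
    The table name is trusted input here (one of the two fixed names above)."""
    ids = [r[0] for r in con.execute(f"SELECT id FROM {table} ORDER BY id")]
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present] if ids else []


if __name__ == "__main__":
    con = sample_connection()
    for row in timeline(con):
        print(row)
    print("gaps in moz_places:", id_gaps(con, "moz_places"))
    print("gaps in moz_historyvisits:", id_gaps(con, "moz_historyvisits"))
```

Gaps only show up when the deleted row was not the highest id: a table declared without AUTOINCREMENT hands out max(id)+1, so a record deleted from the end of the table is replaced without a trace in the id sequence. The deleted rows themselves may still be present as free-list pages inside the file or in the -journal/-wal file next to it, which is where the carving discussed above comes in.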
Firefox 3+ Cookies
SQLite Field Names from the moz_cookies table in cookies.sqlite:
host: website domain
path: webserver directory path for which the cookie is valid
isSecure: HTTPS?
isHttpOnly: not readable by page script
expiry: Expiration date
name: cookie name
value: values/preferences stored
lastAccessed: Date the website last accessed the cookie
id (FF3): Created date? (one reference)
creationTime (FF4+): Created date
Firefox 3+ DOM Storage
SQLite Field Names from the webappsstore2 table in webappsstore.sqlite:
scope: Site name (host stored reversed), http/https, port
key: Value name
value: Value contents
secure: HTTPS Required?
owner: Not populated in my testing
Another reference claims this data is sometimes found in webappstore2.sqlite instead
Firefox 3+ Bookmarks
Found in the moz_bookmarks table in places.sqlite
Firefox 3+ Bookmark Backups
Stored in the bookmarkbackups subfolder
Up to 10 copies, one per day (FF3 only stored up to 5)
Filename: bookmarks-<date>.json, JavaScript Object Notation (JSON) format
Text-based, and contains references to the same field names as in places.sqlite
bookmarks.bak may also exist. Unclear under what circumstances it gets created
Firefox 3+ Download History
SQLite fields in downloads.sqlite:
name: Name of downloaded file
mimeType: File type of downloaded file
source: Download URL
referrer: Referring URL
target: Save location
preferredApplication: Application used to open the file
startTime: Time download started
endTime: Time download ended
maxBytes: Size of download
state: Successful?
Firefox 3+ Form Autocomplete
SQLite fields from formhistory.sqlite:
fieldname: Name of the field for which data was entered
value: Data entered into the form field
timesUsed: # of times the value has been entered
firstUsed: Time data first typed (PRTime)
lastUsed: Time data last used (PRTime)
Google Chrome
File Locations: According to Digital Forensics with Open Source Tools:
XP: \Local Settings\Application Data\Google\Chrome\default
Vista/Win7: \AppData\Local\Google\Chrome\default
Folders installed by the current version of Chrome:
XP: \Local Settings\Application Data\Google\Chrome\User Data\Default
Vista/Win7: \AppData\Local\Google\Chrome\User Data\Default
http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597495868
Chrome Initial Data
Initial history & cookie data appears to have been silently imported from other browsers when Chrome was installed
Subfolders of the Chrome Default Folder
Cache
Extensions
Local Storage
User Stylesheets
SQLite Database Files in the Chrome Default Folder
Archived History
Cookies
Favicons
History
History Index ####-## (year-month)
Login Data
Network Action Predictor
Shortcuts
Top Sites
Web Data
Non-SQLite Files in the Chrome Default Folder
Bookmarks (JSON)
Bookmarks.bak (JSON)
Current Session (SNSS)
Current Tabs (SNSS)
History Provider Cache (Protocol buffers)
Last Session (SNSS)
Last Tabs (SNSS)
Preferences (JSON)
Visited Links (unknown binary format)
Bookmarks (Legacy? Same data appears in the Shortcuts SQLite DB)
JSON, mostly human readable:
{ "date_added": "12974427976796875", "id": "4", "name": "Google", "type": "url", "url": "http://www.google.com/" },
Dates can be converted using Dcode.exe (Chrome Time: microseconds since 1601-01-01 UTC)
ID is the order in which the entry appears. The first three are usually the default folders: Bookmark Bar, Other Bookmarks, Mobile Bookmarks
History Provider Cache: in Protocol Buffers format
Download the Protocol Buffers compiler, then (the file name contains spaces, so quote it):
protoc --decode_raw < "History Provider Cache" > out.txt
Some extracted values will resemble:
2 {
  1: 126
  2: 0
  3: 0
  4: 12974212186000000
  5: "file:///C:/Documents%20and%20Settings/John%20McCash/Local%20Settings/Temp/rninst~0/ui_data/pages/progress/index.html?distcode=R71RR1&prod=RealPlayer&ver=15.0&li=en&oem=rp15_en_us&loc=us"
  6: "RealNetworks"
}
The long number (field 4) decodes (via Dcode.exe, Chrome time) to a date
Note: I visited this site two days before installing Chrome!
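Several timestamp formats appear in this deck: Unix epoch seconds in cookies.txt, PRTime microseconds in the Firefox 3+ SQLite files, and Chrome/WebKit time (microseconds since 1601-01-01 UTC) in Chrome's Bookmarks and History Provider Cache. The Python below is an added example, not part of the lecture: it converts each format and guesses a raw integer's format from its digit count, so the Dcode.exe step can be done offline. The Windows FILETIME case and the digit-count heuristic (which only works for dates roughly between 2001 and 2030) are my additions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows / WebKit epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix / PRTime epoch


def unix_to_dt(seconds):
    """Unix epoch seconds (cookies.txt expiry column, many logs)."""
    return EPOCH_1970 + timedelta(seconds=seconds)


def prtime_to_dt(micros):
    """PRTime: microseconds since 1970 (Firefox 3+ places, formhistory, cookies)."""
    return EPOCH_1970 + timedelta(microseconds=micros)


def chrome_time_to_dt(micros):
    """Chrome/WebKit time: microseconds since 1601 (Bookmarks date_added, History visit_time)."""
    return EPOCH_1601 + timedelta(microseconds=micros)


def filetime_to_dt(intervals):
    """Windows FILETIME: 100-nanosecond intervals since 1601 (IE index.dat, NTFS).
    Not on the slide; included because IE artifacts use it."""
    return EPOCH_1601 + timedelta(microseconds=intervals // 10)


# (name, number of decimal digits a 2001..2030 value has in this format, converter)
_CANDIDATES = [
    ("unix_seconds", 10, unix_to_dt),
    ("unix_millis", 13, lambda v: unix_to_dt(v / 1000)),
    ("prtime_micros", 16, prtime_to_dt),
    ("chrome_micros", 17, chrome_time_to_dt),
    ("filetime_100ns", 18, filetime_to_dt),
]


def guess_timestamp(raw):
    """Heuristic: pick the format whose digit count matches and whose result lands
    in a plausible year window. Returns (format_name, datetime) or None."""
    n = int(raw)
    digits = len(str(n))
    for name, width, conv in _CANDIDATES:
        if digits == width:
            dt = conv(n)
            if 2001 <= dt.year <= 2030:
                return name, dt
    return None


if __name__ == "__main__":
    # the three raw values that appear on the slides
    for raw in ("1317674985", "12974427976796875", "12974212186000000"):
        print(raw, "->", guess_timestamp(raw))
```

Run against the deck's own values, 1317674985 (the __utma cookie expiry) is 2011-10-03 UTC, the Bookmarks date_added 12974427976796875 is 2012-02-22 23:46:16 UTC, and the History Provider Cache value 12974212186000000 is 2012-02-20 11:49:46 UTC, two days earlier, which matches the note on the slide. The digit-count trick fails outside the year window and cannot tell Unix milliseconds from a 13-digit Unix-seconds value far in the future, so treat it as a first guess to confirm against a second artifact.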
Visited Links
Unknown binary format, but as the source is online, it should be relatively straightforward to determine
However, I don't know of anyone who's done it
Not entirely sure what's supposed to be stored in here
The name strongly suggests that it can be forensically useful
Session Restore
Files (binary, undocumented format, but open source):
Current Session (SNSS)
Current Tabs (SNSS)
Last Session (SNSS)
Last Tabs (SNSS)
Tabs files can be parsed by a JavaScript application designed to run within Chrome:
http://metgate.org/chrome-session-restore/
Complete session history can probably be recovered from the session files
Chrome History
SQLite tables in the History file:
downloads
presentation
urls
keyword_search_terms
segment_usage
visits
meta
segments
History SQLite Fields
Fields from downloads:
id, full_path (file saved), url (string), start_time, received_bytes, total_bytes, state (verified complete?), end_time, opened
Fields from urls:
id, url (string), title, visit_count, typed_count, last_visit_time, hidden, favicon_id
Fields from visits:
id, url (reference to urls.id, not a string), visit_time, from_visit (id of the referring visit row), transition, segment_id, is_indexed
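An added example, not from the lecture, showing how to use the visits and urls fields listed above: the Python below builds a constructed, trimmed copy of the two tables in memory, joins visits to urls, walks from_visit backwards to reconstruct how the user arrived at a page, and decodes the transition column. The transition decoding relies on Chromium's page transition constants (core type in the low 8 bits, qualifier flags in the high bits) as I know them from its source; the slide only names the column. The sample rows and timestamps are assumptions for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium page_transition_types (from Chromium's source as I know it, not from the slide):
# the core type occupies the low 8 bits, qualifier flags the high bits.
CORE_TYPES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
              4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT",
              8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
              0x04000000: "HOME_PAGE", 0x08000000: "FROM_API", 0x10000000: "CHAIN_START",
              0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT"}


def decode_transition(value):
    """Split visits.transition into (core type name, [qualifier names]).
    SQLite returns the column as a signed integer, so values with the top bit set
    (SERVER_REDIRECT) come back negative; mask to 32 bits first."""
    value &= 0xFFFFFFFF
    core = CORE_TYPES.get(value & 0xFF, f"UNKNOWN({value & 0xFF})")
    flags = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, flags


def chrome_time(us):
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)


def build_sample_history(con):
    """Constructed rows using the urls / visits column names from the slide (schema trimmed)."""
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER, segment_id INTEGER);
    """)
    t = 12974427976000000   # 2012-02-22 23:46:16 UTC (the slide's Bookmarks date, rounded)
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://short.test/x", None, 1, 1, t, 0),
        (2, "http://landing.test/promo", "Promo", 1, 0, t + 400_000, 0),
        (3, "http://landing.test/download/setup.exe", None, 1, 0, t + 9_000_000, 0)])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, t, 0, 0x12000001, 0),              # TYPED | FROM_ADDRESS_BAR | CHAIN_START
        (2, 2, t + 400_000, 1, 0xA0000000, 0),    # LINK | SERVER_REDIRECT | CHAIN_END
        (3, 3, t + 9_000_000, 2, 0x30000000, 0)]) # LINK | CHAIN_START | CHAIN_END


def sample_history():
    con = sqlite3.connect(":memory:")
    build_sample_history(con)
    return con


def visit_chain(con, visit_id):
    """Follow from_visit backwards from visit_id; returns the chain oldest-first."""
    chain = []
    while visit_id:
        row = con.execute(
            "SELECT v.id, v.visit_time, u.url, v.transition, v.from_visit "
            "FROM visits v JOIN urls u ON u.id = v.url WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:
            break                                    # referrer row deleted: chain is cut
        vid, vtime, url, transition, from_visit = row
        core, flags = decode_transition(transition)
        chain.append({"id": vid, "time": chrome_time(vtime).isoformat(), "url": url,
                      "core": core, "flags": flags})
        visit_id = from_visit
    chain.reverse()
    return chain


if __name__ == "__main__":
    con = sample_history()
    for hop in visit_chain(con, 3):
        print(hop)
```

The qualifier flags are what turn a bare URL list into a narrative: CHAIN_START/CHAIN_END bracket one navigation, SERVER_REDIRECT marks a hop the user never saw, and FROM_ADDRESS_BAR on a TYPED visit says the user keyed the first URL in. A chain that stops at a row with a non-zero from_visit that no longer exists is itself a finding, since Chrome does not normally leave dangling references.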
Chrome History URLs SQLite Table
History Index ####-## SQLite Tables
info: fields rowid, time
pages_content: fields docid (ref to rowid above), c0url (URL string), c1title (page title), c2body (indexed page text)
pages_segdir: fields level, idx, start_block, leaves_end_block, root
pages_segments: fields blockid, block
The pages_* tables are the shadow tables of a SQLite FTS3 full-text index named "pages": pages_content holds the indexed text, while pages_segdir and pages_segments hold the index's b-tree segments. They are index structures, not cache data.
Chrome Cookies
cookies table SQLite fields:
creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent
Cookies SQLite Table
Favicons
favicons SQLite fields:
id, url (string), last_updated, image_data (can be saved out as .png), icon_type, sizes
Login Data
logins SQLite table fields: origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, ssl_valid, preferred, date_created, blacklisted_by_user, scheme
password_value is not plaintext: on Windows, Chrome encrypts it with DPAPI (CryptProtectData) under the logged-on user's credentials, so it only decrypts in that user's logon context or with that user's password and DPAPI master keys
Network Action Predictor SQLite DB
Stuff the user typed, Chrome's guess at what he meant, and whether it was correct
network_action_predictor table
Fields: id, user_text, url, number_of_hits, number_of_misses
Shortcuts SQLite DB
omni_box_shortcuts table
Fields: id, text, url, contents, contents_class, description (page title), description_class, last_access_time, number_of_hits
Top Sites SQLite DB
thumbnails table
Fields: url, url_rank, title, thumbnail (can be saved out as png), redirects, boring_score, good_clipping, at_top, last_updated, load_completed
Chrome Form Autofill
The Web Data SQLite file contains 17 tables
Between them, over 100 fields
A number of timestamps
On any case involving somebody who's used Chrome extensively over a long period of time, there will probably be something useful in here somewhere
Chrome Cache
The Cache folder contains:
One index file
Multiple (at least 4) cache data files, named data_#
The initial data files are optimized to store small blocks of data
When the size of an item to cache exceeds 16KB, the item is stored in its own file named f_######
Every piece of data stored by the cache has a given 4-byte cache address. These include:
Cache Entry
HTTP Headers
Request Data
Entry Name (key)
Aux Info
Chrome HTML5 Local Storage
Multiple SQLite databases in the Local Storage subfolder, one per origin:
chrome-extension_lifbcibllhkdhoafpjfnlhfpfgnpldfl_0.localstorage
http_<host>_0.localstorage
https_<host>_0.localstorage
Browser Forensics Tools
Mandiant Web Historian
Browser support: Internet Explorer, Firefox, Chrome, Safari
Artifacts: History, Cache (including Chrome thumbnails & indexed page content), Cookies, Form History
Note: We've covered more artifacts than this!
Mandiant Web Historian
Web History Fields (columns: Firefox / Chrome / Internet Explorer; X = extracted; for rows with fewer than three X's, which browser column they sat in did not survive the flattening of the table)
URL: X X X
PageTitle: X X X
HostName: X
Hidden: X X
Typed: X
LastVisitDate: X X X
LastVisitDateLocal: X*
VisitFrom: X X
VisitType: X X / Redirect or URL
VisitCount: X X
FirstBookmarkDate: X
Thumbnail: X
IndexedContent: X
Mandiant Web Historian
Cookie History Fields (columns: Firefox / Chrome / Internet Explorer; X = extracted)
HostName: X X
CookiePath: X X X
CookieName: X X X
CookieValue: X X X
IsSecure: X X
IsHttpOnly: X X
LastAccessedDate: X X X
ExpirationDate: X X X
CreationDate: X X
FileName: X
FilePath: X
CookieFlags: X
LastModifiedDate: X
Mandiant Web Historian
Download History Fields, includes cache (columns: Firefox / Chrome / Internet Explorer; X = extracted)
DownloadType: Manual / Manual / Auto, Auto IE Leak, Auto IE Redirect
FileName: X X X
SourceURL: X X X
TargetDirectory: X X X
TemporaryPath: X
Referrer: X
MimeType: X
StartDate: X X
EndDate: X
State: X X
BytesDownloaded: X X X
MaxBytes: X X X
AutoResume: X
FullHttpHeader: X
LastAccessedDate: X
LastModifiedDate: X
CacheFlags: X
CacheHitCount: X
LastCheckedDate: X
Mandiant Web Historian
Form History Fields (columns: Firefox / Chrome / Internet Explorer; X = extracted)
FormType: Login or Normal / Login or Normal / N/A
FormFieldName: X / N/A
FormFieldValue: X / N/A
UsernameFieldName: X X / N/A
PasswordFieldName: X X / N/A
HostName: X / N/A
HttpRealm: X X / N/A
FormSubmitURL: X X / N/A
UsernameFieldValue: X X / N/A
EncryptedPassword: X X / N/A
EncryptionType: X X / N/A
FirstUsedDate: X / N/A
LastUsedDate: X / N/A
TimesUsed: X / N/A
Guid: X / N/A
CreationDate: X / N/A
Nirsoft Tools (single-purpose utilities; frequently updated, well designed)
IECookiesView
IEHistoryView
IECacheView
MozillaCookiesView
MozillaHistoryView
MozillaCacheView
OperaCacheView
ChromeCacheView
ChromeHistoryView
SafariHistoryView
SafariCacheView
FavoritesView (Firefox & Internet Explorer)
FlashCookiesView
FireFoxDownloadsView
SQLite Tools
SQLite Manager Firefox plugin (newer, better)
SQLite Database Browser (old)
Foundstone DumpAutoComplete
Command line tool
Produces XML output
Works with all Firefox versions, but only extracts from formhistory files, not places.sqlite
The moz_inputhistory table in places.sqlite maintains autocomplete data for the URL location bar
FoxAnalysis (free version only for FF3+)
Artifacts:
History
Bookmarks
Cookies
Downloads
Form History
Doesn't do cache
71/73
Woanware
FirefoxSessionstoreExtractor
Extracts information from sessionstore.js:
URLs
Page Titles
Cookies & values
Tabs
Form Data
Referrer
Scroll Data
Command line only
Archive Formats
File headers/magic numbers: (PK)Zip: 50 4B 03 04 [PK..]; Gzip: 1F 8B 08
(PK)Zip files carry their size in the file footer. Find the hex signature 50 4B 05 06 (the end of central directory record)
At offset 12 from the start of that record is the 4-byte (little-endian) size of the central directory
At offset 16 is the 4-byte (little-endian) offset of the central directory from the start of the archive
Add these two values and search backwards from the beginning of the end of central directory record that many bytes, and you should see 50 4B 03 04, which is the beginning of the archive
At offset 20 is a 2-byte comment length, followed by that many additional bytes. That's the end of the archive (22 bytes of record plus the comment)
Gzip has no such footer field: its 8-byte trailer holds only a CRC-32 and the uncompressed length, so a gzip member's extent has to be found by inflating from the header until the stream ends
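As an added example (not part of the lecture), the Python below implements the ZIP footer walk just described and, because gzip has no length in its trailer, carves a gzip member by inflating from the header until the decompressor reports end of stream. The archive and the gzip member are constructed inline and buried in junk bytes; the ZIP64 guard and the check that the computed start really holds a local file header are safeguards I added beyond the slide.

```python
import gzip
import io
import struct
import zipfile
import zlib

ZIP_LOCAL = b"PK\x03\x04"    # 50 4B 03 04: local file header, start of archive
ZIP_EOCD = b"PK\x05\x06"     # 50 4B 05 06: end of central directory record
GZIP_MAGIC = b"\x1f\x8b\x08"


def carve_zip(blob):
    """Return (start, length) for every ZIP whose end-of-central-directory record is in blob."""
    hits = []
    pos = blob.find(ZIP_EOCD)
    while pos != -1:
        if pos + 22 <= len(blob):
            # offsets 12, 16 and 20 of the EOCD record, little-endian
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", blob, pos + 12)
            start = pos - cd_size - cd_offset          # the slide's "search backwards" step
            end = pos + 22 + comment_len               # record plus trailing comment
            # 0xFFFFFFFF in either field means a ZIP64 archive; the real values sit in a
            # separate ZIP64 EOCD record that this simple carver does not parse.
            zip64 = cd_size == 0xFFFFFFFF or cd_offset == 0xFFFFFFFF
            if (not zip64 and start >= 0 and end <= len(blob)
                    and blob[start:start + 4] == ZIP_LOCAL):
                hits.append((start, end - start))
        pos = blob.find(ZIP_EOCD, pos + 1)
    return hits


def carve_gzip(blob, off):
    """Inflate from the gzip header at off until the stream ends.
    Returns (off, length, decompressed bytes) or None if no complete member starts there."""
    if blob[off:off + 3] != GZIP_MAGIC:
        return None
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)       # 16+: expect a gzip wrapper
    try:
        data = d.decompress(blob[off:])
    except zlib.error:
        return None
    if not d.eof:
        return None                                     # truncated: trailer never reached
    length = len(blob) - off - len(d.unused_data)        # unused_data = bytes after the member
    return off, length, data


def build_sample_blob():
    """Constructed input: a ZIP and a gzip member between runs of junk."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload/readme.txt", "carved from unallocated\n")
        zf.writestr("payload/run.bat", "@echo off\r\n")
    zip_bytes = zbuf.getvalue()
    gz_bytes = gzip.compress(b"<html>cached page body</html>")
    blob = b"\x00" * 300 + zip_bytes + b"junk" * 50 + gz_bytes + b"\xcc" * 99
    return zip_bytes, gz_bytes, blob


def extract_names(zip_bytes):
    """Open a carved archive from memory and list its members."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    zip_bytes, gz_bytes, blob = build_sample_blob()
    for start, length in carve_zip(blob):
        print(f"zip at {start}, {length} bytes:", extract_names(blob[start:start + length]))
    gz_off = blob.find(GZIP_MAGIC)
    print("gzip:", carve_gzip(blob, gz_off))
```

The local-header check matters on real images: a "PK\x05\x06" can also appear inside a nested archive or in a comment, and then the arithmetic lands on garbage rather than a file start. For gzip, a member whose trailer is missing (a partially written cache entry, for instance) still yields whatever decompressed before the cut, which is often worth keeping even though the function above reports it as incomplete.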
Questions?