Mining Digital Evidence in Microsoft Windows – Answering Who, When, Why and How?

Slide transcript (44 slides), posted 17-May-2015

Page 1: Chetan-Mining_Digital_Evidence_in_Microsoft_Windows

Mining Digital Evidence in Microsoft Windows

– Answering Who, When, Why and How?

Page 2:

Agenda

CSI Computer Crime and Security Survey, 2007

What is Computer Forensics?

Laws of computer Forensics

10 Forensics avenues in Windows XP

Page 3:

A Quick CSI-FBI 2007 Survey Summary

Average annual loss per respondent in 2007: $350,424, up from $168,000 the previous year. Not since the 2004 report have average losses been this high!

46% of the overall respondents said that they had suffered a security incident.

Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident further said they had suffered a "targeted attack".

Financial fraud was the source of the greatest financial losses.

Page 4:

CSI Computer Crime and Security Survey

Most prevalent security problems:
Insider abuse of network access or e-mail: 59% of respondents
Virus incidents: 52% of respondents

Dollar amount losses:
Financial fraud: $21,124,750
Virus (worms / spyware): $8,391,800
Theft of confidential data: $5,685,000
Insider abuse of resources: $2,889,700

Total losses for 2007: $66,930,950

Page 5:

CSI Computer Crime and Security Survey

How many Incidents in the past twelve months?

Page 6:

Computer Forensics – the laws

First Law of Computer Forensics

There is evidence of every action.

Harlan Carvey's Corollary:

Once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact.

Page 7:

Tip of the “Digital” Iceberg

Data as seen by a casual observer using common tools (Explorer window, cmd shell, web browser, etc.)

Data as seen by a forensic investigator using a sophisticated toolkit. May include deleted data, hidden data, unauthorized information and records of illegal activity!

Page 8:

Mining Windows XP

Page 9:

Windows XP – Market Share

92.69% of the people surfing the Web use Windows on PCs

Windows XP's share: 79.32%
Windows Vista: 7.38%

Source: http://marketshare.hitslink.com

Page 10:

10 Forensics avenues in Windows XP

1. NTFS attributes
2. Registry files
3. Prefetch files (.pf)
4. Print spooler files
5. Recycle Bin INFO2 records
6. Thumbs.db
7. Event logs (.evt)
8. Internet history files (.dat)
9. Shortcut files (.lnk)
10. System Restore points

Page 12:

Mining NTFS Attributes

MFT entry

Page 13:

Mining $LogFile

$LogFile (MFT entry 2) is the NTFS transaction journal: it records the metadata operations (file creation, deletion, rename, attribute updates) that the file system needs to replay or undo to reach a consistent state after a crash.
The deletion of a file leaves several entries in $LogFile.
The journal is a fixed-size circular buffer that is only overwritten as it fills, so it is not unusual to find entries for files that are no longer on the disk.
An entry also shows that the file was used by the system.
Tool: EnCase $LogFile parser EnScript.

Page 14:

Mining NTFS timestamps

NTFS keeps four timestamps for every file:
Creation time
Last modified time (file content written)
MFT entry modified time (metadata changed; not shown by Explorer)
Last accessed time

Windows 64-bit timestamp (FILETIME): an 8-byte value counting 100-nanosecond intervals since 1 January 1601 UTC. It is stored little-endian, so its most significant byte is the last of the eight bytes; for any date between 1829 and 2057 that byte is 01h, which is what makes a FILETIME easy to spot in a hex dump.

The FN and SIA attributes: $FILE_NAME (FN) and $STANDARD_INFORMATION (SIA) each carry their own copy of the four timestamps. The SIA copy is what Explorer and the Win32 API report, and any process that can open the file can set it (SetFileTime), so it is what timestamp-altering tools change; the FN copy is maintained by the kernel and is not exposed through that API. A mismatch between the two copies is therefore a classic indicator of tampering.
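The layout described above, as an added worked example that is not part of the original slides: a small Python parser for FILETIME values and for the four-timestamp block at the start of $STANDARD_INFORMATION and $FILE_NAME, followed by the SIA-versus-FN cross-check a practitioner runs to spot altered timestamps. The attribute bytes are constructed inside the code; the file's dates and the "set back to 2004 with a whole-second API call" scenario are assumptions for illustration, not data from the presentation.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # a FILETIME tick is 100 nanoseconds
ORDER = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (most significant byte last) to UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    ticks, = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> bytes:
    """Inverse of the above; extra_ticks adds 100 ns ticks below datetime resolution."""
    ticks = ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10 + extra_ticks
    return struct.pack("<Q", ticks)


def parse_timestamps(attr_body: bytes, offset: int) -> dict:
    """Read the four FILETIMEs (created, modified, MFT-entry modified, accessed)
    that start at `offset` in an attribute body. $STANDARD_INFORMATION keeps them
    at offset 0; $FILE_NAME keeps them at offset 8, after the 8-byte parent
    directory reference. Raw ticks are returned so no sub-second precision is lost."""
    return dict(zip(ORDER, struct.unpack_from("<4Q", attr_body, offset)))


def timestomp_indicators(si: dict, fn: dict) -> list:
    """Cross-check the two copies. Tools that go through SetFileTime only touch $SI,
    so $SI values earlier than the $FN creation time, or $SI values with an exactly
    zero fractional second while $FN has one, are the classic tells."""
    findings = []
    for key in ORDER:
        if si[key] < fn["created"]:
            findings.append(f"$SI {key} predates $FN created")
        if si[key] % TICKS_PER_SECOND == 0 and fn[key] % TICKS_PER_SECOND != 0:
            findings.append(f"$SI {key} has a zero fractional second, $FN {key} does not")
    return findings


def describe(ts: dict) -> dict:
    """Human-readable copy of a timestamp dict (ISO 8601, UTC)."""
    return {k: filetime_to_datetime(struct.pack("<Q", v)).isoformat() for k, v in ts.items()}


# Constructed sample (assumption, not data from the slides): a file genuinely created
# on 2007-06-12 10:15:30.1234567 UTC whose $SI created/modified times were later set
# back to 2004-01-01 00:00:00 through a whole-second API call.
REAL = datetime(2007, 6, 12, 10, 15, 30, 123456, tzinfo=timezone.utc)
FAKE = datetime(2004, 1, 1, tzinfo=timezone.utc)
_real = datetime_to_filetime(REAL, extra_ticks=7)
_fake = datetime_to_filetime(FAKE)
SAMPLE_SI = _fake + _fake + _real + _real      # $STANDARD_INFORMATION body, times at offset 0
SAMPLE_FN = bytes(8) + _real * 4               # parent reference, then the $FILE_NAME times

if __name__ == "__main__":
    si = parse_timestamps(SAMPLE_SI, 0)
    fn = parse_timestamps(SAMPLE_FN, 8)
    print("$SI:", describe(si))
    print("$FN:", describe(fn))
    for line in timestomp_indicators(si, fn):
        print("!!", line)
```

The zero-fractional-second check is the weaker of the two signals (files copied from FAT media legitimately have it), so treat it as a lead to confirm against $FN, $LogFile and the prefetch or link artifacts discussed later, not as proof on its own.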

Page 16:

Windows Registry

Registry files are essentially databases containing information and settings for:

Hardware
Software
Users
Preferences

A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. In Windows 98, the registry files are named User.dat and System.dat. In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat. In Windows XP, the system hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) are in the C:\Windows\system32\config folder, and each user's own hive, NTUSER.DAT, sits at the root of that user's profile under C:\Documents and Settings. Most of the per-user activity artifacts on the next slide live in NTUSER.DAT.

Page 17:

Mining Windows Registry

Multiple forensic avenues in the registry!
System and user-specific settings
UserAssist
MUICache
MRU lists
ProgramsCache
StreamMRU
ShellBags
USBSTOR
IE passwords
and many more!

Demo
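An added example, not part of the original slides or the demo, showing how the UserAssist entries listed above are read on Windows XP: the value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count are ROT13-encoded, and each 16-byte value holds a session ID, a run counter that starts at 5, and the last-run FILETIME. The two values in the code are constructed for the example; the program path, counter and timestamp are assumptions.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """8-byte little-endian FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    ticks, = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def decode_name(value_name: str) -> str:
    """XP obfuscates UserAssist value names with ROT13. Digits and punctuation are
    untouched, which is why 'system32' shows up as 'flfgrz32' in the hive."""
    return codecs.decode(value_name, "rot_13")


def parse_value_data(data: bytes) -> dict:
    """XP layout: session id (DWORD), run counter (DWORD), last-run FILETIME.
    The counter starts at 5, so the real number of launches is counter - 5.
    Windows 7 and later use a 72-byte layout that this parser rejects."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes of XP UserAssist data, got {len(data)}")
    session, counter, last_run = struct.unpack("<II8s", data)
    return {"session": session, "runs": max(counter - 5, 0),
            "last_run": filetime_to_datetime(last_run)}


def parse_userassist(values: dict) -> list:
    """Decode every name/data pair exported from a ...\\UserAssist\\{GUID}\\Count key."""
    rows = []
    for name, data in values.items():
        row = {"name": decode_name(name)}
        try:
            row.update(parse_value_data(data))
        except ValueError as err:
            row["error"] = str(err)        # e.g. UEME_CTLSESSION, which holds only 8 bytes
        rows.append(row)
    return rows


def _filetime(dt: datetime) -> bytes:
    return struct.pack("<Q", ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10)


# Constructed sample (assumption, not an export from a real hive): two values as they
# would be read from the Count subkey of an XP user's NTUSER.DAT.
SAMPLE_VALUES = {
    r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pzq.rkr":
        struct.pack("<II", 1, 17)
        + _filetime(datetime(2007, 6, 12, 10, 15, 30, tzinfo=timezone.utc)),
    "HRZR_PGYFRFFVBA": struct.pack("<II", 1, 0),
}

if __name__ == "__main__":
    for row in parse_userassist(SAMPLE_VALUES):
        print(row)
```

Feed it the name/data pairs from any hive library or a .reg export of the Count key; the decoded UEME_RUNPATH entries give you the "what ran, how often, when last" answer per user that the prefetch files give per machine.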

Page 19:

The Prefetch feature

Microsoft created the Prefetch cache to improve boot and application launch time.

By recording which files a commonly used application loads in its first seconds, the OS can pre-load them in anticipation that the user will run the application again.

When an application is launched the system creates or updates a file in C:\Windows\Prefetch named after the executable, followed by a hash of its path and the extension .pf (for example NOTEPAD.EXE-<hash>.pf). XP keeps at most 128 of these files, so on a busy system older entries get replaced.

Page 20:

The Prefetch feature

Among other items the file records the time the application was last run as a 64-bit FILETIME (an 8-byte value in a hex viewer) and a counter that is incremented on every run. It also lists the files and directories the program touched during its first seconds, which is how a prefetch file ties an executable to the DLLs and documents it loaded.

Analysing prefetch: mount the image read-only with Mount Image Pro (MIP) and parse the .pf files with Windows File Analyzer (WFA.exe).

Demo
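The fields just described, as an added example that is not from the slides or from WFA: a parser for the fixed header of an XP-format (version 17) .pf file that pulls out the executable name, the last-run FILETIME, the run counter and the list of loaded files. The sample .pf bytes are constructed in the code; the executable, its hash value and the run data are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_VERSION = 17                      # format version written by Windows XP and 2003


def filetime_to_datetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_prefetch_xp(data: bytes) -> dict:
    """Parse the fixed header of an XP (version 17) .pf file.
    Offsets: 0x00 version, 0x04 'SCCA', 0x0C file size, 0x10 executable name
    (UTF-16, 60 bytes), 0x4C path hash, 0x64/0x68 offset and size of the
    filename-strings section, 0x78 last-run FILETIME, 0x90 run count.
    Vista and later formats move the last two fields, so other versions are rejected."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    if version != XP_VERSION:
        raise ValueError(f"unsupported prefetch version {version}")
    exe = data[0x10:0x4C].decode("utf-16-le").split("\0", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 0x4C)
    str_off, str_size = struct.unpack_from("<II", data, 0x64)
    run_count, = struct.unpack_from("<I", data, 0x90)
    names = data[str_off:str_off + str_size].decode("utf-16-le").split("\0")
    return {
        "executable": exe,
        "expected_filename": f"{exe}-{path_hash:08X}.pf",   # what the file should be called
        "last_run": filetime_to_datetime(data[0x78:0x80]),
        "run_count": run_count,
        "loaded_files": [n for n in names if n],
    }


def build_sample() -> bytes:
    """Constructed XP-style .pf file (assumption, not a real capture) for CMD.EXE."""
    loaded = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
              "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CMD.EXE"]
    strings = "".join(n + "\0" for n in loaded).encode("utf-16-le")
    last_run = datetime(2007, 6, 12, 10, 15, 30, tzinfo=timezone.utc)
    ticks = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    header_len = 0x98
    hdr = struct.pack("<I4sII", XP_VERSION, b"SCCA", 0x0F, header_len + len(strings))
    hdr += "CMD.EXE".encode("utf-16-le").ljust(60, b"\0")          # 0x10..0x4C
    hdr += struct.pack("<II", 0x12345678, 0)                       # path hash, unknown
    hdr += struct.pack("<9I", 0, 0, 0, 0, header_len, len(strings), 0, 0, 0)  # section table
    hdr += struct.pack("<Q", ticks) + bytes(16) + struct.pack("<II", 12, 0)   # last run, run count
    assert len(hdr) == header_len
    return hdr + strings


if __name__ == "__main__":
    for key, value in parse_prefetch_xp(build_sample()).items():
        print(f"{key}: {value}")
```

Comparing `expected_filename` with the name the file actually has on disk is a cheap sanity check: a .pf file whose embedded executable name or hash does not match its filename has been renamed or planted.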

Page 21:

Mining Prefetch – wfa.exe

Page 23:

Print Spooler Files

On Windows XP you would find these two files in the C:\Windows\System32\spool\PRINTERS folder:

.SPL - the spool file contains the print job's spooled data (the pages themselves, usually as EMF records)
.SHD - the shadow file contains the job settings (metadata such as owner, document name and printer)

Both are normally deleted as soon as the job has printed, so live copies exist only for pending jobs or where the printer's "Keep printed documents" option is set; otherwise look for them in unallocated space.

Page 24:

PA Spool Viewer – view .shd files

Splview.exe - available at http://undocprint.printassociates.com

This tool allows you to view the metadata of the print job!

Page 25:

EMF Spool viewer – view .spl files

EMF Spool Viewer - available at http://www.codeproject.com/dotnet/EMFSpoolViewer/EMFSpoolViewer.zip

This tool allows you to view the actual spooled pages!

Page 27:

Mining the Recycle bin

On Windows 2000/XP each user has a recycle bin folder, C:\RECYCLER\<user SID>\, whose INFO2 file contains one record for each deleted file;

each record contains the record number, the drive designator, the timestamp of when the file was moved to the Recycle Bin, the file size, and the file's original name and full path, in both ASCII and Unicode. A record whose first ASCII byte has been zeroed belongs to a file that was later removed from the bin; the rest of the record, including the Unicode path and the timestamp, is still there until it is overwritten.

Files sent to the Recycle Bin are renamed according to a specific naming convention:

D<original drive letter of file><record number>.<original extension> (e.g. Dc1.xls for the first file deleted from C:)

Demo
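An added example, not part of the slides or the demo, that reads the INFO2 records described above and rebuilds the D<drive><n>.<ext> name each record was stored under. The INFO2 bytes are constructed in the code (the 20-byte header, then 800-byte records); the paths, dates and sizes are assumptions for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x14        # version, two unused DWORDs, record size, running total size
RECORD_SIZE = 0x320       # 800 bytes per record on Windows 2000/XP


def filetime_to_datetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_record(rec: bytes) -> dict:
    """One 800-byte INFO2 record: ASCII path (260), record index (4), drive number (4),
    deletion FILETIME (8), size (4), Unicode path (520). A zeroed first byte marks an
    entry that was removed from the bin; everything else stays readable."""
    ascii_path = rec[0:260].split(b"\0", 1)[0].decode("cp1252", "replace")
    index, drive, ft, size = struct.unpack_from("<II8sI", rec, 260)
    unicode_path = rec[280:800].decode("utf-16-le", "replace").split("\0", 1)[0]
    original = unicode_path or ascii_path
    basename = original.rsplit("\\", 1)[-1]
    ext = basename.rsplit(".", 1)[1] if "." in basename else ""
    recycled = f"D{chr(ord('a') + drive)}{index}" + (f".{ext}" if ext else "")
    return {"index": index, "drive": chr(ord("A") + drive),
            "deleted": filetime_to_datetime(ft), "size": size,
            "original_path": original, "purged": rec[0] == 0, "recycled_name": recycled}


def parse_info2(data: bytes) -> list:
    version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected record size {rec_size} (INFO2 version {version})")
    return [parse_record(data[o:o + rec_size])
            for o in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size)]


def _record(path: str, index: int, drive: int, deleted: datetime, size: int,
            purged: bool = False) -> bytes:
    """Build one constructed record; purged=True zeroes the first ASCII byte."""
    ticks = ((deleted - EPOCH_1601) // timedelta(microseconds=1)) * 10
    ascii_part = path.encode("cp1252").ljust(260, b"\0")
    if purged:
        ascii_part = b"\0" + ascii_part[1:]
    return (ascii_part + struct.pack("<IIQI", index, drive, ticks, size)
            + path.encode("utf-16-le").ljust(520, b"\0"))


# Constructed INFO2 file (assumption, not a real capture): version 5 header, two records.
SAMPLE_INFO2 = (
    struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0)
    + _record(r"C:\Documents and Settings\user\Desktop\budget.xls", 1, 2,
              datetime(2007, 6, 12, 10, 15, 30, tzinfo=timezone.utc), 24576)
    + _record(r"C:\temp\plan.doc", 2, 2,
              datetime(2007, 6, 13, 8, 0, 0, tzinfo=timezone.utc), 4096, purged=True)
)

if __name__ == "__main__":
    for rec in parse_info2(SAMPLE_INFO2):
        print(rec)
```

The recycled name is what you will see in the RECYCLER\<SID> folder listing and in $LogFile or $MFT entries, so reconstructing it lets you tie a Dc1.xls on disk back to its original path and deletion time.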

Page 29:

Mining Thumbs.db

Thumbs.db contains cached thumbnails of the images in a folder.
It is an OLE (structured storage) compound file, with each thumbnail kept as an embedded stream.
In many cases the images may have been deleted from the directory but their thumbnails may still be available in the Thumbs.db cache!

Tools:
EnCase
Windows File Analyzer
AccessData FTK

Demo

Page 31:

Event Logs

Windows event logs provide crucial insight into what happened on the system.
Using event logs in conjunction with other forensic avenues such as registry data (UserAssist, MUICache, MRU lists, etc.) helps reconstruct past events on the system.
Windows XP keeps three event logs, stored as .evt files in %SystemRoot%\system32\config:

Application (AppEvent.Evt)
System (SysEvent.Evt)
Security (SecEvent.Evt)

Page 32:

Mining event logs…

What the logs can tell you:
Unsuccessful logon attempts
Successful privilege escalation attempts
System time was changed
Logon time restriction violation
Logon/logoff times
Successful/unsuccessful object access

Caveats:
On a stand-alone Windows XP Professional system the default audit policy is "No auditing" for every category, so the Security log records nothing unless auditing was switched on locally or by Group Policy.
Most events record only the NetBIOS workstation name, not the IP address; an address appears only in the logon events that carry a Source Network Address field, so correlate with DHCP, proxy or firewall logs to tie a name to an address.

Demo
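The event types listed above, as an added example that is not part of the slides or the demo: a walker for the EVENTLOGRECORD structures inside an XP .evt file, plus a triage pass that keeps the Security-log event IDs that answer those questions (528/540 logon, 529/530 failures, 538 logoff, 520 time change, 576 special privileges, 560 object open). The .evt bytes are constructed in the code; the host names, accounts and insertion strings are assumptions for illustration.

```python
import struct
from datetime import datetime, timezone

RECORD_SIGNATURE = 0x654C664C          # the bytes "LfLe" as a little-endian DWORD
FILE_HEADER_SIZE = 0x30                # ELF_LOGFILE_HEADER at the start of every .evt
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}
# Security-log event IDs behind the questions on the slide (XP/2003 numbering).
INTERESTING = {
    528: "successful logon", 540: "successful network logon",
    529: "logon failure: bad user name or password",
    530: "logon failure: account logon time restriction violation",
    538: "user logoff", 520: "system time was changed",
    576: "special privileges assigned to new logon", 560: "object open",
}
LOGON_EVENTS = {528, 529, 530, 538, 540}   # insertion strings 0/1 are user/domain


def parse_record(data: bytes, offset: int) -> dict:
    """Decode one EVENTLOGRECORD: 56-byte fixed part, UTF-16 source and computer
    names, optional SID, insertion strings, binary data, trailing length copy."""
    (length, sig, number, t_gen, t_wri, event_id, etype, nstrings, _cat, _flags,
     _closing, str_off, sid_len, sid_off, _data_len, data_off) = \
        struct.unpack_from("<6I4H6I", data, offset)
    if sig != RECORD_SIGNATURE:
        raise ValueError(f"no LfLe signature at offset {offset:#x}")
    names_end = offset + (sid_off if sid_len else str_off)
    names = data[offset + 56:names_end].decode("utf-16-le", "replace").split("\0")
    strings = data[offset + str_off:offset + data_off].decode("utf-16-le", "replace")
    strings = strings.split("\0")[:nstrings]
    rec = {"record": number, "length": length,
           "generated": datetime.fromtimestamp(t_gen, timezone.utc),   # 32-bit Unix time
           "written": datetime.fromtimestamp(t_wri, timezone.utc),
           "event_id": event_id & 0xFFFF,          # Event Viewer shows the low word
           "type": EVENT_TYPES.get(etype, str(etype)),
           "source": names[0], "computer": names[1], "strings": strings}
    if rec["event_id"] in LOGON_EVENTS and len(strings) >= 2:
        rec["user"], rec["domain"] = strings[0], strings[1]
    return rec


def parse_evt(data: bytes) -> list:
    """Walk the records after the file header. A live .evt is a circular buffer (the
    newest record may be followed by an end-of-file record and wrapped older data);
    this simple walker stops at the first block without a signature."""
    records, offset = [], FILE_HEADER_SIZE
    while offset + 56 <= len(data):
        try:
            rec = parse_record(data, offset)
        except ValueError:
            break
        records.append(rec)
        offset += rec["length"]
    return records


def triage(records: list) -> list:
    """Keep the events the slide asks about, oldest first."""
    hits = sorted((r for r in records if r["event_id"] in INTERESTING), key=lambda r: r["generated"])
    return [(r["generated"].isoformat(), r["event_id"], INTERESTING[r["event_id"]],
             r.get("user", ""), r["computer"]) for r in hits]


def _record(number, when, event_id, etype, source, computer, strings) -> bytes:
    """Build a constructed EVENTLOGRECORD with no SID and no binary data."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = "".join(s + "\0" for s in strings).encode("utf-16-le")
    str_off = 56 + len(names)
    data_off = str_off + len(body)
    pad = (-data_off) % 4                           # records are DWORD aligned
    length = data_off + pad + 4
    t = int(when.timestamp())
    head = struct.pack("<6I4H6I", length, RECORD_SIGNATURE, number, t, t, event_id,
                       etype, len(strings), 0, 0, 0, str_off, 0, 0, 0, data_off)
    return head + names + body + bytes(pad) + struct.pack("<I", length)


def _at(h, m, s):
    return datetime(2007, 6, 12, h, m, s, tzinfo=timezone.utc)


# Constructed SecEvent.Evt (assumption, not a real log): a bad-password failure, the
# successful network logon that followed, a time change, and one routine event.
SAMPLE_EVT = struct.pack("<I4sI", FILE_HEADER_SIZE, b"LfLe", 1).ljust(FILE_HEADER_SIZE, b"\0") + b"".join([
    _record(1, _at(10, 15, 30), 529, 16, "Security", "WKS01",
            ["admin", "WKS01", "3", "NtLmSsp ", "NTLM", "LAPTOP02"]),
    _record(2, _at(10, 16, 2), 528, 8, "Security", "WKS01",
            ["admin", "WKS01", "(0x0,0x3E7A1)", "3", "NtLmSsp ", "NTLM", "LAPTOP02"]),
    _record(3, _at(10, 20, 0), 520, 8, "Security", "WKS01",
            ["C:\\WINDOWS\\system32\\rundll32.exe", "1234", "admin", "WKS01"]),
    _record(4, _at(10, 21, 0), 515, 8, "Security", "WKS01", ["Winlogon\\MSGina"]),
])

if __name__ == "__main__":
    for hit in triage(parse_evt(SAMPLE_EVT)):
        print(*hit)
```

On a real file the wrap-around matters: parse the header's start and end offsets (or simply scan for every "LfLe" signature) rather than relying on the linear walk shown here, and treat the time change event as an invitation to re-check every other timestamp on the box.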

Page 34:

Tracing Internet Activity

Internet browsers leave a detailed history on the hard drive which can show all sites visited and all graphics viewed.
An individual's web browsing activity often provides investigative leads during most investigations.
We can reconstruct an individual's web browsing activity using sophisticated tools such as EnCase, NetAnalysis and Web Historian.
The two predominant web browsers encountered during computer-related investigations are Microsoft's Internet Explorer (IE) and the Firefox/Mozilla/Netscape family.

Page 35:

Mining Internet Explorer

IE maintains rich logging of a user's browsing activities, which allows for creating a web profile of the suspect. IE has three separate logging facilities, each backed by an index.dat file, that can be used to reconstruct the suspect's web browsing activities:

History of visited URLs
Cookies
Temporary Internet Files

In many cases, web profiling has led to the successful conviction of pedophiles!

Page 36:

Mining Mozilla Firefox

Mozilla Firefox stores its cached Internet activity in the following folder (on XP the Cache folder may instead sit under Local Settings\Application Data):
C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\Cache

There are three types of files in this directory:
A cache map file (_CACHE_MAP_)
Three cache block files (_CACHE_001_, _CACHE_002_, _CACHE_003_)
Separate cache data files for entries too large for the block files

The browsing history itself, cookies and download list live in the profile folder one level up (history.dat in Firefox 2, places.sqlite from Firefox 3).

Demo

Page 38:

Mining shortcut files

Link files refer to or link to target files, which can be applications, directories, documents, or data files. The data contained inside a link file describes various attributes of the target file. A link file contains:

the complete path to the target file
the volume label and volume serial number of the volume on which the target file or folder exists - this can be useful for connecting a file to a unique volume!
the file's size in bytes
the MAC timestamps of the target file!

Page 39:

Mining shortcut files…

Media type (fixed/removable)
Working directory
MAC address of the network adapter on the machine where the link was created (carried in the link tracker object ID)
Remote share name

Link files may be found in unallocated clusters and swap space.
A link whose target sits on removable media may indicate that data was copied to a removable device!
Tools: EnCase link parser EnScript, Windows File Analyzer
Demo
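An added example, not from the slides or from the EnCase/WFA parsers: a reader for the shell link header, the LinkInfo block (drive type, volume serial number, volume label, local path) and the string data (working directory), following the MS-SHLLINK layout. The tracker block that holds the MAC address is not parsed here. The .lnk bytes are constructed in the code; the USB volume, serial number, paths and dates are assumptions for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location"))
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_datetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Header (target MAC times and size), LinkInfo volume/path, StringData."""
    size, clsid, flags, _attrs = struct.unpack_from("<I16sII", data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link")
    out = {"target_created": filetime_to_datetime(data[28:36]),
           "target_accessed": filetime_to_datetime(data[36:44]),
           "target_written": filetime_to_datetime(data[44:52]),
           "target_size": struct.unpack_from("<I", data, 52)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # skip the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off, _cnrl, _suffix = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:                       # VolumeIDAndLocalBasePath present
            vol = pos + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, vol)
            out.update(drive_type=DRIVE_TYPES.get(dtype, str(dtype)),
                       volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                       volume_label=_cstr(data, vol + label_off),
                       local_path=_cstr(data, pos + base_off))
        pos += li_size
    for bit, key in STRING_FLAGS:                 # StringData, in flag order
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            nbytes = count * 2 if flags & IS_UNICODE else count
            out[key] = data[pos:pos + nbytes].decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
            pos += nbytes
    return out


def build_sample() -> bytes:
    """Constructed shortcut to a spreadsheet on a USB stick (assumption, not a capture)."""
    def ft(dt):
        return struct.pack("<Q", ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10)
    flags = HAS_LINK_INFO | 0x10 | IS_UNICODE     # LinkInfo + working directory, Unicode strings
    head = struct.pack("<I16sII", 0x4C, LINK_CLSID, flags, 0x20)
    head += ft(datetime(2007, 6, 1, 9, 0, tzinfo=timezone.utc))          # target created
    head += ft(datetime(2007, 6, 12, 10, 15, 30, tzinfo=timezone.utc))   # target accessed
    head += ft(datetime(2007, 6, 11, 17, 45, tzinfo=timezone.utc))       # target written
    head += struct.pack("<IIIHHII", 12288, 0, 1, 0, 0, 0, 0)              # size, icon, showcmd, ...
    label, base = b"USBDISK\0", b"E:\\Reports\\q2.xls\0"
    volume = struct.pack("<4I", 16 + len(label), 2, 0xA1B2C3D4, 16) + label   # DRIVE_REMOVABLE
    li_size = 28 + len(volume) + len(base) + 1
    link_info = struct.pack("<7I", li_size, 28, 1, 28, 28 + len(volume), 0,
                            28 + len(volume) + len(base)) + volume + base + b"\0"
    wd = "E:\\Reports"
    return head + link_info + struct.pack("<H", len(wd)) + wd.encode("utf-16-le")


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key}: {value}")
```

The volume serial is the value to pivot on: match it against the serial recorded for mounted USB devices (USBSTOR and MountedDevices in the registry) to show that the file was opened from a particular stick, and compare the target's MAC times in the link with the $MFT times of any copy found on the local disk.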

Page 41:

The restore point feature

Rp.log, the restore point log file, is located within each restore point (RPxx) directory under System Volume Information\_restore{GUID}.

The log contains a value indicating the type of the restore point, a descriptive name for the event that created it (e.g. application or device driver installation, application uninstall) and a 64-bit FILETIME indicating when the restore point was created.

Page 42:

The restore point feature

Change.log.x files record changes to key application files.
When a change is detected, the original filename is entered into the change.log file along with a sequence number and other necessary information, such as the type of change that occurred (file deletion, change of file attributes, or change of content).
Sometimes the entire file is preserved in the restore point (Axxxxxx.ext format)!
Each change.log.x file consists of a number of change log records.

Ref: Windows Forensic Analysis by Harlan Carvey

Page 43:

Mining restore points

What restore points can tell:

Installation or removal of an application
Changes to the system time
Remnants of deleted/uninstalled applications
Remnants of deleted files
Evidence of files being accessed in the past
Point-in-time copies of the registry hives (in the RPxx\snapshot folder), which let you compare a key's past and present contents

Demo

Page 44:

Queries are welcome!