Mining Digital Evidence in Microsoft Windows


Mining Digital Evidence in Microsoft Windows – Answering Who, When, Why and How?
Agenda
- CSI Computer Crime and Security Survey, 2007
- What is Computer Forensics?
- Laws of Computer Forensics
- 10 forensics avenues in Windows XP
A Quick CSI-FBI 2007 Survey Summary
- The average annual loss in 2007: $350,424
- Average annual loss in the previous year: $168,000
- Not since the 2004 report have average losses been this high!
- 46% of the overall respondents said that they had suffered a security incident.
- Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident further said they'd suffered a "targeted attack".
- Financial fraud was the source of the greatest financial losses.
CSI Computer Crime and Security Survey
- Insider abuse of network access or e-mail was the most prevalent security problem: 59% of respondents
- Virus incidents: 52% of respondents
Dollar amount losses
- Financial fraud: $21,124,750
- Virus (worms / spyware): $8,391,800
- Theft of confidential data: $5,685,000
- Insider abuse of resources: $2,889,700
- Total losses for 2007: $66,930,950
CSI Computer Crime and Security Survey
[chart: how many incidents in the past twelve months?]
Computer Forensics – the laws
First Law of Computer Forensics: There is evidence of every action.
Harlan Carvey's corollary: Once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact.
Tip of the "Digital" Iceberg
- Data as seen by a casual observer using common tools (Explorer window, cmd shell, web browser, etc.)
- Data as seen by forensic investigators using their sophisticated toolkit. May include deleted data, hidden data, unauthorized information and records of illegal activity!
Mining Windows XP
Windows XP – Market Share
- 92.69% of the people surfing the Web use Windows on PCs
- Windows XP's share: 79.32%
- Windows Vista: 7.38%
Source: http://marketshare.hitslink.com
10 Forensics avenues in Windows XP
1. NTFS attributes
2. Registry files
3. Prefetch files (.pf)
4. Print spooler files
5. Recycle Bin INFO2 records
6. Thumbs.db
7. Event logs (.evt)
8. Internet history files (.dat)
9. Shortcut files (.lnk)
10. System Restore points
Mining NTFS Attributes
[figure: MFT entry]
Mining $LogFile
- The $LogFile entry in the MFT contains the log of all file system transactions.
- The deletion of a file leaves several entries in $LogFile.
- It is not unusual to find files that are no longer on the disk.
- It also shows that the file was used by the system.
- Tool: EnCase $LogFile parser EnScript
Mining NTFS timestamps
NTFS has four timestamps:
- Creation time
- Last accessed time
- Last written time
- Last modification time
Windows 64-bit time stamp: it is an 8-byte (64-bit) value; its most significant byte is 01h, which sits at the far right of the byte string because the value is stored little-endian.
The FN ($FILE_NAME) and SIA ($STANDARD_INFORMATION) attributes each hold a set of these four timestamps.
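As an added example (not part of the original slides), the following Python decodes the 64-bit Windows time stamp described above, checks the 01h high byte the slide points at, and splits the four stamps that open a $STANDARD_INFORMATION attribute; the sample bytes are constructed, not taken from an image.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, stored little-endian.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode the 8 bytes exactly as they sit on disk (little-endian) into UTC."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse: UTC datetime -> the 8 little-endian bytes NTFS would store."""
    ticks = (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<Q", ticks)


def looks_like_current_filetime(raw: bytes) -> bool:
    """The 01h the slide mentions: for any date between 1829 and 2057 the most
    significant byte of the tick count is 0x01, and because the value is
    little-endian that byte is the LAST of the eight on disk."""
    return len(raw) == 8 and raw[7] == 0x01


# $STANDARD_INFORMATION opens with four FILETIMEs in this fixed order.
SIA_FIELDS = ("created", "modified", "mft_modified", "accessed")


def parse_sia_timestamps(attr_body: bytes) -> dict:
    """Split the first 32 bytes of a $STANDARD_INFORMATION body into its stamps."""
    if len(attr_body) < 32:
        raise ValueError("need at least 32 bytes of $STANDARD_INFORMATION")
    return {name: filetime_to_datetime(attr_body[i * 8:i * 8 + 8])
            for i, name in enumerate(SIA_FIELDS)}


# Constructed sample: the Unix epoch (1970-01-01) as a FILETIME is
# 0x019DB1DED53E8000 ticks, which on disk reads 00 80 3E D5 DE B1 9D 01.
UNIX_EPOCH_FT = bytes.fromhex("00803ed5deb19d01")

if __name__ == "__main__":
    print(filetime_to_datetime(UNIX_EPOCH_FT))
    sia = datetime_to_filetime(datetime(2007, 6, 15, 12, 0, tzinfo=timezone.utc)) * 4
    for field, stamp in parse_sia_timestamps(sia).items():
        print(f"{field:>13}: {stamp.isoformat()}")
```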
Windows Registry
Registry files are essentially databases containing information and settings for:
- Hardware
- Software
- Users
- Preferences
A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
- In Windows 98, the registry files are named User.dat and System.dat.
- In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.
- In Windows XP, the registry files are found in the C:\windows\system32\config folder.
Mining Windows Registry
Multiple forensic avenues in the registry!
- System and user-specific settings
- UserAssist
- MuiCache
- MRU lists
- ProgramsCache
- StreamMRU
- Shellbags
- Usbstor
- IE passwords
- and many more!
Demo
The Prefetch feature
- Microsoft created the Prefetch cache to improve boot and application launch time.
- By caching commonly used applications, the OS can apportion system resources in anticipation that the user will access the application.
- When an application is launched, the system updates an entry in C:\Windows\Prefetch named after the application, with a .pf file extension.
The Prefetch feature
- The file contains, among other items, the last time that the file was modified as a 64-bit hex time value, and an integer that is incremented each time the application is run.
- Analyze Prefetch: Mount Image Pro (MIP) + read-only image + WFA.exe
Demo
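As an added example (not from the slides or from WFA.exe), this Python reads the fields the slide describes from a Windows XP format (version 17) .pf header: the executable name, the 64-bit time value, the run counter, and the hash the file name carries; the header is constructed and the hash is a placeholder, not a real prefetch hash.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_VERSION = 17          # format version used by Windows XP / Server 2003
XP_LAST_RUN_OFF = 0x78   # FILETIME of the most recent launch (version 17 layout)
XP_RUN_COUNT_OFF = 0x90  # 32-bit launch counter (version 17 layout)
XP_MIN_LEN = 0x98        # header plus the version-17 file-information block


def filetime_to_datetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_xp_prefetch(data: bytes, on_disk_name: str = "") -> dict:
    """Read executable name, last run time, run count and hash from an XP .pf."""
    if len(data) < XP_MIN_LEN or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (SCCA signature missing)")
    version, = struct.unpack_from("<I", data, 0)
    if version != XP_VERSION:
        raise ValueError(f"unsupported prefetch version {version}")
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 0x4C)
    expected = f"{exe}-{pf_hash:08X}.pf"
    return {
        "executable": exe,
        "last_run": filetime_to_datetime(data[XP_LAST_RUN_OFF:XP_LAST_RUN_OFF + 8]),
        "run_count": struct.unpack_from("<I", data, XP_RUN_COUNT_OFF)[0],
        "expected_file_name": expected,
        # The on-disk name carries the same hash as the header; a mismatch
        # (a renamed or planted .pf) deserves a closer look during review.
        "name_matches_header": not on_disk_name or on_disk_name.upper() == expected.upper(),
    }


def build_sample_xp_prefetch(exe: str, last_run: datetime, run_count: int, pf_hash: int) -> bytes:
    """Constructed header (not a real capture) so the parser can run offline."""
    buf = bytearray(XP_MIN_LEN)
    struct.pack_into("<I4sII", buf, 0, XP_VERSION, b"SCCA", 0x0F, len(buf))
    buf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    ticks = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, XP_LAST_RUN_OFF, ticks)
    struct.pack_into("<I", buf, XP_RUN_COUNT_OFF, run_count)
    return bytes(buf)


# Constructed sample; 0x1A2B3C4D is a placeholder, not a computed SCCA hash.
SAMPLE_PF = build_sample_xp_prefetch(
    "NOTEPAD.EXE", datetime(2007, 6, 15, 12, 0, tzinfo=timezone.utc), 23, 0x1A2B3C4D)
```

Run `parse_xp_prefetch(SAMPLE_PF, "NOTEPAD.EXE-1A2B3C4D.pf")` to see the decoded fields; on a real image pass the bytes of a .pf file and its file name.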
Mining Prefetch – wfa.exe
[screenshot: wfa.exe prefetch view]
Print Spooler Files
On Windows XP systems you would find these two files in the C:\Windows\System32\spool\Printers folder:
- .SPL: the print job's spooled data is contained in a spool file.
- .SHD: the shadow file contains the job settings.
PA Spool Viewer – view .shd files
Splview.exe, available at http://undocprint.printassociates.com
This tool allows you to view the metadata of the print job!
EMF Spool Viewer – view .spl files
EMF Spool Viewer, available at http://www.codeproject.com/dotnet/EMFSpoolViewer/EMFSpoolViewer.zip
This tool allows you to view the actual spooled pages!
Mining the Recycle Bin
The INFO2 file contains one record for each deleted file in the Recycle Bin; each record contains:
- the record number,
- the drive designator,
- the timestamp of when the file was moved to the Recycle Bin,
- the file size,
- the file's original name and full path, in both ASCII and Unicode.
Files sent to the Recycle Bin are maintained according to a specific naming convention:
D<original drive letter of file><#>.<original extension>
Demo
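As an added example (not part of the original slides), this Python walks the XP INFO2 layout described above, pulling the record number, drive, deletion time, size and both path copies out of each 800-byte record, and rebuilds the D<drive><#>.<ext> name each item carries inside the bin; the INFO2 image is constructed in the block, and the "first ASCII byte nulled" check reflects the documented behaviour when an item is restored or purged.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_HEADER_LEN = 20   # version, two unknowns, record size, total size
XP_RECORD_LEN = 800     # 0x320: 260-byte ASCII path ... 520-byte Unicode path


def parse_info2(data: bytes) -> list:
    """Return one dict per record in a Windows XP INFO2 file."""
    version, _, _, rec_len, _ = struct.unpack_from("<5I", data, 0)
    if version != 5 or rec_len != XP_RECORD_LEN:
        raise ValueError(f"unexpected INFO2 version {version}, record size {rec_len}")
    records = []
    for off in range(INFO2_HEADER_LEN, len(data) - rec_len + 1, rec_len):
        rec = data[off:off + rec_len]
        index, drive, ticks, size = struct.unpack_from("<IIQI", rec, 260)
        unicode_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        ext = unicode_path.rsplit(".", 1)[1] if "." in unicode_path else ""
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),          # drive number 0 = A:, 2 = C:
            "deleted_utc": FILETIME_EPOCH + timedelta(microseconds=ticks // 10),
            "size": size,
            "original_path": unicode_path,
            # The name the item carries inside the bin: D<drive letter><#>.<ext>
            "bin_name": f"D{chr(ord('A') + drive)}{index}.{ext}",
            # Restoring or purging an item nulls the first byte of its ASCII path
            # but leaves the record, so the Unicode path still names the file.
            "purged_or_restored": rec[0] == 0,
        })
    return records


def build_sample_info2(entries) -> bytes:
    """Constructed INFO2 image (not a real capture) from (index, drive_number,
    deleted_utc, size, path, purged) tuples."""
    out = bytearray(struct.pack("<5I", 5, 0, 0, XP_RECORD_LEN, 0))
    for index, drive, when, size, path, purged in entries:
        rec = bytearray(XP_RECORD_LEN)
        rec[0:len(path)] = path.encode("latin-1")
        if purged:
            rec[0] = 0
        ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
        struct.pack_into("<IIQI", rec, 260, index, drive, ticks, size)
        rec[280:280 + 2 * len(path)] = path.encode("utf-16-le")
        out += rec
    return bytes(out)


SAMPLE_INFO2 = build_sample_info2([
    (7, 2, datetime(2007, 6, 15, 12, 0, tzinfo=timezone.utc), 24576, r"C:\Docs\plans.doc", False),
    (8, 2, datetime(2007, 6, 15, 12, 5, tzinfo=timezone.utc), 1024, r"C:\Docs\notes.txt", True),
])
```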
Mining Thumbs.db
- Thumbs.db contains cached thumbnails of the images in a folder.
- The thumbnails are stored as OLE embedded data inside the Thumbs.db file.
- In many cases the images may have been deleted from the directory but still be available in the Thumbs.db cache!
Tools:
- EnCase
- Windows File Analyzer
- AccessData FTK
Demo
Event Logs
- Windows event logs provide crucial insight into what has happened on the system.
- Using event logs in conjunction with other forensic avenues such as registry data (UserAssist, MuiCache, MRU lists, etc.) can help reconstruct past events on the system.
Three types of event logs:
- Application
- System
- Security
Mining event logs…
What the logs can tell you:
- Unsuccessful logon attempts
- Successful privilege escalation attempts
- System time was changed
- Logon time restriction violations
- Logon/logoff times
- Successful/unsuccessful object access
The default Windows security setting is to log nothing at all!
Unfortunately, event logs only record the NetBIOS name and not the IP address!
Demo
Tracing Internet Activity
- Internet browsers leave a detailed history on the hard drive which can show all sites visited and all graphics viewed.
- An individual's web browsing activity often provides investigative leads during most investigations.
- We can reconstruct an individual's web browsing activity using sophisticated tools such as EnCase, NetAnalysis and WebHistorian.
- The two predominant web browsers encountered during computer-related investigations are Microsoft's Internet Explorer (IE) and the Firefox/Mozilla/Netscape family.
Mining Internet Explorer
- IE maintains rich logging of a user's browsing activities, which allows for creating a web profile of the suspect.
- IE has three separate logging facilities that can be used to reconstruct the suspect's web browsing activities:
  - History of visited URLs
  - Cookies
  - Temporary Internet Files
- In many cases, web profiling has led to the successful conviction of pedophiles!
Mining Mozilla Firefox
Mozilla Firefox stores the Internet activity in the following folder:
C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\Cache
There are three types of files in this directory:
- A cache map file
- Three cache block files
- Separate cache data files
Demo
Mining shortcut files
- Link files refer to, or link to, target files, which can be applications, directories, documents, or data files.
- The data contained inside a link file describes the various attributes of the target file.
A link file contains:
- the complete path to the target file
- the volume label and volume serial number of the volume on which the target file or folder exists; this can be useful for connecting a file to a unique volume!
- the file's size in bytes
- the MAC time stamps of the target file!!!
Mining shortcut files…
- Media type (fixed/removable)
- Working directory
- MAC address
- Remote share name
- May be found in unallocated clusters and swap space
- May indicate that data was copied to removable media!
Tools:
- EnCase link parser EnScript
- Windows File Analyzer
Demo
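As an added example (not from the slides, EnCase or Windows File Analyzer), this Python decodes the fixed 76-byte header at the start of every .lnk file, which is where the target's MAC time stamps and size live, and reports whether the flags announce a LinkInfo block (the part that carries the volume label and serial number); the sample header is constructed and contains only the header, not a complete shortcut.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_HEADER_LEN = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_TARGET_ID_LIST = 0x01     # LinkFlags bit 0
HAS_LINK_INFO = 0x02          # LinkFlags bit 1: volume label/serial block present
FILE_ATTRIBUTE_DIRECTORY = 0x10


def filetime_to_datetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_lnk_header(data: bytes) -> dict:
    """Decode the fixed ShellLinkHeader that opens a .lnk file."""
    if len(data) < LNK_HEADER_LEN:
        raise ValueError("too short to be a shortcut file")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != LNK_HEADER_LEN or clsid != LNK_CLSID:
        raise ValueError("ShellLinkHeader signature mismatch")
    flags, attrs = struct.unpack_from("<II", data, 0x14)
    # Three FILETIMEs copied from the TARGET when the shortcut was written.
    created, accessed, written = (filetime_to_datetime(data[o:o + 8])
                                  for o in (0x1C, 0x24, 0x2C))
    target_size, = struct.unpack_from("<I", data, 0x34)
    return {
        "target_created": created,
        "target_accessed": accessed,
        "target_written": written,
        "target_size": target_size,
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        # When set, a LinkInfo block with volume label and serial number follows.
        "has_link_info": bool(flags & HAS_LINK_INFO),
    }


def build_sample_lnk_header(created, accessed, written, size, flags, attrs) -> bytes:
    """Constructed header only (not a real shortcut) so the parser runs offline."""
    ft = lambda dt: (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_LEN, LNK_CLSID, flags, attrs,
                       ft(created), ft(accessed), ft(written), size, 0, 1, 0, 0, 0, 0)


UTC = timezone.utc
SAMPLE_LNK = build_sample_lnk_header(
    datetime(2007, 3, 1, 9, 0, tzinfo=UTC), datetime(2007, 6, 15, 12, 0, tzinfo=UTC),
    datetime(2007, 6, 1, 8, 30, tzinfo=UTC), 24576, HAS_TARGET_ID_LIST | HAS_LINK_INFO, 0x20)
```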
The restore point feature
- Rp.log, the restore point log file, is located within the restore point (RPxx) directory.
- This restore point log contains:
  - a value indicating the type of the restore point,
  - a descriptive name for the restore point creation event (i.e., application or device driver installation, application uninstall, etc.),
  - the 64-bit FILETIME object indicating when the restore point was created.
The restore point feature
Change.log.x files
- Record changes to key application files.
- When a change is detected, the original filename is entered into the change.log file along with a sequence number and other necessary information, such as the type of change that occurred (file deletion, change of file attributes, or change of content).
- Sometimes the entire file may be preserved (Axxxxxx.ext format)!
- Each change.log.x file consists of a number of change log records.
Ref: Windows Forensic Analysis by Harlan Carvey
Mining restore points
What restore points can tell:
- Installation or removal of an application
- Changes to the system time
- Remnants of deleted/uninstalled applications
- Remnants of deleted files
- Evidence of files being accessed in the past
Demo
Queries are welcome!