The module project of week 8 concludes the cyber forensics module by re-investigating the SANS SIFT example images using
Linux forensic tools. Windows keeps most user and system activity, as well as configuration, in the Windows Registry,
so extracting information from the registry provides the examiner with valuable information. In this case we are
going to use the RegRipper tool with its plugins to fetch Windows operating system and user information.
A successful forensic analysis may follow the steps below during image investigation.
1- Complete the administrative steps: review the policies and procedures, confirm the chain of custody, fill in the
evidence collection form, fill in the consent form.
2- Work plan: review policies and laws, form an understanding of the background, requirements, and deliverables. Then
create the work analysis plan and the investigation plan.
3- Set up the case folder: evidence file information such as case number, custodian name, media type, and logs.
4- Confirm image integrity.
5- Pre-analysis procedures: mount the image, gather system information.
6- Analysis process: gather timeline, passion, time, research, and resource.
7- Interpretation and review of artifacts.
8- Reporting.
Preliminary analysis
# file cfreds_2015_data_leakage_pc.dd
# mmls cfreds_2015_data_leakage_pc.dd or
# sudo parted cfreds_2015_data_leakage_pc.dd 'unit B print'
To determine the byte offset of a partition we multiply its start sector by the sector size of 512 bytes. In this case
the Windows 7 partition starts at sector 206848, so the offset required is 206848 × 512 = 105906176.
# ls -l /mnt/win7dd2
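As an added example (not part of the report), the following Python turns mmls output into the byte offsets the report computes by hand and builds the read-only loop mount command for each file-system partition. The mmls text is constructed to resemble this image (only the Windows partition start sector 206848 is taken from the report); the file and mount point names are the report's.

```python
import re

SECTOR = 512  # mmls reports "Units are in 512-byte sectors" for this image

# Constructed sample of mmls output for a Windows 7 disk image; partition
# sizes other than the Windows start sector (206848) are illustrative.
SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)
"""

ROW = re.compile(r"^(\d{3}):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_mmls(text):
    """Return the allocated file-system partitions with byte offsets and sizes."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        slot, start, length, desc = m.group(2), int(m.group(3)), int(m.group(5)), m.group(6)
        if slot in ("Meta", "-------"):   # partition-table entries and unallocated gaps
            continue
        parts.append({
            "start_sector": start,
            "offset_bytes": start * SECTOR,          # value for mount -o offset=
            "size_mib": length * SECTOR // (1024 * 1024),
            "description": desc.strip(),
        })
    return parts

def mount_command(part, image, mountpoint):
    """Read-only loop mount; ro and noexec keep the evidence unchanged."""
    return (f"mount -o ro,noexec,loop,offset={part['offset_bytes']} "
            f"{image} {mountpoint}")

if __name__ == "__main__":
    for p in parse_mmls(SAMPLE_MMLS):
        print(p["size_mib"], "MiB", p["description"])
        print(mount_command(p, "cfreds_2015_data_leakage_pc.dd", "/mnt/win7dd2"))
```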
Question number 1:
What are the hash values (MD5 & SHA-1) of all images?
Does the acquisition and verification hash value match?
Run the following commands to verify the MD5 and SHA-1 of the images against the values on the download page:
# md5sum cfreds_2015_data_leakage_pc.dd
# sha1sum cfreds_2015_data_leakage_pc.dd
The image has two partitions: the first partition is 100 MB and the second is 20,378 MB. The parted command
revealed the following information:
# sudo parted cfreds_2015_data_leakage_pc.dd 'unit MiB print'
Question Number 3:
The OS details can be fetched from the SOFTWARE, SYSTEM, and NTUSER.DAT registry hives, under the following
keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKLM\Software\Microsoft\Office\Common\UserInfo
Question Number 4:
The time zone used on the system is shown in the table below, extracted from the Windows Registry using the following
command:
The time zone information shows that the Bias is 5 hours from UTC, which means that the machine is in the EST time zone.
The daylight-saving adjustment is one hour. The registry hive that holds the time zone information is SYSTEM, under the key
HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation
Cyber Forensics – Module 6 Week 8 Individual Assignment Page 4 of 48
Question Number 5:
What is the computer name?
INFORMANT-PC
Question Number 6:
List all accounts in OS except the system accounts: Administrator, Guest, systemprofile, LocalService, NetworkService.
(Account name, login count, last logon date…)
The user information can be found in the SAM registry hive; running the following RegRipper command
revealed the users defined on the Windows system.
Question Number 7: Who was the last user to logon into PC?
As per the information from question 6, the last user logged into the machine was ‘Informant’ at 25/03/2015 14:45:59 UTC.
The machine shutdown information can be found in the SYSTEM registry hive. Running the following command
reveals this information:
The registry key is HKLM\SYSTEM\ControlSet001\Control\windows and the value is ShutdownTime.
The network card configuration is found in the SOFTWARE registry hive under the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
Information about installed applications can be found in the SOFTWARE registry hive under the Uninstall key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Uninstall
Running the following command extracted the runtime and count of the executables:
Question Number 12: List all traces about the system on/off and the user logon/logoff.
(It should be considered only during a time range between 09:00 and 18:00 in the timezone from Question 4.)
The Windows event logs that contain the logon and logoff events can be found in the Security event log file, which
is located under Windows/System32/winevt/Security.evtx
Using the following tool and command to dump the security events, we look for the logon event ID 4624, the logoff event
ID 4634 and the shutdown event ID 1100.
Question Number 14: Identify directory/file paths related to the web browser history.
Browsers keep their browsing history under the user profile folders. In this case the informant user folder contains the
browsing history files of Internet Explorer and Google Chrome as follows:
Internet Explorer 9
C:\Users\informant\AppData\Local\Microsoft\Windows\History\
C:\Users\informant\AppData\Local\Microsoft\Windows\Temporary Internet Files\
C:\Users\informant\AppData\Roaming\Microsoft\Windows\Cookies\
Internet Explorer 11
Google Chrome:
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Application Cache\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Media Cache\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\GPUCache\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Cookies\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Extensions\
Question Number 15: What websites were the suspect accessing? (Timestamp, URL...)
Examining the files listed in question 14 reveals that the following URLs were accessed in Internet Explorer and Google
Chrome.
Using the sqlite3 tool to get the visited sites with timestamps:
# sqlite3 /mnt/win7dd2/Users/informant/AppData/Local/Google/Chrome/User\
Data/Default/History
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> SELECT datetime(((visits.visit_time/1000000)-11644473600), "unixepoch"),
urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
Internet Explorer:
Question Number 16: List all search keywords using web browsers. (Timestamp, URL, keyword...)
Internet Explorer:
Google Chrome
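The following Python is an added example (not part of the report) covering the Chrome side of questions 15 and 16: it performs the report's visit query with the 1601-epoch conversion done in code, and joins Chrome's keyword_search_terms table to recover search-bar keywords. The in-memory History database, URLs, titles and timestamps are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History db stores times as microseconds since 1601-01-01 UTC (the
# FILETIME epoch); the 11644473600 s in the report's SQL is the gap to the Unix
# epoch. Here the conversion is done with datetime arithmetic instead.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    return EPOCH_1601 + timedelta(microseconds=us)

def utc_to_webkit(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds

def fmt(us):
    return webkit_to_utc(us).strftime("%Y-%m-%d %H:%M:%S")

# Every visit joined to its url row (the report's query, as an explicit JOIN).
VISITS_SQL = """SELECT visits.visit_time, urls.url, urls.title
               FROM visits JOIN urls ON urls.id = visits.url
               ORDER BY visits.visit_time"""
# keyword_search_terms links a search-box term to the url row it produced.
SEARCH_SQL = """SELECT visits.visit_time, urls.url, kst.term
               FROM keyword_search_terms AS kst
               JOIN urls ON urls.id = kst.url_id
               JOIN visits ON visits.url = urls.id
               ORDER BY visits.visit_time"""

def list_visits(conn, start="0000", end="9999"):
    """(timestamp, url, title) rows; start/end are 'YYYY-MM-DD HH:MM:SS' UTC bounds."""
    return [(fmt(ts), url, title) for ts, url, title in conn.execute(VISITS_SQL)
            if start <= fmt(ts) <= end]

def list_search_terms(conn):
    """(timestamp, url, search term) rows."""
    return [(fmt(ts), url, term) for ts, url, term in conn.execute(SEARCH_SQL)]

def build_sample_history():
    """Constructed in-memory History db with the subset of Chrome's schema used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          lower_term TEXT, term TEXT);""")
    t0 = utc_to_webkit(datetime(2015, 3, 23, 18, 21, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://www.google.com/search?q=data+leakage", "data leakage - Google Search"),
        (2, "https://drive.google.com/", "Google Drive")])
    conn.executemany("INSERT INTO visits VALUES (?,?,?)",
                     [(1, 1, t0), (2, 2, t0 + 90 * 1_000_000)])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 1, "data leakage", "data leakage"))
    return conn
```

Against the real image, replace build_sample_history() with sqlite3.connect() on a copy of the History file from the path listed in question 14; Chrome keeps it locked while running, so always work on a copy.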
Question Number 17: User keywords at the search bar in Windows Explorer. (Timestamp, Keyword)
The keyword found is ‘secret’, searched on Mon March 23 2015 18:40:17 (UTC).
Question Number 18: What application was used for e-mail communication?
Microsoft Outlook 2013, installed with Office Professional Plus 2013. Outlook was found installed under the Uninstall
registry key, as per question 10.
# ls -l /mnt/win7dd2/Users/informant/AppData/Local/Microsoft/Outlook
Question Number 20: What was the e-mail account used by the suspect?
As per question 19, the email address used is iaman.informant@nist.gov
Question Number 21: List all e-mails of the suspect. If possible, identify deleted e-mails.
(You can identify the following items: Timestamp, From, To, Subject, Body, and Attachment)
[Hint: just examine the OST file only.]
Using the tool pffexport to export the OST file and examine its messages as follows:
VID_0781&PID_5571
LastWrite: Tue Mar 24 13:58:31 2015
SN : 4C530012450531101593
LastWrite: Tue Mar 24 13:38:00 2015
VID_0781&PID_5571
LastWrite: Tue Mar 24 13:58:31 2015
SN : 4C530012550531106501
LastWrite: Tue Mar 24 19:38:09 2015
Question Number 23: Identify all traces related to ‘renaming’ of files in Windows Desktop.
(It should be considered only during a date range between 2015-03-23 and 2015-03-24.)
[Hint: the parent directories of renamed files were deleted and their MFT entries were also overwritten. Therefore,
you may not be able to find their full paths.]
The $UsnJrnl, located under the $Extend folder of partition 2 in the image, contains valuable information about file
operation activities on the operating system. Therefore, we need to extract the UsnJrnl records as a binary file for
analysis to find the renaming traces of any suspected files.
First, find the offset of the partition in which the UsnJrnl is located using mmls; it is 0000206848:
# mmls cfreds_2015_data_leakage_pc.dd
Then use the tool fls to list the UsnJrnl entries and locate the $J MFT entry as follows:
Then use istat to find the data attribute of $J, which is normally attribute type 128:
# istat -i raw -o 0000206848 cfreds_2015_data_leakage_pc.dd 59016 | more > istat_results.txt
After that, use icat to extract the UsnJrnl binary for processing.
The resulting file is then transferred to a Windows machine for parsing with the Windows tool UsnJrnl2Csv.
The CSV file is then imported into Excel, where it can be easily searched and filtered to look for the renamed files, as
follows:
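As an added example (not part of the report), the following Python parses the raw $J binary extracted with icat directly on the Linux workstation, without the UsnJrnl2Csv/Excel round trip, and pairs the RENAME_OLD_NAME/RENAME_NEW_NAME records of each MFT entry inside question 23's 2015-03-23 to 2015-03-24 window. The record layout is Microsoft's documented USN_RECORD_V2; the sample $J bytes, file names and timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
# USN_RECORD_V2 (Microsoft's documented layout): 60-byte header + UTF-16LE name.
HDR, HDR_LEN = "<IHHQQQQIIIIHH", 60
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_usn_records(data):
    """Yield one dict per record in a raw $J dump, skipping sparse zero runs."""
    off = 0
    while off + HDR_LEN <= len(data):
        (length, major, _, fref, _, usn, ts, reason, _, _, _, name_len,
         name_off) = struct.unpack_from(HDR, data, off)
        if length == 0:        # zero fill: $J is sparse, records 8-byte aligned
            off += 8
            continue
        if major != 2 or length < HDR_LEN or off + length > len(data):
            raise ValueError(f"bad USN record at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "name": name,
               "time": EPOCH_1601 + timedelta(microseconds=ts // 10),  # 100 ns ticks
               "mft": fref & 0xFFFFFFFFFFFF,  # low 48 bits = MFT entry number
               "flags": [n for bit, n in REASONS.items() if reason & bit]}
        off += length

def find_renames(data, start, end):
    """Pair OLD/NEW name records of one MFT entry timestamped within [start, end]."""
    pending, renames = {}, []
    for rec in parse_usn_records(data):
        if not start <= rec["time"] <= end:
            continue
        if "RENAME_OLD_NAME" in rec["flags"]:
            pending[rec["mft"]] = rec["name"]
        elif "RENAME_NEW_NAME" in rec["flags"] and rec["mft"] in pending:
            renames.append((rec["time"].strftime("%Y-%m-%d %H:%M:%S"),
                            pending.pop(rec["mft"]), rec["name"]))
    return renames

def make_record(name, reason, when, mft, usn):
    """Build one USN_RECORD_V2; used only to construct the sample below."""
    nb = name.encode("utf-16-le")
    d = when - EPOCH_1601
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    length = (HDR_LEN + len(nb) + 7) & ~7
    hdr = struct.pack(HDR, length, 2, 0, mft, 5, usn, ft, reason, 0, 0, 0x20,
                      len(nb), HDR_LEN)
    return hdr + nb + b"\0" * (length - HDR_LEN - len(nb))

# Constructed $J fragment: one rename inside question 23's window, one outside.
WINDOW = (datetime(2015, 3, 23, tzinfo=timezone.utc),
          datetime(2015, 3, 24, 23, 59, 59, tzinfo=timezone.utc))
T_IN = datetime(2015, 3, 24, 13, 38, tzinfo=timezone.utc)
T_OUT = datetime(2015, 3, 26, 9, 0, tzinfo=timezone.utc)
SAMPLE_J = (make_record("confidential.docx", 0x1000, T_IN, 100, 0)
            + make_record("holiday.jpg", 0x2000 | 0x80000000, T_IN, 100, 96)
            + b"\0" * 64 + make_record("old.txt", 0x1000, T_OUT, 101, 256)
            + make_record("new.txt", 0x2000, T_OUT, 101, 336))
```

The parent directory is only available as an MFT reference, so when a parent was deleted and its entry reused, as the hint to question 23 warns, the full path cannot be rebuilt from $J alone.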
To find the network shares used by the user, we need to examine the RunMRU key under NTUSER.DAT:
HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
b \\10.11.11.128\secured_drive\1
Question Number 25: List all directories that were traversed in ‘RM#2’.
The Windows ShellBags keys under UsrClass.dat can reveal important information about the directories traversed on
external storage. So, we investigate the registry hive UsrClass.dat located at the following path and key:
/mnt/win7dd2/Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat
HKU\informant\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Issuing the following command reveals the directories traversed on RM#2:
# perl rip.pl -r /mnt/win7dd2/Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat -p shellbags > shellbags_results.txt
Question Number 26: List all files that were opened in 'RM#2’.
Question Number 27: List all directories that were traversed in the company’s network drive.
Examining the following folders under the AppData of the Informant user profile showed the files traversed on the network folder:
Using the ShellBags extracted in question 25, we can also find the directories traversed on the network drive:
Question Number 28: List all files that were opened in the company’s network drive.
Using the Recent items folder, located at the path below, together with the ShellBags, the files opened were as follows:
# ls -l /mnt/win7dd2/Users/informant/AppData/Roaming/Microsoft/Windows/Recent
The “Uninstall” registry key fetched in question 10 revealed Google Drive, the Google Sync services and Apple iCloud
as installed applications.
Question Number 30: What files were deleted from Google Drive?
Find the filename and modified timestamp of the file.
[Hint: Find a transaction log file of Google Drive.]
Question Number 31: Identify account information for synchronizing Google Drive.
Investigating the Google Drive logs to identify the account as follows:
iaman.informant.personal@gmail.com
As per the previous question, investigating the Windows event log for the CD-ROM event ID 133 showed that the suspect burned
files at 24/03/2015 19:47:47, 24/03/2015 19:56:11, 24/03/2015 20:24:46 and 24/03/2015 20:41:21.
Also, the UsnJrnl showed the CD-ROM burning operations as DAT, FIL and POST.
Koala.jpg
Penguins.jpg
Tulips.jpg
D:\prop
D:\prog
Question Number 36: Identify all timestamps related to a resignation file in Windows Desktop.
[Hint: the resignation file is a DOCX file in NTFS file system.]
Investigating the UsnJrnl, we can find the timestamps of the document file operations as follows:
Question Number 37: How and when did the suspect print a resignation file?
Examining the user's default printer from the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
showed that the user printed on the default printer, which was the Microsoft XPS printer.
Question Number 39: Identify traces related to confidential files stored in Thumbcache.
(Include ‘256’ only)
Download thumbcache_256.db to a Windows machine and examine the file using Thumbcache Viewer.
C:\Users\informant\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
Question Number 41: Identify notes stored in the Sticky Note file.
Dumping the content of the file to a text file showed the message below:
# cat /mnt/win7dd2/Users/informant/AppData/Roaming/Microsoft/Sticky\
Notes/StickyNotes.snt > stickydata.txt
Tomorrow...
Everything will be OK
Windows usually maintains its search and index database in a file called Windows.edb. The existence of this file
means that Windows Search and Indexing is enabled.
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Examining the registry locations will also identify the database file location and parameters.
Using the tool hivexsh to load the SOFTWARE registry hive and search for the Windows Search key, the key and its
values show that Windows Search and indexing is enabled.
# hivexsh /mnt/win7dd2/Windows/System32/config/SOFTWARE
The tool allows viewing a key's values using the command lsval.
Question Number 43: What kinds of data were stored in Windows Search database?
Windows.edb contains valuable information about various areas of Windows activity, such as browsing history,
sticky notes and messaging information.
Question Number 44: Find traces of Internet Explorer usage stored in Windows Search database.
(It should be considered only during a date range between 2015-03-22 and 2015-03-23.)
Using the libesedb tools to examine and extract information from Windows.edb, which is located in the
folder /mnt/win7dd2/ProgramData/Microsoft/Search/Data/Applications/Windows/
Question Number 45: List the e-mail communication stored in Windows Search database.
(It should be considered only during a date range between 2015-03-23 and 2015-03-24.)
Based on the export of Windows.edb completed in the previous question, we can now look for the messaging items
and locate the e-mail communication as follows:
Question Number 46: List files and directories related to Windows Desktop stored in Windows Search database.
(Windows Desktop directory: \Users\informant\Desktop\)
Viewing the file System_ItemDate and filtering it in Excel shows the records under C:\Users\informant\Desktop
Question Number 47: Where are Volume Shadow Copies stored? When were they created?
Microsoft Windows stores Volume Shadow Copies under C:\System Volume Information. The copy was created on 25-03-2015 with a
size of 335,544,320 bytes.
The databases snapshot.db and sync_config.db were deleted from Google Drive by the user's logoff activity, whereas they still
exist in the Volume Shadow Copy. Carving the db files finds the deleted files.
Question Number 49: What files were deleted from Google Drive?
Find deleted records of cloud_entry table inside snapshot.db from VSC.
(Just examine the SQLite database only. Let us suppose that a text based log file was wiped.)
[Hint: DDL of cloud_entry table is as follows.]
As per the NIST answer sheet, examining the snapshot.db located in the VSC through file carving shows the deleted files
that appear in the google_sync log.
Question Number 50: Why can’t we find Outlook’s e-mail data in Volume Shadow Copy?
Outlook was excluded from the VSC, probably because of the size mailboxes usually have. The registry
information showed that Outlook is excluded from the VSC.
Using the registry key: HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot\
Using hivexsh to load the SYSTEM registry hive from /mnt/win7dd2/Windows/System32/config/SYSTEM to find out whether the
OST files are excluded from the VSC:
# hivexsh /mnt/win7dd2/Windows/System32/config/SYSTEM
The content of the key FilesNotToSnapshot lists the OST files located in the user profile as excluded from the VSC.
Using the tool fls to list the deleted files in $Recycle.Bin as follows:
Therefore, we will use the tool ntfsundelete to recover the deleted files:
Question Number 52: What actions were performed for anti-forensics on PC at the last day '2015-03-25'?
Question Number 53: Recover deleted files from USB drive ‘RM#2’.
Using the tool PhotoRec to recover the files, I could recover all files on the image using the following command:
# photorec cfreds_2015_data_leakage_rm#2.dd
Question Number 54: What actions were performed for anti-forensics on USB drive ‘RM#2’?
[Hint: this can be inferred from the results of Question 53.]
The media had been quick-formatted, and I could recover the deleted files from the free space.
Question Number 55: What files were copied from PC to USB drive ‘RM#2’?
As per question 53, the recovered files were copied to RM#2 and then soft-deleted for easy recovery at a later stage.
Question Number 56: Recover hidden files from the CD-R ‘RM#3’.
How to determine the proper filenames of the original files prior to the renaming tasks?
Using the tool PhotoRec to carve the files and recover them.
Question Number 57: What actions were performed for anti-forensics on CD-R ‘RM#3’?
The CD was formatted to be used as external storage; the secret files and other non-business files were copied to it, then
the secret files were deleted for recovery at a later stage.
Question Number 58: Create a detailed timeline of data leakage processes.
Then, on 23/03/2015, the suspect started communicating with a conspirator, who confirmed the files shared by the suspect
through e-mail.
At 23/05/2015 18:21 UTC, the suspect searched in Chrome and Internet Explorer for data leakage methods.
At 23/05/2015 18:31 UTC, the suspect started to leak confidential information by searching for the word "secret" and
copying confidential files from USB to the PC.
At 23/05/2015 18:41 UTC, the suspect renamed the copied files with different titles and different extensions such as .jpg
and .mp3. An e-mail was received from SPY, and IAMAM confirmed “Successfully secured.” and then sent an attachment to SPY.
At 23/03/2015 20:00 UTC, the suspect started to look for cloud drives to share the confidential files: logged into Google
Drive, then connected to the network shared drive, downloaded secret files from the network share, renamed the files and
uploaded them to Google Drive. The links to the Google Drive shared files were sent by e-mail from IAMAM to SPY.
On 24/03/2015, e-mail communication continued between SPY and IAMAM about the data leakage. The suspect
connected RM#1 and copied files to the PC. The suspect also connected to the network share \\10.11.11.128, downloaded
confidential files to the PC, renamed the files and copied them to RM#2. At 24/05/2015 14:02, RM#2 was ejected and the
files were deleted from the PC.
On 24/03/2015 18:31, the suspect created a resignation letter and wrote a sticky note.
On 24/03/2015 18:38, the suspect connected the USB drive and copied files to the CD-R media, then formatted the disk and
burned other non-related files.
On 24/03/2015 20:53, the suspect inserted a new CD-R, copied the confidential folders, renamed them, copied other
non-related files and deleted the confidential folders. Finally, a quick format was performed on the USB drive RM#2.
On 25/03/2015 14:46, the suspect searched for anti-forensics methods, installed CCleaner and Eraser and ran them.
On 25/03/2015 15:14, the suspect removed files from the Recycle Bin, removed the Eraser and CCleaner installer files,
uninstalled CCleaner and iCloud, and then signed out of Google Drive.
On 25/03/2015 15:28, the suspect opened the resignation letter document and printed it using the default XPS printer.
Question Number 59: List and explain methodologies of data leakage performed by the suspect.
The suspect used e-mail to communicate with a spying agent and shared secret files, renaming the files in
advance. The suspect then shared confidential files using cloud services such as Google Drive and iCloud. The suspect also
used USB and CD removable media for copying data, then deleted the data from them in order to recover it at a later stage
using forensic techniques.