Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Final Review
Remember, the final exam is worth 40% of your grade.
Imaging
An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD, etc.).
- Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF.
- Images are typically validated as unchanged by use of one or more cryptographic hash algorithms (md5, sha1, sha256). Of these three commonly used hashing algorithms, only sha256 has no known collision attacks against it.
- On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that the original evidence is unchanged.
- On live systems, it is almost certain that the image hash for a disk in use, or for system memory, will not match on re-acquisition.
- Exact methodologies will vary from organization to organization.
Physical Image: full image of the complete physical disk device content.
Logical Image: image of a logical volume, as mounted on a live system, for example:
- a portion of a physical device
- a RAID spread across several different physical devices
- a mounted encrypted volume
- a mounted network volume
MBR Partitioning
Master Boot Record lives in first 512-byte sector on disk & contains:
- Boot record
- 4 Primary Partition Table Entries (not all need be valid)
- Signature Value (0xAA55)
A Primary Partition may be an Extended Partition, which references a linked list of Secondary Extended Partition Tables.
Each partition table entry contains:
- Starting CHS address
- Ending CHS address
- Starting LBA address
- Number of sectors in partition
- Type of partition
- Flags
First partition usually starts 63 sectors after partition table due to legacy cylinder boundary requirement
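The MBR layout above, as an added example (this parser is written for this review and is not code from the slides): it checks the 0xAA55 signature, decodes the four 16-byte primary entries including the packed CHS fields, flags extended-partition types, and reports whether the first partition starts at the legacy LBA 63 boundary. The sample sector is constructed in the code; the extended type codes 0x05/0x0F/0x85 are standard values, not taken from the slide.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 4 entries x 16 bytes follow the boot code
MBR_SIGNATURE = 0xAA55                 # stored little-endian as bytes 55 AA at offset 510
EXTENDED_TYPES = {0x05, 0x0F, 0x85}    # DOS, Windows LBA and Linux extended partition types


def decode_chs(raw):
    """Decode a 3-byte CHS address: head; 6-bit sector plus the top 2 cylinder bits; low 8 cylinder bits."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return (cylinder, head, sector)


def parse_partition_entry(entry):
    """Parse one 16-byte primary partition table entry."""
    flags, start_chs, ptype, end_chs, start_lba, num_sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "flags": flags,
        "bootable": bool(flags & 0x80),
        "type": ptype,
        "extended": ptype in EXTENDED_TYPES,
        "start_chs": decode_chs(start_chs),
        "end_chs": decode_chs(end_chs),
        "start_lba": start_lba,
        "num_sectors": num_sectors,
        # An all-zero entry (type 0, no sectors) is an unused slot, not a partition.
        "valid": ptype != 0 and num_sectors != 0,
    }


def parse_mbr(sector):
    """Validate the signature and return the four primary partition table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{signature:04X}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entries.append(parse_partition_entry(sector[off:off + 16]))
    return {"signature": signature, "partitions": entries}


def legacy_cylinder_alignment_notes(mbr):
    """Report whether the first valid partition starts at LBA 63, the legacy cylinder boundary."""
    notes = []
    for n, p in enumerate(mbr["partitions"]):
        if p["valid"]:
            if p["start_lba"] == 63:
                notes.append(f"entry {n}: starts at LBA 63 (legacy cylinder boundary)")
            else:
                notes.append(f"entry {n}: starts at LBA {p['start_lba']}")
            break
    return notes


def build_sample_mbr():
    """Constructed sample: bootable NTFS partition at LBA 63, an extended partition, two unused slots."""
    sector = bytearray(SECTOR_SIZE)
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 204800)
    entry1 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x05, b"\xFE\xFF\xFF", 204863, 409600)
    sector[446:462] = entry0
    sector[462:478] = entry1
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    for n, p in enumerate(mbr["partitions"]):
        if p["valid"]:
            print(n, hex(p["type"]), p["start_lba"], p["num_sectors"], "extended" if p["extended"] else "")
    print(legacy_cylinder_alignment_notes(mbr))
```

Run against the first 512 bytes of an image to see the same output on real data; a start LBA other than 63 on an XP-era disk is worth a second look, and a signature mismatch usually means the sector is not an MBR at all.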
File Systems
A filesystem is a method of mapping file data and metadata onto a storage volume in such a way that it can be stored and retrieved efficiently.
Filesystem Data Categories:
- File System: data pertaining to the filesystem as a whole
- Content: data contained within the bodies of files
- Metadata: data about files
- File Name: human interface reference for a file identifier
- Application: data implementing special filesystem features such as journaling or quotas
Big-Endian: most significant byte stored first (lowest address); used by mainframes & UNIX systems.
Little-Endian: least significant byte stored first; used by PCs.
Slack Space
RAM Slack: space in the last sector of a file after the end of the file data. In Win95 and earlier this got randomly populated with data from memory; since then it is nulled out when a file is written.
File Slack: any remaining sectors in the last cluster of a file following the RAM Slack. These are not overwritten when the file is written, and will still contain any previous content. (Usage of this term sometimes includes RAM Slack.)
Collectively, File Slack is the space between the logical and physical end of file:
- Physical EOF is the end of the allocated clusters
- Logical EOF is the end of the file data
NTFS
Everything in NTFS is a file, including the MFT.
MFT structure (every file has an MFT entry): file attributes, particularly:
- Standard Information Attribute (contains primary file timestamps)
- Filename Attribute (there may be two of these, and each contains redundant timestamps)
- Data Attribute (for resident files [< a few hundred bytes], data is contained within the MFT entry itself)
Data attributes after the first are referred to as Alternate Data Streams.
NTFS MFT
NTFS Data Structure - Master File Table (MFT)
Heart of NTFS. Has an entry for every file and directory, including itself. MFT entries are 1024 bytes in length, & start with FILE (typically) or BAAD. A single file can require multiple MFT entries to store all its attributes, but this is rare. It's sometimes possible to find complete MFT entries in unallocated space that reference file data also in unallocated space.
- Standard Information Attribute (contains primary file timestamps)
- Filename Attribute (there may be two of these, and each contains redundant timestamps)
- Data Attribute (for resident files, data is contained in the MFT entry itself)
Data attributes after the first are referred to as Alternate Data Streams (ADS). ADS can be used by attackers or malware to hide data.
Directory B-Tree (INDX): contains complete File_Name attributes, including redundant timestamps. Entries also contain a reference to the MFT record number.
NTFS MFT entries have two (sometimes three) attributes that contain timestamps:
- $STANDARD_INFORMATION: the only one normally seen
- $FILE_NAME (short & possibly long): redundant and difficult to change
Four file system timestamps (MACB times) are contained in each attribute, in this on-disk order:
1. creation ([B]orn) time
2. last [M]odified time
3. MFT entry modified ([C]hanged) time
4. last [A]ccessed time
The INDX structure of an NTFS directory stores a complete copy of (both of) the referenced files' filename attributes. This includes all timestamps and file sizes. When a file is deleted, this entry is unlinked from the INDX structure's B-tree, but is not wiped unless overwritten during ensuing B-tree rebalancing. If you find a filename in unallocated space, or in the INDX structure of a folder which no longer contains a file of that name, it helps to know what you're looking at.
Individual NTFS timestamps are 8-byte little-endian quantities showing the number of 100ns units since Jan 1st, 1601. If you see four plausible NTFS datestamps in a row, followed after 26 more bytes by a Unicode filename, you're probably looking at a filename attribute. If it's surrounded by a bunch of other similar data for other filenames, without much interspersed, it's probably a directory: look back a few hundred bytes and see if there's an INDX header. Alternatively, if there is a significant amount of interspersed data, and the only other filename attribute close by is a long or short filename attribute for the same file, you might be looking at an MFT entry: look back a few hundred bytes and see if you see a FILE header.
Detecting altered timestamps:
- Compare standard information attribute timestamps with filename timestamps
- Compare with other timestamps for the same file recovered from directory entries or unallocated space
- Utilities which set timestamps typically will set either a particular time rounded to the nearest second, or will copy standard info attribute times from some other file
- Look for times exact to the second
- Look for times exactly matching other files
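The carving heuristic and the timestamp comparisons above, worked as an added example (this is review code written here, not code from the slides). It decodes FILETIME values, scans a byte blob for four plausible FILETIMEs followed by 26 bytes and a UTF-16LE name, parses the $FILE_NAME body it finds, and then applies the "exact to the second" and $SI-vs-$FN checks. The $FILE_NAME field offsets used are the standard NTFS layout, assumed here since the slide only gives the heuristic; the sample attribute and $SI times are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def filetime_to_datetime(ft):
    """FILETIME: 8-byte little-endian count of 100ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# $FILE_NAME attribute body, standard NTFS layout (assumed here; the slide only gives the heuristic):
#   0 parent directory reference | 8 created | 16 modified | 24 MFT modified | 32 accessed
#   40 allocated size | 48 real size | 56 flags | 60 reparse value | 64 name length | 65 namespace | 66 name (UTF-16LE)
# Offsets 40-65 are the "26 more bytes" between the last timestamp and the filename.
FN_HEADER = struct.Struct("<Q4QQQIIBB")   # 66 bytes


def parse_file_name_attribute(buf):
    (parent_ref, created, modified, mft_modified, accessed, alloc_size, real_size,
     flags, reparse, name_len, namespace) = FN_HEADER.unpack_from(buf, 0)
    name = buf[FN_HEADER.size:FN_HEADER.size + 2 * name_len].decode("utf-16-le")
    return {
        "parent_mft_entry": parent_ref & 0xFFFFFFFFFFFF,   # low 6 bytes; the high 2 are a sequence number
        "created": filetime_to_datetime(created), "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified), "accessed": filetime_to_datetime(accessed),
        "allocated_size": alloc_size, "real_size": real_size, "flags": flags,
        "namespace": namespace, "name": name,
        "raw_filetimes": {"created": created, "modified": modified,
                          "mft_modified": mft_modified, "accessed": accessed},
    }


def find_file_name_attributes(blob, lo_year=1980, hi_year=2030):
    """Carve $FILE_NAME attributes from raw bytes with the slide's heuristic: four plausible FILETIMEs
    in a row, then 26 bytes, then a printable UTF-16LE name of the declared length."""
    lo = datetime_to_filetime(datetime(lo_year, 1, 1, tzinfo=UTC))
    hi = datetime_to_filetime(datetime(hi_year, 1, 1, tzinfo=UTC))
    hits = []
    for ts in range(8, len(blob) - 57):
        start = ts - 8                     # the 8-byte parent reference precedes the timestamps
        if start + FN_HEADER.size > len(blob):
            break
        if not all(lo <= t <= hi for t in struct.unpack_from("<4Q", blob, ts)):
            continue
        name_len, namespace = blob[ts + 56], blob[ts + 57]
        end = start + FN_HEADER.size + 2 * name_len
        if not (1 <= name_len <= 255 and namespace <= 3 and end <= len(blob)):
            continue
        try:
            name = blob[start + FN_HEADER.size:end].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            hits.append((start, parse_file_name_attribute(blob[start:end])))
    return hits


def timestamp_anomalies(si, fn):
    """The slide's comparison checks, on raw FILETIME dicts from $STANDARD_INFORMATION and $FILE_NAME."""
    findings = []
    for key, ft in si.items():
        if ft % 10_000_000 == 0:           # exact to the second: typical of utilities that set timestamps
            findings.append(f"si_{key}_exact_second")
    if si["created"] < fn["created"]:      # $FN creation is hard to alter; an earlier $SI creation is suspect
        findings.append("si_created_before_fn_created")
    return findings


def build_file_name_attribute(name, created, modified, mft_modified, accessed, real_size, parent=5):
    """Constructed sample $FILE_NAME body (not from any real image); parent 5 is the root directory."""
    alloc = -(-real_size // 4096) * 4096
    header = FN_HEADER.pack(parent, datetime_to_filetime(created), datetime_to_filetime(modified),
                            datetime_to_filetime(mft_modified), datetime_to_filetime(accessed),
                            alloc, real_size, 0x20, 0, len(name), 1)
    return header + name.encode("utf-16-le")


T_CREATED = datetime(2012, 3, 14, 9, 26, 53, 589793, tzinfo=UTC)
SAMPLE_BLOB = (b"\x00" * 37
               + build_file_name_attribute("report.docx", T_CREATED, T_CREATED, T_CREATED, T_CREATED, 18342)
               + b"\xff" * 20)
# $SI times for the same file, with creation backdated to an exact second (constructed)
SAMPLE_SI = {"created": datetime_to_filetime(datetime(2009, 1, 1, tzinfo=UTC)),
             "modified": datetime_to_filetime(T_CREATED),
             "mft_modified": datetime_to_filetime(T_CREATED),
             "accessed": datetime_to_filetime(T_CREATED)}

if __name__ == "__main__":
    for offset, attr in find_file_name_attributes(SAMPLE_BLOB):
        print(offset, attr["name"], attr["created"].isoformat())
        print(timestamp_anomalies(SAMPLE_SI, attr["raw_filetimes"]))
```

The plausibility window (1980 to 2030 by default) is what keeps the scan from matching on random bytes; tighten it to the case's date range when carving from unallocated space.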
Forensic Soundness
A forensically sound process is one that ensures data remains complete and materially unaltered (if portions are lost or altered, that fact must be readily apparent) while it is acquired, retained, and transported, so that it is admissible in a legal proceeding. On the final, I could describe a process and ask whether it's forensically sound.
Volatile data available from a live system:
- Network connections
- Open ports & sockets
- Running processes (may be hidden)
- Terminated processes
- Loaded DLLs
- Open files
- Kernel modules
- User logged on
- Data from memory
Fuzzy Hashing
Ssdeep is the most commonly used fuzzy hashing utility. Most effective on files containing large amounts of text, less so with purely binary data, but YMMV.
- Disk
- Volume
- Filesystem
- Database File
- Registry Hive
- Directory
- Physical Memory (Heap)
Recycle Bin (RECYCLER)
- Subfolder under RECYCLER named with the user's SID
- When a file goes into the trash, it's moved to a unique name under this folder such as D<DriveLetter>_<IndexNumber>_<FileExtension>
- Also under this subfolder will be a hidden binary file named INFO2 containing records which document the current name, original full path, & deletion time for each file in the recycle bin
- When the recycle bin is emptied, all these files are deleted
Recycle Bin ($Recycle.bin)
- User SID folder created under $Recycle.bin
- Each deleted file now gets moved to $R###### under the new SID folder
- $I###### with the same number in that folder contains the original path and deletion time for that file (equivalent to INFO2, but for individual files)
The Registry is essentially a specialized filesystem used for configuration data, stored in multiple files (hives).
User Hives
- Ntuser.dat
- UsrClass.dat (added with Win7 or IE8)
You can extract them from live systems with forensic tools such as FTK Imager. Some, such as SAM and Security, may require privileged access to acquire from a live system. As usual, however, physical access trumps all: they're easily retrieved from an offline system.
Registry Structure
If you find unallocated search hits with strings such as regf, hbin, nk, lf, lh, ri, li, & vk nearby, you're likely looking at an old deleted registry file.
- nk entries are registry keys, and contain Windows FILETIME last-updated timestamps
- vk entries are registry values. No timestamps, but they frequently occur shortly after their parent keys
MRU Lists: registry keys that appear many times in different places in the registry, mostly in the ntuser.dat hive.
- Values under such a key include a variable number of values containing last-accessed values of some type, and an MRUList value which indicates the order in which these values were accessed
- The first entry in MRUList is the most recent. The last write time of the key is the date at which the most recent of these was accessed
UserAssist
HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Each value records:
- Application name, ROT-13 encoded
- Run count (starts at 6)
- Last run time (Windows FILETIME)
ROT-13 substitutes alphabetic characters with the character 13 further along in the alphabet (circular), so doing it a 2nd time returns the string to its original value. Numeric & punctuation data are unaffected.
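The UserAssist decoding described above, as an added example (review code written here, not from the slides): a ROT-13 routine that leaves digits and punctuation untouched, and a decoder for one Count value. The 16-byte value layout (4-byte session, 4-byte raw counter, 8-byte FILETIME) is the XP-era format and is an assumption of this example, not something the slide states; the "runs = raw count - 5" step follows the slide's note that the counter starts at 6. The sample value name and data are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def rot13(text):
    """Shift letters 13 places, wrapping within the alphabet; everything else passes through.
    13 + 13 = 26, so applying this twice returns the original string."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_userassist_value(name, data):
    """Decode one UserAssist Count value: ROT-13 name plus the XP-era 16-byte data
    (assumed layout: 4-byte session, 4-byte raw run counter, 8-byte FILETIME)."""
    session, raw_count, last_run_ft = struct.unpack("<IIQ", data[:16])
    return {
        "name": rot13(name),
        "session": session,
        "raw_count": raw_count,
        # The slide notes the counter starts at 6, so the number of runs is the raw value minus 5.
        "runs": max(raw_count - 5, 0),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


# Constructed sample value (encoded name and 16-byte data), not taken from a real hive.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr"
SAMPLE_DATA = struct.pack("<IIQ", 1, 8, 129698496000000000)   # FILETIME for 2012-01-01 00:00:00 UTC

if __name__ == "__main__":
    print(decode_userassist_value(SAMPLE_NAME, SAMPLE_DATA))
```

Note that a FILETIME of zero is reported as no last-run time rather than as the year 1601, which is how an unset value looks when decoded naively.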
CurrentControlSet
Time Zone
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- Some forensic tools (EnCase) will show all file times in the zone set on the workstation they're run on.
- This can be confusing, because many log files will be in either GMT or in local time for the subject system.
- You can wind up with times from the same system in three different zones. This is a pain.
SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
- 0x1 = access timestamps turned off (default on Win7)
- 0x0 (or value doesn't exist, as on Win2K) = access timestamps turned on
NT/2K/XP/2K3:
- .evt files in %systemroot%\System32\config: SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others
- File header/magic number in bytes 4-8: LfLe
- Header in 2nd 4 bytes of each record: LfLe (same as file header)
- 2 timestamps per record (generated & recorded), UNIX Epoch time format
Vista/7/2K8:
- .evtx files in %systemroot%\System32\winevt\logs: SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
- Header in 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
- Binary XML format
- Logs can be sent to a remote log collector
File locations can be changed in the registry.
UNIX Epoch time = number of seconds since 00:00 Jan 1st, 1970 GMT.
Example Scenario: Domain user logs in to workstation and maps network file share
Domain user (Kerberos authentication, Win2K3 server environment) logs in to workstation and maps a network file share to a file server. Events logged (Workstation / File Server):
- 673 - service ticket granted (workstation)
- 673 - service ticket granted (domain controller)
- 540 - Successful Network Logon
- 538 - User Logoff
- 673 - service ticket granted (file server)
- 540 - Successful Network Logon
- 538 - User Logoff
Office document metadata fields:
- Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters
- Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)
Office 2007+ documents:
1. Unzip the file (all the 2007+ Office files are actually zip archives of a file tree); the result will be a folder.
2. Examine the file docProps\app.xml under that extracted folder.
3. Metadata values will be encoded in XML.
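The three-step procedure above done in code, as an added example (written for this review, not code from the slides): the OOXML container is opened as a zip archive in memory and the metadata elements are read out of docProps/app.xml. It goes one step beyond the slide by also reading docProps/core.xml, which is where author, last author, revision and the creation/modification dates live in 2007+ files (the slide's field list spans both parts). The namespace URIs are the standard OOXML ones; the sample document is constructed in the code and contains only the two metadata parts.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

METADATA_PARTS = ("docProps/app.xml", "docProps/core.xml")


def read_office_metadata(data):
    """Read metadata from an Office 2007+ (OOXML) file given as bytes.
    Returns {part name: {field: value}} for whichever of the two docProps parts are present."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in METADATA_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            fields = {}
            for elem in root:
                # Element tags arrive as '{namespace-uri}Tag'; keep only the plain tag name.
                tag = elem.tag.rsplit("}", 1)[-1]
                if elem.text is not None and elem.text.strip():
                    fields[tag] = elem.text.strip()
            result[part]= fields
    return result


def build_sample_docx():
    """Constructed minimal OOXML container holding only the two metadata parts (not a real document)."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        "<Template>Normal.dotm</Template><TotalTime>47</TotalTime><Pages>3</Pages><Words>1284</Words>"
        "<Application>Microsoft Office Word</Application><Company>Example Corp</Company>"
        "</Properties>"
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>Quarterly Report</dc:title><dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>asmith</cp:lastModifiedBy><cp:revision>12</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2012-03-01T14:22:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2012-03-14T09:26:53Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, fields in read_office_metadata(build_sample_docx()).items():
        print(part)
        for k, v in fields.items():
            print(f"  {k}: {v}")
```

To run it on a real file, pass `open(path, "rb").read()` to `read_office_metadata`; a document missing docProps/core.xml altogether is itself worth noting, since Office always writes it.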
PDF Metadata
- Author, Copyright, CreationDate, Creator (application name), Keywords, Marked (boolean value), ModDate, PDFVersion, Producer (application name), Subject, Title, Trapped
The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files.
Image metadata:
- Newer digital cameras & phones often geotag images with GPS coordinates
- Can also potentially identify the specific camera that took a picture
- Lots of data about specific camera settings at the time the picture was taken
- Can sometimes identify photo editing software used to alter the image
- Some images carry an internal thumbnail which can be extracted
PE file metadata fields:
- Machine Type, Time Stamp (compiled), PE Type, Linker Version, Code Size, Initialized Data Size, Uninitialized Data Size, Entry Point, OS Version, Image Version, Subsystem Version, Subsystem (GUI/DOS/Native), File Version Number, Product Version Number, File Flags Mask
- File Flags, File OS, Object File Type (app/dll), File Subtype, Language Code, Character Set, Company Name, File Description, File Version, Internal Name, Legal Copyright, Original Filename, Product Name, Product Version, Product Date
Pre-Vista: Thumbs.db
- Populated in any folder which has at one time been set to show thumbnails of included images & documents
- Hidden file, not viewed by most users and not cleaned out when files are removed from the folder
- Uses OLE compound document format (similar to Office 2K3 and previous) to store: thumbnail picture of the original image or first page of the document, last modification time, original filename
Vista+: Thumbcache
- Located in <profile>\AppData\Local\Microsoft\Windows\Explorer
- All created when a folder is switched to thumbnail mode or the user views pictures in a slideshow
- Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers
- Numbered files store the actual images; linking to files is done by the idx file. Purpose of the sr file not yet determined
Files: Thumbcache_32.db (small), Thumbcache_96.db (medium), Thumbcache_256.db (large), Thumbcache_1024.db (extra large), Thumbcache_idx.db, Thumbcache_sr.db
Email Forensics
Remember that all headers added by systems before the earliest system you control could possibly have been spoofed.
Mail store formats:
- PST/OST (Outlook)
- DBX (Outlook Express)
- EML/FOL (Windows Mail)
- MSF/no ext (Thunderbird)
- MBX/TOC (Eudora)
Received: one added by each SMTP server in the forwarding chain
Message-ID: added by originating SMTP server; Unique_identifier@originating_server
X-Originating-IP: optional, added by originating MTA; should match earliest Received header
X-Mailer
Attachments
SMTP only allows text; enter Multimedia Internet Mail Extensions (MIME).
Spoliation
The destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation.
A party claiming spoliation must demonstrate:
- The party having control of the evidence had an obligation to preserve it at the time it was destroyed
- The evidence was destroyed with a culpable state of mind
- The destroyed evidence was relevant to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense
Incident response process:
1. Preparation (Important)
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-Up and Lessons Learned (Even More Important)
Whenever a file (local or remote) is opened using Explorer, a shortcut file is created:
Note: In Win7, the link may get created inside a jumplist file
- Begins with magic value 4C 00 00 00 (L NULL NULL NULL)
- Four-byte file length at offset 34h (easy to carve)
- Timestamps from the original file when the shortcut was last accessed
- Size from the original file when the shortcut was last accessed
- Volume info: name, type (HD, Removable, Remote, CD), serial #
- Network share name, if any
- Long & short filename
- Original file path
- FileLocation (ObjectID [contains MAC address] + VolumeID)
Two different ones if file has been moved between 2 NTFS volumes
These files are really short, and so are typically resident in their MFT entry.
- Used to increase performance by preloading code pages for commonly used applications
- Referred to as SuperFetch in Vista/Win7
- Found in %Windir%\Prefetch as <Exename>-<8 char hash of path>.pf
- Prefetch files are not cleaned out when the exe is removed
- Up to 128 of them can exist at a time
Contents:
- Paths of all files & folders accessed by the program in the first 10 seconds
- Create time indicates when the executable was first run
- Mod date & internal FILETIME indicate the last time
- Run count
- Volume path & serial # for all files referenced
- Prefetch\Layout.ini contains path information
- File size: 4-byte quantity at offset 0x000c
Restore Points
Restore Points (XP) are created by default every 24 hours so the user can restore the system to a previous state if something goes wrong (boot to last known good state); kept 90 days by default.
- Contain copies of all system files & registry entries changed since the last restore point
- Found in C:\System Volume Information\_restore{GUID}\RP###\
- Change.log (binary) file maps generic restore point filenames back to their original paths
- Rp.log: last 8 bytes are the Windows FILETIME for the restore point creation date
- Snapshot subfolder contains copies of changed registry keys for all hives (only accessible by System on a live host)
Shadow Copies: Vista/7 version of Restore Points, but much more pervasive.
- Tracks all (aggregate) changes made to the filesystem since the last Shadow Copy
- Literally allows the entire filesystem or individual files or folders to be rolled back to a previous state
- Offline filesystem can be mounted as it existed at a previous date
- Only takes a snapshot periodically (Win7: weekly), not continually. Enabled by default. Typically limited to 15% of volume size
Windows Explorer tracks in the registry when you've opened some folder and changed the way it appears on the desktop, so it can be the same next time you open it.
- Never cleaned up
- Binary format
- Registry keys include a timestamp, so you can tell a date when the specified folder was accessed
- Tracks external shares & removable media, so you have a record of the folder structures on them
Location (XP): NTUSER.DAT hive
Location (Vista/7): USRCLASS.DAT hive
Custom Destinations
<profile>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<AppID>.customDestinations-ms
File contains embedded .LNK files which can be carved out (LNK header is \x4c\x00\x00\x00\x01\x14\x02, file size is 4 bytes at offset 34h) and analyzed.
Automatic Destinations
<profile>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<AppID>.automaticDestinations-ms
Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer, from which .LNK files can be exported directly.
Replaced the old Quick Launch toolbar from XP Allows user to pin a program to the taskbar for similar functionality Actual implementation substantially more complicated, similar to & used like the old My Recent Documents shortcuts.
Recent Items in the Win7 start menu goes to a folder that contains both shortcuts and Jump Lists
Another way to note opening or creation of files, or to identify previous existence of deleted or wiped files Records file access for specific applications Lists can contain up to several hundred items, though only a few are shown
Information recoverable about USB devices:
- Vendor, Model, Version, Capacity
- Serial Number (most, but not all)
- Last Drive Letter
- Volume Name (filesystem)
- Volume Serial Number (filesystem)
- First Use
- First Use Since Last Reboot
- Last Use
- Other usage timestamps may be in restore points
HKLM\System\CurrentControlSet\Enum\USBSTOR
- Subkey named Disk&Ven_<vendor name>&Prod_<product name>&Rev_<product version>; product name text may contain capacity and even color
- Under this subkey is another named with the device's unique serial number, if any
- If the device has no serial number (non-standard-conformant), Windows will create one with an & as the second character
- Under the serial number key is a value named ParentIdPrefix (Vista/7 only, used to link to other data)
Times in the log are in the local timezone for the host. Look for the first entry for the device serial number.
Location (XP)
- Bookmarks/Favorites: <profile>\Favorites
- History (Hidden): <profile>\Local Settings\History\History.IE5
- Cache (Hidden): <profile>\Local Settings\Temporary Internet Files\Content.IE5
- Cookies: <profile>\Cookies
- Downloads: <profile>\Downloads
Location (Vista/7)
- Bookmarks/Favorites: <profile>\Favorites
- Cookies: <profile>\AppData\Roaming\Microsoft\Windows\Cookies and <profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low
- History: (Hidden)
- Cache: (Hidden)
- Downloads
Profiles are not always in C:\Documents and Settings; the default profile locations are registry-configurable. Check the following values:
Index.dat Files
- Binary format unchanged since IE 4
- Different files use the same name & format, but store different data
- Index.dat files exist in multiple places for tracking of: History, Cookies, Cache Data
- Difficult to remove because always locked, but IE settings can clear entries
- File signature: Client UrlCache MMF Ver 5.2
- Four-byte file size starting at byte 28
Four types of record are known (the name of each is also its record signature):
- URL - indicates URIs that were actually requested
- REDR - indicates the browser was redirected to another site
- HASH - hash indexes of the contents of the index.dat file (not useful)
- LEAK - result of an attempt to delete an entry while the associated cache file is open (other mechanisms possible)
IE History
- Designed for URL autocompletion
- Tracks all user browsing history for the last 20 days by default
- If browsing history is set to 0 days, it is still kept, but deleted on system shutdown or the next day
- Also tracks Explorer access to local files
- For each URL or file, tracks last access timestamp & number of times accessed
History files:
- Master index.dat file under History.IE5
- Daily, weekly, or (potentially) monthly index.dat files under other folders; folders are named according to the date span covered by the contained file
- After the 6th day, aggregate daily history content is rolled up into a weekly file
- Actual files and folders cannot be seen in the Windows GUI on a live system, but can from the command line using dir /a
History record header:
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     Number of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
IE Cache
- Exists to speed up access by using previously obtained local copies of content which has not altered since accessed
- Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldn't have. Also, the RFCs never formally stated SSL should not be cached
- Can include references to entries that have been removed in the meantime
- Cleared entries are wiped more effectively by IE7 and later
Some RFCs & Microsoft specifications clearly define what is supposed to be cached:
- RFC2616 (HTTP 1.1): cache-response-directive = no-store
- RFC1945 (HTTP 1.0): entries past expiration date not cached (less clear)
- MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE
For instance, no-cache (HTTP 1.1) and Pragma: no-cache (HTTP 1.0) don't mean "do not cache". Both mean "send a request for the content even if it is cached".
Older browser versions were very bad at properly interpreting and enforcing these specifications because of this.
Cache Artifacts
- Index.dat file under Content.IE5
- Semi-randomly named subfolders contain files with cached content
- Contains entries for cacheable URLs visited, each of which references a file that may or may not still exist
- Original filename with bracketed instance number before .ext
- Folders added in groups of four (if not, investigate why; could be a data hiding location)
Other cache folders:
- AntiPhishing
- Content.MSO - not sure; local copy from external document linking in Office?
- Content.Outlook - attachment files opened directly in Outlook
- Content.Word - temp files created when Word is used as editor for Outlook
- OLK5432 - unknown
- Others?
Cache record header:
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     Number of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
92      4     Last Checked FATTIME
FATTIME
Offset  Size  Description
0       2     date
2       2     time

Date word:
Bit 0 (LSB)   5 bits   day of the month
Bit 5         4 bits   month
Bit 9         7 bits   year (offset from 1980)

Time word:
Bit 0 (LSB)   5 bits   seconds / 2
Bit 5         6 bits   minutes
Bit 11        5 bits   hours
IE Cookies
Cookies exist to add state information to web browser sessions. Not all sites use them.
- Small text files (persistent cookies); session cookies in memory only
- Included data: issuing website, account on that site, NTFS FILETIMEs, website-specific data in the cookie
- Some cookie data is encrypted & some is not
Cookie record header:
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     Number of 128-byte blocks in record
8       8     LastModified FILETIME (URL) (last changed by server)
16      8     LastAccessed FILETIME (URL) (last uploaded)
24      4     Expiration FATTIME
84      4     Hits (times uploaded)
92      4     Last Checked FATTIME
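The index.dat record headers and the FATTIME bit layout above, decoded in code as an added example (written for this review, not taken from the slides). It decodes FILETIME and FATTIME fields, reads the header fields at the offsets given in the history, cache and cookie tables, and scans a byte blob for record signatures followed by a sane block count, which is how the same records are recognised in slack or unallocated space. Two details are assumptions beyond the tables: the URL signature is space-padded to 4 bytes on disk, and the hits field at offset 84 is read for every URL record, not only cookie records. The sample record is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK_SIZE = 128
# Record signatures are 4 bytes; "URL" is space-padded on disk (assumption of this example).
RECORD_SIGNATURES = (b"URL ", b"REDR", b"HASH", b"LEAK")


def filetime_to_datetime(ft):
    """FILETIME: 100ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def fattime_to_datetime(raw):
    """FATTIME: 2-byte date word then 2-byte time word, both little-endian.
    Date: bits 0-4 day, 5-8 month, 9-15 years since 1980. Time: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours.
    No time zone is stored, so a naive datetime is returned; an all-zero value means "not set"."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def datetime_to_fattime(dt):
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def parse_record_header(rec):
    """Decode the fixed header fields listed in the history/cache/cookie record tables."""
    signature = rec[0:4]
    if signature not in RECORD_SIGNATURES:
        raise ValueError(f"unknown record signature {signature!r}")
    (blocks,) = struct.unpack_from("<I", rec, 4)
    out = {"signature": signature.decode("ascii").strip(), "blocks": blocks, "length": blocks * BLOCK_SIZE}
    if signature == b"URL ":
        last_modified, last_accessed = struct.unpack_from("<QQ", rec, 8)
        out["last_modified"] = filetime_to_datetime(last_modified)
        out["last_accessed"] = filetime_to_datetime(last_accessed)
        out["expiration"] = fattime_to_datetime(rec[24:28])
        (out["hits"],) = struct.unpack_from("<I", rec, 84)
        out["last_checked"] = fattime_to_datetime(rec[92:96])
    return out


def find_records(blob, max_blocks=64):
    """Scan raw bytes (e.g. carved or slack data) for a record signature followed by a plausible block count."""
    found = []
    for sig in RECORD_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1:
            if pos + 8 <= len(blob):
                (blocks,) = struct.unpack_from("<I", blob, pos + 4)
                if 1 <= blocks <= max_blocks and pos + blocks * BLOCK_SIZE <= len(blob):
                    found.append((pos, parse_record_header(blob[pos:pos + blocks * BLOCK_SIZE])))
            pos = blob.find(sig, pos + 1)
    return sorted(found, key=lambda item: item[0])


def build_sample_url_record():
    """Constructed 2-block URL record (not from a real index.dat)."""
    rec = bytearray(2 * BLOCK_SIZE)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, 2)
    # LastModified 2012-01-01 00:00:00 UTC, LastAccessed one hour later (36_000_000_000 x 100ns)
    struct.pack_into("<QQ", rec, 8, 129698496000000000, 129698496000000000 + 36_000_000_000)
    rec[24:28] = datetime_to_fattime(datetime(2012, 6, 30, 23, 59, 58))
    struct.pack_into("<I", rec, 84, 3)
    rec[92:96] = datetime_to_fattime(datetime(2012, 1, 1, 0, 0, 0))
    return bytes(rec)


SAMPLE_BLOB = b"\x00" * 100 + build_sample_url_record() + b"\xcc" * 40

if __name__ == "__main__":
    for offset, header in find_records(SAMPLE_BLOB):
        print(offset, header)
```

FATTIME has two-second resolution and carries no zone, so an expiration or last-checked value should be read as local time of the subject system, while the two FILETIMEs decode to UTC; mixing the two is one of the ways the "three time zones" problem from the Time Zone slide shows up.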
Sample Google Analytics tracking cookie __utma (timestamps in UNIX Epoch time):
- XXXX - hash of the client's domain
- RRRR - random unique ID for the client (this is what makes it a tracking cookie)
- FFFF - date of first visit to the site (probably following the last clear of cookies)
- PPPP - timestamp of previous (last) visit
- CCCC - current timestamp
- N - number of sessions since first visit (incremented each time a new session is started after the first)
IE Downloads
- XP default download folder defined by registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory; defaults to the user's desktop
- Vista/Win7 uses <profile>\Downloads\ as default
- If a file is opened rather than saved, a temp copy is created in the IE cache folder, never cleaned unless manually
- IE9 has a separate index.dat for downloads
The TypedURLs registry key maintains a list of the last 25 URLs typed by the user:
HKU\*\Software\Microsoft\Internet Explorer\TypedURLs
Protected Storage (IE4-6; Also used by Outlook Express & MSN Explorer)
- Form autofill field data
- Accounts & passwords (Web, FTP, others)
- Encrypted on disk but not in memory. Trivial to acquire from a live system, & crackable from a dead one (IE4-6)
HKU\*\Software\Microsoft\Protected Storage System Provider\<SID>
Changes in Vista/Win7
- As mentioned previously, file locations have changed
- Protected Mode web browsing is performed as an unprivileged user. This is where the 2nd "Low" filename comes from in the various file artifacts. There are two sets because not all operations use Protected Mode. IE7-9 all support Protected Mode on Vista/Win7
Session Recovery: complete activity tracking for the current & previous session. Enabled by default (even in InPrivate Mode). Deleted (but often recoverable) when History is cleared. Information tracked:
- Tabs open
- List of websites viewed in each tab, with referrers for each
- Session end time
- Time each tab was opened (only if a crash occurred or if for some other reason files are still present in the Active folder)
- Code from the page
- Form data & other artifacts
XP (IE8 Only):
<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active
<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active
Vista/Win7:
Current: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
Previous: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active
Files have .dat extension & are stored in Structured Storage Format
Like Jump Lists, can be examined using MiTeC Structured Storage Viewer
- Opt-in or out at install time
- Data located in <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat
- Tracks all sites visited to suggest similar ones
- Does not track local, HTTPS, or InPrivate browsing
- Normally deleted when history is, but may get out of sync. May not be handled by 3rd party wiping utilities.
SuggestedSites.dat
Record contents:
- URL of visited page (null terminated)
- Title of visited page (null terminated)
- URL of referring page (null terminated)
- 5 unknown bytes
- Windows FILETIME when page visited
Could probably write a simple perl or python script to parse. Unknown binary format, so view with a hex editor. Didn't test this myself. All direct data from Internet sources.
Other places to look:
- Recover deleted cache files
- Session Recovery files (& deleted session recovery files)
- Incompletely cleaned remnants from index.dat
- Network traffic or proxy logs
- Data from memory if you can get it
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.
Registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID>
Details of the BHO under HKLM\SOFTWARE\Classes\CLSID\<CLSID>
Flash Cookies
- Potentially much larger than regular cookies
- Not cleared when they are
- .SOL file extension
- Usually stored in folders under:
- Sometimes found in other locations
- Until recent updates, no easy way to clear
Java Downloads
- Another separate application, but potentially runs downloaded code
- Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common
- Cache folder:
IDX files in this cache are Java applet cache indexes. Included data:
- Filename
- URL downloaded from
- IP of source host
- last modified date
- downloaded date
HTML 5.0 equivalent to Flash Cookies. Located in XML files and Index.dat under:
Regular search: actually searches in real time after the search terms are defined.
Indexed search: preprocesses the data to extract indexes of all strings, then uses these indexes to optimize searching.
- Implementations vary & frequently produce false negatives (examples: Nuix, dtSearch, EnCase, FTK)
- Much faster than regular searches once the index is constructed
- A very useful tool, but not something to depend on
Search tips:
- Always search for Unicode as well as ASCII; Unicode is used in many places by Windows. You may also want to use case-insensitive mode.
- Use regular expression syntax to filter out false positives for short keywords, to match values that can't be expressed in normal ASCII, or to match abstract patterns such as credit card numbers, SSNs, or IP addresses.
Regular Expressions
Exact supported syntax varies from tool to tool, but in general, the following primitives should work:
. - match any single character
[] - defines a character class, a list of characters inside the brackets which will match in this character position (may contain inclusive ranges such as a-z)
[^] - defines a negated character class, a list of characters after the caret which will not match in this character position (may contain inclusive ranges such as a-z)
* - 0 or more repeats of the element in the preceding position
+ - 1 or more repeats of the element in the preceding position
? - 0 or 1 repeats of the element in the preceding position
{m,n} - minimum of m and maximum of n repeats of the element in the preceding position
() - grouping of elements
| - alternation of preceding and following elements (either/or)
\ - escape of a literal metacharacter such as any of the following []-^*+?(){}\ in contexts where they would otherwise be interpreted as specified above
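The search advice above (Unicode as well as ASCII, case-insensitive, regular expressions with false-positive filtering for credit card numbers, SSNs and IP addresses) worked as an added example (written for this review, not code from the slides). The keyword search matches both the ASCII and the UTF-16LE encoding of a term; each pattern is then filtered with a check the regex alone cannot express: octet range for IPv4, Luhn for card numbers, the area/group/serial exclusions for SSNs. The sample blob is constructed and the card number is the well-known Luhn-valid test number.

```python
import re

# Candidate patterns; each match is then filtered to drop the false positives a bare regex produces.
IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")
CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(rb"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def search_keyword(blob, keyword, ignore_case=True):
    """Find a keyword in raw bytes as ASCII and as UTF-16LE (Windows stores many strings as UTF-16LE)."""
    flags = re.IGNORECASE if ignore_case else 0
    hits = []
    for encoding, label in (("ascii", "ascii"), ("utf-16-le", "utf16le")):
        pattern = re.compile(re.escape(keyword.encode(encoding)), flags)
        for m in pattern.finditer(blob):
            hits.append((m.start(), label, m.group().decode(encoding)))
    return sorted(hits)


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if over 9, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ipv4(blob):
    """Dotted-quad candidates whose four octets are all in 0-255."""
    return [m.group().decode("ascii") for m in IPV4_RE.finditer(blob)
            if all(int(octet) <= 255 for octet in m.groups())]


def find_cards(blob):
    """13-19 digit runs (with optional spaces or dashes) that pass the Luhn check, returned as bare digits."""
    out = []
    for m in CARD_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            out.append(digits)
    return out


def find_ssn(blob):
    """NNN-NN-NNNN with the never-issued area (000, 666, 9xx), group (00) and serial (0000) excluded."""
    return [m.group().decode("ascii") for m in SSN_RE.finditer(blob)]


# Constructed sample blob: the keyword in ASCII and UTF-16LE, one valid and one invalid IPv4 address,
# one Luhn-valid and one Luhn-invalid card-shaped number, one SSN-shaped value, one version string.
SAMPLE = (b"\x00\x10LOG user=jdoe Password rotated\x00\x00"
          + "Password".encode("utf-16-le")
          + b"\x00\x00 src=10.0.0.5 dst=192.168.1.300 card=4111 1111 1111 1111"
          + b" ref=1234 5678 9012 3456 ssn=123-45-6789 ver=1.2.3\x00")

if __name__ == "__main__":
    print(search_keyword(SAMPLE, "password"))
    print(find_ipv4(SAMPLE), find_cards(SAMPLE), find_ssn(SAMPLE))
```

Case-insensitive matching on the UTF-16LE pattern works because only the letter bytes carry case; the interleaved null bytes match literally. The version string 1.2.3 is the kind of short value that trips a naive IP pattern, which is why the octet-count and range checks are there.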
Recoverable from a memory image:
- Registry keys & values
- Password hashes
- Process list
- Loaded DLL lists for each process
- Open net connections & sockets
- Cmd.exe history
Questions?