CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 10 Final Review

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons AttributionNoncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Final Review
Remember, the final exam is worth 40% of your grade.

Imaging

An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD etc.) Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF Images are typically validated as unchanged by use of one or more of a number of cryptographic hash algorithms (md5, sha1, sha256) Of these three commonly hashing algorithms, only sha256 has no known collision attacks against it On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that original evidence is unchanged On live systems, it is almost certain that the image hash for a disk in use or system memory will not match Exact methodologies will vary from organization to organization

Physical vs. Logical Imaging

Physical Image Full image of complete physical disk device content Logical Image Image of a logical volume, as mounted on a live system.

Portion of a physical device RAID spread across several different physical devices Mounted encrypted volume Mounted network volume

MBR Partitioning

Most Windows partitions are MBR

Master Boot Record lives in first 512-byte sector on disk & contains:
Boot record 4 Primary Partition Table Entries (not all need be valid) Signature Value (0xAA55)

Partition Table Entry Contains:

Primary Partition may be an Extended Partition, which references a linked list of Secondary Extended Partition Tables

Starting CHS address Ending CHS address Starting LBA address Number of sectors in partition Type of partition Flags

First partition usually starts 63 sectors after partition table due to legacy cylinder boundary requirement

File Systems

A filesystem is a method of mapping file data and metadata onto a storage volume in such a way that it can be stored and retrieved efficiently Filesystem Data Categories:

File System Data pertaining to the filesystem as a whole Content Data contained within the bodies of files Metadata Data about files File Name Human interface reference for a file identifier Application Data implementing special filesystem features such as journaling or quotas

Data Storage: Big-Endian vs. Little-Endian

Big-Endian: Most significant byte stored first (lowest address) Used by mainframes & UNIX systems Little-Endian: Least significant byte stored first Used by PCs

Value: 258 Hex: 0102 (2*16^0+0*16^1++1*16^2) Big-Endian: 01 02 Little-Endian: 02 01

Mnemonic: LLL Little Least Left

Slack Space

RAM Slack Space in the last sector of a file after the end of the file. Back in old versions of Win95 and previous, this got randomly populated with data from memory. Since then it is nulled out when a file is written. File Slack any remaining sectors in the last cluster of a file following the RAM Slack. These are not overwritten when the file is written, and will still contain any previous content. (Usage of this term sometimes includes RAM Slack.) Collectively, File Slack is the space between the logical and physical end of file Physical EOF is end of allocated clusters Logical EOF is end of file data

NTFS

Everything in NTFS is a File, including the MFT MFT Structure (every file has an MFT entry) File Attributes, particularly:

Standard Information Attribute (contains primary file timestamps) Filename Attribute (there may be two of these, and each contains redundant timestamps) Data Attribute (for resident files [< a few hundred bytes], data is contained within the MFT entry itself)

Index_Allocation Attributes (for directories)

Data attributes after the first are referred to as Alternate Data Streams

Attribute Structure Note the various redundant timestamps

B-Tree Contains complete File_Name Attributes, including redundant timestamps

NTFS MFT
NTFS Data Structure - Master File Table (MFT)

Heart of NTFS. Has an entry for every file and directory, including itself. MFT entries are 1024 bytes in length, & start with FILE (typically) or BAAD. A single file can require multiple MTF entries to store all its attributes. But this is rare Its sometimes possible to find complete MFT entries in unallocated space that reference file data also in unallocated
10

NTFS File Attributes of Particular Note

Standard Information Attribute (contains primary file timestamps) Filename Attribute (there may be two of these, and each contains redundant timestamps) Data Attribute (for resident files, data is contained in the MFT entry itself)

Data attributes after the first are referred to as Alternate Data Streams (ADS) ADS can be used by attackers or malware to hide data

Index_Root_Attribute (directories - resident) Index_Allocation Attribute (directories nonresident)

B-Tree Contains complete File_Name Attributes, including redundant timestamps Entries also contain a reference to MFT record number

NTFS MFT Entry Timestamps

NTFS MFT entries have two (sometimes three) attributes that contain timestamps:

$STANDARD_INFORMATION The only one normally seen $FILE_NAME (SHORT & POSSIBLY LONG) Redundant and difficult to change

Four file system timestamps (MACB times) are contained in each entry 2 Last [M]odified time 4 Last [A]ccessed time 3 MFT entry modified ([C]hanged) time 1 creation ([B]orn) time
12

NTFS directory entries also have timestamps & file sizes

The INDX structure of an NTFS directory stores a complete copy of (both) the referenced files filename attributes This includes all timestamps and file sizes. When a file is deleted, this entry is unlinked from the INDX structures btree, but is not wiped unless overwritten during ensuing btree rebalancing If you find a filename in unallocated space, or in the INDX structure of a folder which no longer contains a file of that name, it helps to know what youre looking at

Recognizing NTFS Timestamps

Individual NTFS timestamps are 8-byte little-endian quantities showing the number of 100ns units since Jan 1st , 1601. If you see four plausible NTFS datestamps in a row, followed after 26 more bytes by a unicode filename, youre probably looking at a filename attribute. If its surrounded by a bunch of other similar data for other filenames, without much interspersed, its probably a directory. Look back a few hundred bytes and see if theres an INDX header. Alternatively, if there is a significant amount of interspersed data, and the only other filename attribute close by is a long or short filename attribute for the same file, you might be looking at an MFT entry. Look back a few hundred bytes and see if you see a FILE header.

Detecting timestamp manipulation

Compare standard information attribute timestamps with filename timestamps Compare with other timestamps for the same file recovered from directory entries or unallocated space Utilities which set timestamps typically will set to either a particular time rounded to the nearest second, or will copy standard info attribute times for some other file

Look for times exact to the second Look for times exactly matching other files

15 Look for log references to the suspicious file

Forensic Soundness

A forensically sound process is one that ensures data remains complete and materially unaltered (if portions are lost or altered, that fact must be readily apparent) while it is acquired, retained, and transported, so that it is admissible in a legal proceeding. On the final, I could describe a process and ask whether its forensically sound
16

Volatile Data Elements

Network Connections Open Ports & Sockets Running Processes (may be hidden) Terminated Processes Loaded DLLs Open Files Kernel Modules User Logged On Data from Memory

Fuzzy Hashing

Method of measuring similarity between different files

Ssdeep is the most commonly used fuzzy hashing utility. Most effective on files containing large amounts of text, less so with purely binary data, but YMMV.

Fuzzy hashing is also referred to as context triggered piecewise hashing (CTPH)

Unallocated Space: typical usage of the term

Can be within any record structure for example:

Disk Volume Filesystem Database File Registry Hive Directory Physical Memory (Heap)

Any location which does not currently hold referenced data

WinNT/2K/XP/2K3 Recycle Bin

Subfolder under RECYCLER named with users SID When a file goes into the trash, its moved to a unique name under this folder such as D<DriveLetter>_<IndexNumber>_<FileExtensi on> Also under this subfolder will be a hidden binary file named INFO2 containing records which document current name, original full path, & deletion time for each file in the recycle bin When the recycle bin is emptied, all these files are deleted

WinVista/7 Recycle Bin

User SID folder created under $Recycle.bin Each deleted file now gets moved to $R###### under the new SID folder $I###### with the same number in that folder contains the original path and deletion time for that file (equivalent to INFO2, but for individual files)

The Windows Registry

Essentially a specialized Filesystem used for configuration data Stored in multiple files (hives)

System Hives (%Windir%\System32\Config)

SAM (Security Account Manager) Security System Software Default

User Hives
Ntuser.dat UsrClass.dat (added with Win7 or IE8)

Hive files are locked while the OS runs

You can extract them from live systems with forensic tools such as FTK Imager Some, such as SAM and Security, may require privileged access to acquire from a live system As usual, however, physical access trumps all. Theyre easily retrieved from an offline system

Registry Structure

If you find unallocated search hits with strings such as regf, hbin, nk, lf, lh, ri, li, & vk nearby, youre likely looking at an old deleted registry file. nk entries are registry keys, and contain Windows FILETIME last updated timestamps vk entries are registry values. No timestamps, but frequently occur shortly after their parent keys

MRUlist Most Recently Used

Registry key that appears many times in different places in the registry, mostly in the ntuser.dat hive Values under this key include a variable number of values containing last accessed values of some type, and a MRUlist value which indicates the order in which these values were accessed First entry in MRUList is most recent. The last write time of the key is the date at which the most recent of these was accessed

UserAssist

HKU\*\Software\Microsoft\Windows\Curr entversion\Explorer\UserAssist

Application names ROT-13 encoded Run count (starts at 6) Last run time (Windows FILETIME)

ROT-13 substitutes alphabetic characters with the character 13 further along in the alphabet (circular). So doing it a 2nd time returns the string to its original value. Numeric & punctuation data are unaffected 26

SAM Registry Hive Contents

User Name Security Identifier (SID) User Login Information

Group Information (List of groups and members)

Last Login Last Failed Login Login Count Password Policy

Administrators Users Remote Desktop Users

CurrentControlSet

There may be several sets of keys under System

ControlSet001 ControlSet002\ Etc.

Number of the most up-to-date one will be shown in SYSTEM\Select\Current

Time Zone

SYSTEM\CurrentControlSet\Control\TimeZon eInformation Some Forensic Tools (EnCase) will show all file times as the zone set on the workstation theyre run on This can be confusing, because many log files will be in either GMT or in local time for the subject system You can wind up with times from the same system in three different zones. This is a pain.

Enable/Disable Last Access Time

SYSTEM\CurrentControlSet\Control\File System\NtfsDisableLastAccessUpdate

0x1 = Access Timestamps Turned Off (default on Win7) 0x0 (or value doesnt exist, as on Win2K) = Access Timestamps Turned On

Process Path Verification

Windows Event Logs

NT/2K/XP/2K3

Vista/7/2K8

.evt files %systemroot%\System32\config SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others File Header/Magic Number in bytes 4-8 LfLe Header in 2nd 4 bytes of each record LfLe (same as file header) 2 timestamps per record (generated & recorded) UNIX Epoch time format .evtx files %systemroot%\System32\winevt\logs SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others Header in 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes) Logs can be sent to a remote log collector Binary XML format

File locations can be changed in the registry UNIX Epoch time = #seconds since 00:00 Jan 1st, 1970 GMT

Example Scenario: Domain user logs in to workstation and maps network file share

Domain user (Kerberos authentication, Win2K3 server environment) logs in to workstation and maps a network file share to a file server Events Logged:

Workstation

Domain Controller 672 authentication ticket granted

528 successful logon

File Server

673 service ticket granted (workstation) 673 service ticket granted (domain controller) 540 - Successful Network Logon 538 User Logoff 673 service ticket granted (file server) 540 - Successful Network Logon 538 User Logoff

Office Default Metadata Values

Title Subject Author Keywords Comments Template Last author Revision number Application name Last print date Creation date Last save time Total editing time Number of pages Number of words Number of characters

Security Category Format Manager Company Number of bytes Number of lines Number of paragraphs Number of slides Number of notes Number of hidden Slides Number of multimedia clips Hyperlink base Number of characters (with spaces)

Manual Examination of New (XML) Office Files (docx, xlsx, pptx)

Unzip the file (all the 2007+ Office files are actually zip archives of a file tree) Result will be a folder Examine the file docProps\app.xml under that extracted folder Metadata values will be encoded in XML

PDF Metadata

Typical XMP PDF Metadata Tags

Author Copyright CreationDate Creator (application name) Keywords Marked (boolean value) ModDate PDFVersion Producer (application name) Subject Title Trapped

The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files

Metadata in JPG Images

Newer digital cameras & phones often geotag images with GPS coordinates Can also potentially identify the specific camera that took a picture Lots of data about specific camera settings at the time the picture was taken Can sometimes identify photo editing software used to alter the image Some images carry an internal thumbnail which can be extracted

Typical Metadata in a Portable Executable File (exe/sys/dll)

Machine Type Time Stamp (compiled) PE Type Linker Version Code Size Initialized Data Size Uninitialized Data Size Entry Point OS Version Image Version Subsystem Version Subsystem (GUI/DOS/Native) File Version Number Product Version Number File Flags Mask

File Flags File OS Object File Type (app/dll) File Subtype Language Code Character Set Company Name File Description File Version Internal Name Legal Copyright Original Filename Product Name Product Version Product Date

Pre-Vista: Thumbs.db

Populated in any folder which has been at one time set to show thumbnails of included images & documents Hidden file, not viewed by most users and not cleaned out when files are removed from the folder Uses OLE compound document format (similar to Office 2K3 and previous) to store:

thumbnail picture of original image or first page of document last modification time original filename

Vista+: Thumbcache

Single, centrally stored file for each user

Located in <profile>\AppData\Local\Microsoft\Windows\Explorer All created when a folder is switched to thumbnail mode or views pictures in a slideshow Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers Numbered files store actual images, linking to files is done by idx file. Purpose of sr file not yet determined

Thumbcache_32.db (small) Thumbcache_96.db (medium) Thumbcache_256.db (large) Thumbcache_1024.db (extra large) Thumbcache_idx.db Thumbcache_sr.db

Email Forensics

In Transit: Simple Mail Transport Protocol (SMTP)

Remember that all headers added by systems before the earliest system you control could possibly have been spoofed PST/OST (Outlook) DBX (Outlook Express) EML/FOL (Windows Mail) MSF/no ext (Thunderbird) MBX/TOC (Eudora)

At Rest (various storage formats)

Useful SMTP Headers

Received

Message-ID

One added by each SMTP server in the forwarding chain Added by originating SMTP server Unique_identifier@originating_server Optional, added by originating MTA Should match earliest Received header

X-Originating-IP

X-Mailer

Optional Added by creating email client

Attachments

SMTP only allows text Enter Multimedia Internet Mail Extensions (MIME)

Message Segmentation Base64 encoded attachments in their own segments

Spoliation
The destruction or significant alteration of evidence, or the failure to preserve property for anothers use as evidence in pending or reasonably foreseeable litigation A party claiming Spoliation must demonstrate: The party having control of the evidence had an obligation to preserve it at the time it was destroyed The evidence was destroyed with a culpable state of mind The destroyed evidence was relevant to the partys claim or defense such that reasonable trier of fact could find that it would support that claim or defense

Six Phases of the Standard IR Model

1.

2.
3. 4. 5. 6.

Preparation (Important) Identification Containment Eradication Recovery Follow-Up and Lessons Learned (Even More Important)

Link/Shortcut Files (.LNK)

Whenever a file (local or remote) is opened using Explorer, a shortcut file is created:

<profile>\Recent (XP) <profile>\AppData\Roaming\Microsoft\ Windows\Recent (Vista/7) <profile>\AppData\Roaming\Microsoft\ Office\Recent (Vista/7)

Note: In Win7, the link may get created inside a jumplist file

Shortcut file contents

Begins with magic value 4C 00 00 00 (L NULL NULL NULL) Four byte file length at offset 34h (easy to carve) Timestamps from original file when shortcut last accessed Size from original file when shortcut last accessed Volume Info: Name, Type (HD, Removable, Remote, CD), Serial# Network Share Name, if any Long & short filename Original File Path FileLocation (ObjectID [contains MAC address]+ VolumeID)

Two different ones if file has been moved between 2 NTFS volumes

These files are really short, and so are typically resident in their MFT entry.

Prefetch/Superfetch Files (.pf)

Used to increase performance by preloading code pages for commonly used applications Referred to as superfetch in Vista/Win7 Found in %Windir%\Prefetch <Exename>-<8 char hash of path>.pf Prefetch not cleaned out when exe is removed Up to 128 of them can exist at a time

Data in .pf file

File Signature (beginning of file)

XP \x11\x00\x00\x00\x53\x43\x43\x41 (.SCCA) Vista/7 \x17\x00\x00\x00\x53\x43\x43\x41 (.SCCA)

Contains paths of all files & folders accessed by the program in the first 10 seconds Create time indicates when executable was first run Mod date & internal FILETIME indicate last time Run Count Volume path & serial # for all files referenced Prefetch\Layout.ini contains path information File Size: 4-byte quantity at offset 0x000c

Restore Points

Restore Points (XP) created by default every 24 hours so user can restore his system to a previous state if something goes wrong (boot to last known good state), kept 90 days by default Contain copies of all system files & registry entries changed since last restore point Found in C:\System Volume Information\_restore{GUID}\RP###\ Change.log (binary) file maps generic restore point filenames back to their original paths Rp.log last 8 bytes are Windows FILETIME for restore point creation date Snapshot subfolder contains copies of changed registry keys for all hives (only accessible by System on a live host)

Volume Shadow copy Service (VSS)

Vista/7 version of Restore Points, but much more pervasive Tracks all (aggregate) changes made to the filesystem since last Shadow Copy Literally allows entire filesystem or individual files or folders to be rolled back to a previous state Offline filesystem can be mounted as it existed at a previous date Only takes a snapshot periodically (Win7: weekly), not continually. Enabled by default. Typically limited to 15% of volume size

ShellBags: Another Great Registry Artifact

Windows explorer tracks in the registry when youve opened some folder and changed the way it appears on the desktop so it can be the same next time you open it Never cleaned up Binary format Registry keys include timestamp, so you can tell a date when specified folder was accessed. Tracks external shares & removable media, so you have a record of the folder structures on them

ShellBags: Another Great Registry Artifact

Location (XP)

Location (Vista/7)

HKU\*\Software\Microsoft\Shell\Bags HKU\*\Software\Microsoft\Shell\BagMRU HKU\*\Software\Microsoft\ShellNoRoam\Bags HKU\*\Software\Microsoft\ShellNoRoam\BagMRU HKU\*\Software\Microsoft\Windows\CurrentVersion\Explor er\StreamMRU HKU\*\Software\Microsoft\Windows\CurrentVersion\Explor er\RecentDocs

HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU HKU\*\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags HKU\*\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

NTUSER.DAT Hive

USRCLASS.DAT Hive

Windows 7 Jump Lists

Custom Destinations

Automatic Destinations

<profile>\AppData\Roaming\Microsoft\Windows\R ecent\CustomDestinations\ <AppID>.customDestinations-ms File contains embedded .LNK files which can be carved out, (LNK header is \x4c\x00\x00\x00\x01\x14\x02, file size is 4 bytes at offset 34h) and analyzed
<profile>\AppData\Roaming\Microsoft\Windows\R ecent\AutomaticDestinations\ <AppID>.automaticDestinations-ms Contained data is stored using Structured Storage Format, and can be parsed using MiTeCs Structured Storage Viewer, from which .LNK files can be exported directly

Windows 7 Jump Lists

Replaced the old Quick Launch toolbar from XP Allows user to pin a program to the taskbar for similar functionality Actual implementation substantially more complicated, similar to & used like the old My Recent Documents shortcuts.

Recent Items in the Win7 start menu goes to a folder that contains both shortcuts and Jump Lists

Another way to note opening or creation of files, or to identify previous existence of deleted or wiped files Records file access for specific applications Lists can contain up to several hundred items, though only a few are shown

USB Device & Activity Information

Vendor Model Version Capacity Serial Number (most, but not all) Last Drive Letter Volume Name (filesystem)

Volume Serial Number (filesystem) First Use First Use Since Last Reboot Last Use Other usage timestamps may be in restore points

USB Registry Keys & Values

HKLM\System\CurrentControlSet\Enum\USBS TOR

Subkey named Disk&Ven_<vendor name>&Prod_<product name>&Rev_<product version> Product name text may contain capacity and even color Under this subkey is another named with the devices unique serial number if any If the device has no serial number (non-standard conformant), Windows will create one with an & as the second character. Under the serial number key is a value named ParentIdPrefix (Vista/7 only, used to link to other data)

When was USB device first connected?

Plug and Play Log Files

XP - %windir%\setupapi.log Vista/7 %windir%\inf\setupapi.dev.log

Times in log are in the local timezone for the host Look for first entry for device serial number

Artifact Locations for IE (XP)

Bookmarks/Favorites

<profile>\Favorites
<profile>\Local Settings\History\History.IE5 <profile>\Local Settings\Temporary Internet Files\ Content.IE5 <profile>\Cookies

History (Hidden)

Cache (Hidden)

Cookies

Downloads

<profile>\Downloads

59

Artifact Locations for IE (Vista/Win7)

Bookmarks/Favorites

Cookies:

<profile>\Favorites

History: (Hidden)

<profile>\AppData\Roaming\Microsoft\Windows\Cookies <profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low

Cache: (Hidden)

<profile>\AppData\Local\Microsoft\Windows\History\History. IE5 <profile>\AppData\Local\Microsoft\Windows\History\Low\His tory.IE5

<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low <profile>\Downloads

Downloads

A word about profile locations

Not always in C:\Documents and Settings Registry configurable default profile locations. Check the following values

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ Default Public ProfilesDirectory System: Windows\System32\Config (default=ntuser.dat)

Builtin account profiles under %Windir% subfolders

System acct web artifacts = evidence of compromise

Index.dat Files

Binary format unchanged since IE 4 Different files use same name & format, but store different data Index.dat files exist in multiple places for tracking of: History Cookies Cache Data Difficult to remove because always locked, but IE settings can clear entries File Signature: Client UrlCache MMF Ver 5.2 Four byte file size starting at byte 28
62

Index.dat Record Types

Four types of record are known (the name of each is also its record signature)

URL - Indicate URIs that were actually requested REDR - Indicate browser was redirected to another site HASH - Hash indexes of the contents of the index.dat file (not useful) LEAK Result of attempt to delete entry while associated cache file is open (other mechanisms possible)
63

IE History

Designed for URL autocompletion Tracks all user browsing history for last 20 days by default If browsing history set to 0 days, still kept, but deleted on system shutdown or next day Also tracks Explorer access to local files For each URL or file, tracks last access timestamp & number of times accessed

Actual History Contents

Master index.dat file under History.IE5 Daily, Weekly, or (potentially) Monthly index.dat files under other folders Folders are named according to the date span covered by the contained file After the 6th day, aggregate daily history content is rolled up into a weekly file Actual files and folders cannot be seen in Windows GUI on live system, but can from the command line using dir /a

Index.dat Record (URL History)

Offset 0 4 8 16

Size Description 4 Signature/Magic Number (URL, REDR, HASH, LEAK) 4 # of 128 byte Blocks in record 8 LastModified FILETIME (URL) 8 LastAccessed FILETIME (URL)

66

IE Cache

Exists to speed up access by using previously obtained local copies of content which has not altered since accessed Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldnt have Also, the RFCs never formally stated SSL should not be cached Can include references to entries that have been removed in the meantime Cleared entries are wiped more effectively by IE7 and later

A word about cache usage

Some RFCs & Microsoft specifications clearly define what is supposed to be cached

RFC2616 (HTTP 1.1): cache-response-directive = nostore RFC1945 (HTTP 1.0): entries past expiration date not cached (less clear) MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE

Developers sometimes misinterpret the meaning of the specifications

For instance, no-cache (http 1.1) and Pragma: nocache (http 1.0) dont mean do not cache. Both mean send request for content even if cached

Older browser versions were very bad at properly interpreting and enforcing these specifications because of this

Cache Artifacts

Index.dat file under Content.IE5 Semirandomly named subfolders contain files with cached content Contain entries for cacheable URLs visited, each of which references a file that may or may not still exist Original filename with bracketed instance number before .ext Folders added in groups of four (if not, investigate why, could be data hiding location)

FYI: Other Temporary Internet Folders Subfolders (Not thoroughly researched)

AntiPhishing Content.MSO Not sure Local copy from external document linking in Office? Content.Outlook Attachment files opened directly in Outlook Content.Word Tempfiles created when Word used as editor for Outlook OLK5432 Unknown Others?

Index.dat Record (Cache URL)

Offset 0 4 8 16 24 92

Size Description 4 Signature/Magic Number (URL, REDR, HASH, LEAK) 4 # of 128 byte Blocks in record 8 LastModified FILETIME (URL) 8 LastAccessed FILETIME (URL) 4 Expiration FATTIME 4 Last Checked FATTIME
71

FATTIME
offset size 0 2 offset size Bit 0 (LSB) value 2 2 value 5 bits description date time description Day of the month

In little-endian the 16-bit date value corresponds to:

Bit 5
Bit 9 offset size

4 bits
7 bits value

Month 0x01 => January

Year 0x00 => 1980 description

In little-endian the 16-bit time value corresponds to:

Bit 0 (LSB)
Bit 5 Bit 11

5 bits
6 bits 5 bits

Seconds in 2 second intervals

Minutes Hours

IE Cookies

Cookies exist to add state information to web browser sessions Not all sites use them Small text files (persistent cookies) Session cookies in memory only Included data:

Issuing website Account on that site NTFS FILETIMEs Website specific data in cookie Some cookie data is encrypted & some is not

Index.dat Record (Cookie URL)

Offset 0 4 8 16 24 84 92

Size Description 4 Signature/Magic Number (URL, REDR, HASH, LEAK) 4 # of 128 byte Blocks in record 8 LastModified FILETIME (URL) (last changed by server) 8 LastAccessed FILETIME (URL) (last uploaded) 4 Expiration FATTIME 4 Hits (times uploaded) 74 4 Last Checked FATTIME

Sample Google Analytics Tracking Cookie __utma (Timestamps in UNIX Epoch Time)

Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N

XXXX Hash of clients domain RRRR Random unique ID for client (this is what makes it a tracking cookie) FFFF Date of first visit to site (probably following the last clear of cookies) PPPP Timestamp of previous (last) visit CCCC Current timestamp N Number of sessions since first visit (Incremented each time new session started after first)

IE Downloads

Often saved to default locations

XP default download folder defined by registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory Defaults to the users desktop Vista/Win7 uses <profile>\Downloads\ as default If file opened rather than saved, temp copy created in IE cache folder, never cleaned unless manually IE9 has separate index.dat for downloads

IE Auto-Complete (other than history)

Typed URLs registry key maintains list of last 25 URLs typed by the user

HKU\*\Software\Microsoft\InternetExplorer\Ty pedURLs

IE Auto-Complete (other than history)

Protected Storage (IE4-6; Also used by Outlook Express & MSN Explorer)

Form Autofill Field Data Accounts & Passwords (Web, FTP, Others)[checkbox] Encrypted on disk but not in memory. Trivial to acquire from live system, & crackable from a dead one (IE4-6) HKU\*\Software\Microsoft\Protected Storage System Provider\<SID>

(IE7+) HKU\*\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Encrypted But key is name of website

Changes in Vista/Win7

As mentioned previously, file locations have changed Protected Mode web browsing is performed as an unprivileged user

This is where the 2nd Low filename comes from in the various file artifacts There are two sets because not all operations use Protected Mode IE7-9 all support Protected Mode on Vista/Win7

IE8/9 Automatic Crash Recovery

Complete activity tracking for current & previous session Enabled by default (even in InPrivate Mode). Deleted (but often recoverable) when History cleared Information tracked:

Tabs Open List of websites viewed in each tab, with referrers for each Session end time Time each tab was opened (Only if a crash occurred or if for some other reason files are still present in the Active folder) Code from the page Form data & Other artifacts

IE8/9 Crash Recovery Folders

XP (IE8 Only)

Vista/Win7

<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active <profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active Current: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active Previous: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active

Files have .dat extension & are stored in Structured Storage Format

Like Jump Lists, can be examined using MiTeC Structured Storage Viewer

IE8/9 Suggested Sites

Opt-in or out at install time Data located in <profile>\AppData\Local\Microsoft\Wind ows\Temporary Internet Files\Low\SuggestedSites.dat Tracks all sites visited to suggest similar ones Does not track local, HTTPS, or InPrivate browsing Normally deleted when history is, but may get out of sync. May not be handled by 3rd party wiping utilities.

SuggestedSites.dat

Starts out 5M in size Records Include in order:

URL of visited page (null terminated) Title of visited page (null terminated) URL of referring page (null terminated) 5 unknown bytes Windows FILETIME when page visited

Could probably write a simple perl or python script to parse Unknown binary format, so view with a hex editor Didnt test this myself. All direct data from Internet sources

IE8/9 InPrivate (Porn) Browsing Mode

So whats left?

Recover deleted cache files Session Recovery files (& deleted session recovery files) Incompletely cleaned remnants from index.dat Network traffic or proxy logs Data from memory if you can get it

IE Browser Helper Objects

A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window. HKLM\SOFTWARE\Microsoft\Windows\CurrentVe rsion\Explorer\Browser Helper Objects\<CLSID> Details of BHO under

HKLM\SOFTWARE\Classes\CLSID\<CLSID>

Flash Cookies/Local Shared Objects

Potentially much larger that regular cookies Not cleared when they are. .SOL file extension Usually stored in folders under:

Vista/Win7: <profile>\AppData\Roaming\Macromedia\Flash Player XP: <profile>\Application Data\Macromedia\Flash Player

Sometimes found in other locations Until recent updates, no easy way to clear

Java Downloads

Another separate application, but potentially runs downloaded code Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common Cache folder:

XP: <profile>\Application Data\Sun\Java\Deployment\cache\6.0 Vista/Win7: <profile>\AppData\LocalLow\Sun\Java\Deplo yment\cache\6.0\6

Java Downloads

IDX files in this cache are Java applet cache indexes Included data:

Filename URL downloaded from IP of source host last modified date downloaded date

IE8/9 DOM Storage

HTML 5.0 equivalent to Flash Cookies Located in XML files and Index.dat under:

XP: <profile>\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore Vista/Win7: <profile>\AppData\Local\Microsoft\Intern et Explorer\DOMStore

Basic Types of Searching

Regular: Actually searches in realtime after search terms are defined Indexed: Preprocesses data to extract indexes of all strings, then uses these indexes to optimize searching.

Implementations vary & frequently produce false negatives (Examples: Nuix, Dtsearch, EnCase, FTK) Much faster than regular searches once index is constructed A very useful tool, but not something to depend on

Composing Search Terms

Always search for unicode as well as ASCII. This is used in many places by Windows. You may also want to use caseinsensitive mode Use regular expression syntax to filter out false positives for short keywords, to match values that cant be expressed in normal ASCII, or to match abstract patterns such as credit card numbers, SSNs, or IP addresses

Regular Expressions

Exact supported syntax varies from tool to tool, but in general, the following primitives should work:

. - match any single character [] Defines a character class, a list of characters inside the brackets which will match in this character position (may contain inclusive ranges such as a-z) [^] Defines a negated character class, a list of characters after the carat which will not match in this character position (may contain inclusive ranges such as a-z) * - 0 or more repeats of the element in the preceding position + - 1 or more repeats of the element in the preceding position ? 0 or 1 repeats of the element in the preceding position {m,n} - minimum of m or maximum of n repeats of the element in the preceding position () - grouping of elements | - alternation of preceding and following elements (either/or) \ - escape of a literal metacharacter such as any of the following []-^*+?(){}\ in contexts where they would otherwise be interpreted as specified above

Important Things Extractable from Memory

Registry Keys & Values Password Hashes Process List Loaded DLL lists for each process Open net connections & sockets Cmd.exe history

Questions?

94