Week 8
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under the conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Announcements
We will be spending some of the last class period (Week 10) reviewing for the final
Quiz #2 Review
Without doing these phases properly, there's generally no improvement over time.
IR is a continuous process, not an isolated event.
Windows Event Log Record (also the magic value for the file)

NT/2K/XP/2K3:
.evt files in %systemroot%\System32\config
SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others
File header/magic number in bytes 4-8: LfLe
Header in the 2nd 4 bytes of each record: LfLe (same as the file header)
2 timestamps per record (generated & recorded), UNIX epoch time format

Vista/7/2K8:
.evtx files in %systemroot%\System32\winevt\logs
SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
Header in the 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
Binary XML format
Logs can be sent to a remote log collector

File locations can be changed in the registry.
UNIX epoch time = number of seconds since 00:00 Jan 1st, 1970 GMT
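As an added example (not from the original slides), the following Python walks a .evt file using the LfLe magic and the two UNIX-epoch timestamps described above; the field offsets after the magic follow the Windows EVENTLOGRECORD layout, and the sample image is constructed inline.

```python
import struct
from datetime import datetime, timezone

EVT_MAGIC = b"LfLe"   # bytes 4-8 of the .evt file header and of every record

def parse_evt_record(data, offset):
    """Parse the fixed part of one .evt record (EVENTLOGRECORD layout, little-endian):
    0 length, 4 'LfLe', 8 record number, 12 TimeGenerated, 16 TimeWritten
    (both UNIX epoch seconds), 20 EventID, 24 EventType, 26 NumStrings, 28 Category."""
    if data[offset + 4:offset + 8] != EVT_MAGIC:
        raise ValueError("no LfLe magic at record offset %d" % offset)
    (length, _, recnum, t_gen, t_wr, event_id,
     ev_type, nstrings, category) = struct.unpack_from("<I4sIIIIHHH", data, offset)
    return {
        "length": length,
        "record_number": recnum,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
        "time_written": datetime.fromtimestamp(t_wr, tz=timezone.utc),
        "event_id": event_id & 0xFFFF,  # low 16 bits are the familiar event number
        "event_type": ev_type,
        "num_strings": nstrings,
        "category": category,
    }

def iter_evt_records(data):
    """Yield records in file order: the header's first 4 bytes give its size (0x30),
    so the first record starts there, and each record's length chains to the next.
    Stops at the end-of-file marker record, whose bytes 4-8 are not 'LfLe'."""
    if data[4:8] != EVT_MAGIC:
        raise ValueError("not an .evt file: bytes 4-8 are not LfLe")
    pos = struct.unpack_from("<I", data, 0)[0]
    while pos + 8 <= len(data) and data[pos + 4:pos + 8] == EVT_MAGIC:
        rec = parse_evt_record(data, pos)
        yield rec
        pos += rec["length"]

def build_sample_evt():
    """Constructed test image: a 0x30-byte header and two minimal records
    (no SID, strings or data; each record ends with its length repeated)."""
    header = struct.pack("<I4s", 0x30, EVT_MAGIC).ljust(0x30, b"\0")

    def record(recnum, t_gen, t_wr, event_id):
        names = "Test\0HOST\0".encode("utf-16-le")   # source name, computer name
        length = 56 + len(names) + 4
        fixed = struct.pack("<I4sIIIIHHHHIIIIII", length, EVT_MAGIC, recnum, t_gen,
                            t_wr, event_id, 4, 0, 0, 0, 0, length - 4, 0, length - 4,
                            0, length - 4)
        return fixed + names + struct.pack("<I", length)

    # 1325376000 = 2012-01-01 00:00:00 UTC (constructed timestamps)
    return (header + record(1, 1325376000, 1325376001, 4624)
            + record(2, 1325376060, 1325376060, 4634))

if __name__ == "__main__":
    for rec in iter_evt_records(build_sample_evt()):
        print(rec["record_number"], rec["event_id"], rec["time_generated"].isoformat())
```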
You should know, at least vaguely, what sorts of metadata may be available in various common document formats. I might have asked about other file types.
You might go back and take another look at this section in week 4.
Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters
Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)
These two formats (OST and PST) are closely related to one another. Various utilities can convert OST to PST. These are the most common Windows mail formats in corporate examinations.
Prefetch file
Contains paths of all files & folders accessed by the program in the first 10 seconds
Create time indicates when the executable was first run
Mod date & internal FILETIME indicate the last run time
Run count
Volume path & serial # for all files referenced
Prefetch\Layout.ini contains path information
File size: 4-byte quantity at offset 0x000c
Jumplist Contents
Custom Destinations:
<profile>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<AppID>.customDestinations-ms
File contains embedded .LNK files which can be carved out (each begins with the LNK header \x4c\x00\x00\x00\x01\x14\x02; size is 4 bytes at offset 34h) and analyzed

Automatic Destinations:
<profile>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<AppID>.automaticDestinations-ms
Contained data is stored using Structured Storage Format and can be parsed using MiTeC's Structured Storage Viewer, from which .LNK files can be exported directly

Lists may contain up to several hundred items, though the user only sees a few
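As an added example (not part of the original slides), this Python carves embedded .LNK files out of a customDestinations-ms blob by the header signature named above and decodes the fixed header fields, including the 4-byte size at offset 34h; the full 20-byte signature (header size plus the shell link CLSID) and the header field offsets come from the public ShellLinkHeader layout, and the input blob is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# 4-byte header size 0x4C followed by the LNK CLSID {00021401-0000-0000-C000-000000000046}
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
LNK_HEADER_SIZE = 0x4C

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 = unset."""
    return None if ft == 0 else datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def carve_lnk(blob):
    """Return every embedded .LNK as bytes, from one header signature up to the next
    one (or end of file). The true length of a shell link is only known after walking
    its variable-length structures, so this simple carve may include trailing slack."""
    starts, pos = [], blob.find(LNK_HEADER)
    while pos != -1:
        starts.append(pos)
        pos = blob.find(LNK_HEADER, pos + 1)
    return [blob[s:e] for s, e in zip(starts, starts[1:] + [len(blob)])]

def parse_lnk_header(lnk):
    """Fixed ShellLinkHeader fields: LinkFlags @0x14, FileAttributes @0x18,
    creation/access/write FILETIMEs @0x1C/0x24/0x2C, FileSize @0x34 (the 4-byte
    size at offset 34h is the size of the link target, not of the .LNK itself)."""
    if len(lnk) < LNK_HEADER_SIZE or not lnk.startswith(LNK_HEADER):
        raise ValueError("not a complete LNK header")
    flags, attrs = struct.unpack_from("<II", lnk, 0x14)
    created, accessed, written = struct.unpack_from("<QQQ", lnk, 0x1C)
    target_size = struct.unpack_from("<I", lnk, 0x34)[0]
    return {"flags": flags, "attributes": attrs,
            "created": filetime_to_datetime(created), "accessed": filetime_to_datetime(accessed),
            "written": filetime_to_datetime(written), "target_size": target_size}

def build_sample_customdestinations():
    """Constructed test blob: filler bytes around two minimal LNK headers."""
    def lnk(unix, target_size):
        ft = (unix + 11644473600) * 10_000_000        # UNIX seconds -> FILETIME
        hdr = bytearray(LNK_HEADER_SIZE)
        hdr[0:len(LNK_HEADER)] = LNK_HEADER
        struct.pack_into("<II", hdr, 0x14, 0x01, 0x20)  # HasLinkTargetIDList, FILE_ATTRIBUTE_ARCHIVE
        struct.pack_into("<QQQ", hdr, 0x1C, ft, ft, ft)
        struct.pack_into("<I", hdr, 0x34, target_size)
        return bytes(hdr)
    return (b"\0" * 16 + lnk(1325376000, 1234)          # 2012-01-01 00:00 UTC
            + b"\xff" * 8 + lnk(1325462400, 98765))       # 2012-01-02 00:00 UTC
```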
512 is the sector size (not the cluster size; a bunch of people made this mistake). What's a sector (anybody?)
A sector is the minimum disk access/allocation unit; a cluster is the minimum filesystem access/allocation unit.
mmls returns the volume/partition offset in sectors from the beginning of the disk; the mount command requires the volume/partition offset in bytes from the beginning of the disk.
A few more words about Volume Shadow Copies
When a VSC is created, all Windows does is allocate a place to save overwritten disk clusters. Subsequently, whenever a cluster is written (but only if it hasn't been written to since the VSC was created), that cluster is first copied into this VSC area by the VSCS. So the VSC will always contain an old copy of all clusters that have been written at least once since the VSC was created.
Viewing VSCs
When we do the mklink to point at the VSC, we're doing a virtual mount trick similar to what we do to examine images in the SIFT Kit. Windows virtually substitutes back all the old copies of overwritten clusters in that view, so the disk (except for the VSC area itself?) now appears exactly as it did when the VSC was created. Consider though: what happens if the VSCS is disabled for some period of time?
Browser Forensics
Includes anything that uses the WinInet API. Technically goes back to version 3, but I'm not going to torture you with Windows 3.1, 95, or NT.
Other browsers: Firefox (1.5-10), Safari (3-5) [older versions Mac only], Chrome (1-18), Opera (2-11)
Market share: Internet Explorer 20.1%, Firefox 37.1%, Chrome 35.3%, Safari 4.3%, Opera 2.4%
Content types: Text, HTML (3-5), Images (GIF, JPG, PNG, BMP), Video (MPEG, Flash), Plugins for virtually anything

What sites were visited? How many times? When? (last, others)
What sites were saved by the user?
What files were downloaded?
What usernames & credentials were used?
What searches did the user run?
What information did the user exchange with the site?
There are lots of hidden files and folder structures in Windows. Like with the registry, monkeying around in these locations can break things. To view them:
Open the Folder Options Control Panel, select "Show hidden files and folders", and uncheck "Hide protected OS files".
Internet Explorer
6.0: Released with XP. Well past its sell-by date, yet still encountered frequently, especially in corporate environments
7.0: Released on Vista (won't run on Win2K)
8.0: Released on Win7
9.0: Won't run on XP. Last to use the common db (index.dat) format
10.0: Released on Win8. Whole new ballgame
Later versions have significant differences
XP:
Bookmarks/Favorites: <profile>\Favorites
History: <profile>\Local Settings\History\History.IE5
Cache: <profile>\Local Settings\Temporary Internet Files\Content.IE5
Cookies: <profile>\Cookies
Downloads: <profile>\Downloads
Vista/Win7:
Bookmarks/Favorites: <profile>\Favorites
History: <profile>\AppData\Local\Microsoft\Windows\History\History.IE5 and <profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5
Cache: <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 and <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low
Cookies: <profile>\AppData\Roaming\Microsoft\Windows\Cookies and <profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low
Downloads: <profile>\Downloads
Not always in C:\Documents and Settings. Default profile locations are registry configurable; check the following values under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
Default, Public, ProfilesDirectory
Built-in account profiles such as System are under various %Windir% folders, e.g. Windows\System32\Config
Index.dat Files
Binary format unchanged since IE 4
Different files use the same name & format, but store different data
Index.dat files exist in multiple places for tracking of: History, Cookies, Cache data
Difficult to remove because always locked, but IE settings can clear entries
File signature: Client UrlCache MMF Ver 5.2
Four-byte file size starting at byte 28
Record types:
URL - Indicates URIs that were actually requested
REDR - Indicates the browser was redirected to another site
HASH - Hash indexes of the contents of the index.dat file (not useful)
LEAK - Result of an attempt to delete an entry while the associated cache file is open (other mechanisms possible)
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
Index.dat Timestamps
Modified time should be when the web server last updated the file; Accessed time should be when the file was last downloaded.
However, actual timestamp usage varies depending on exactly what kind of index.dat file the data is contained within.
IE History
XP Location:
<profile>\Local Settings\History\History.IE5
Vista/Win7 Location:
<profile>\AppData\Local\Microsoft\Windows\History\History.IE5
<profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5
(we'll get to why you can't see this folder normally in a minute)
IE History
Designed for URL autocompletion
Tracks all user browsing history for the last 20 days by default
If browsing history is set to 0 days, it is still kept, but deleted on system shutdown or the next day
Also tracks Explorer access to local files
For each URL or file, tracks the last access timestamp & number of times accessed
Shows human-readable content
Folders or individual entries can be manipulated/deleted directly
Changes made here are propagated to the underlying index.dat files by Windows
Last Accessed time shown is in the local system timezone
Master index.dat file under History.IE5
Daily, weekly, or (potentially) monthly index.dat files under other folders
Folders are named according to the date span covered by the contained file
After the 6th day, aggregate daily history content is rolled up into a weekly file
Actual files and folders cannot be seen in the Windows GUI on a live system, but can from the command line using dir /a
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
IE Cache
XP Location:
<profile>\Local Settings\Temporary Internet Files\Content.IE5
Vista/Win7 Location:
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low
IE Cache
Exists to speed up access by using previously obtained local copies of content which has not altered since it was accessed
Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldn't have
Also, the RFCs never formally stated that SSL content should not be cached
Can include references to entries that have been removed in the meantime
Cleared entries are wiped more effectively by IE7 and later
Some RFCs & Microsoft specifications clearly define what is supposed to be cached:
RFC2616 (HTTP 1.1): cache-response-directive = no-store
RFC1945 (HTTP 1.0): entries past their expiration date are not cached (less clear)
MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE
Older browser versions were very bad at properly interpreting and enforcing these specifications, because of this: for instance, no-cache (HTTP 1.1) and Pragma: no-cache (HTTP 1.0) don't mean "do not cache". Both mean "send a request for the content even if it is cached".
IE Cache Size
Cache Artifacts
Index.dat file under Content.IE5
Semi-randomly named subfolders contain files with cached content
Contains entries for cacheable URLs visited, each of which references a file that may or may not still exist
Original filename with bracketed instance number before .ext
Folders are added in groups of four (if not, investigate why; could be a data hiding location)
Cache Subfolders
AntiPhishing
Content.MSO: Not sure. Local copy from external document linking in Office?
Content.Outlook: Attachment files opened directly in Outlook
Content.Word: Temp files created when Word is used as the editor for Outlook
OLK5432: Unknown
Others?
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
92      4     Last Checked FATTIME
FATTIME (4 bytes)
Offset  Size  Description
0       2     date
2       2     time

Date word:
Bit 0 (LSB)  5 bits  Day of the month
Bit 5        4 bits  Month
Bit 9        7 bits  Year (offset from 1980)

Time word:
Bit 0 (LSB)  5 bits  Seconds / 2
Bit 5        6 bits  Minutes
Bit 11       5 bits  Hours
Modified: When content was last saved to the cache file (UTC)
Accessed: When content was last viewed in the browser (UTC)
Expiration: Set by the server to ensure content is retrieved again if accessed after the specified date (UTC)
Last Checked: When the site was last compared to the cache. By default, same as last access, but modified browser settings could prevent the recheck (UTC)
IE Cookies
XP Location:
<profile>\Cookies
Vista/Win7 Location:
<profile>\AppData\Roaming\Microsoft\Windows\Cookies
<profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low
IE Cookies
Cookies exist to add state information to web browser sessions
Not all sites use them
Small text files (persistent cookies)
Session cookies in memory only
Included data:
Issuing website
Account on that site
NTFS FILETIMEs
Website-specific data in the cookie
Some cookie data is encrypted & some is not
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
84      4     Hits
92      4     Last Checked FATTIME

Last Accessed: Last time the cookie was uploaded
Last Modified: Last time the website modified the cookie
Last Checked: Last time the cookie expiration was checked
Expiration: Date after which the cookie will no longer be accepted
Hits: How many times the cookie was uploaded
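As an added example (not from the original slides), this Python decodes index.dat records using the record offsets from the history, cache and cookie tables above (signature, block count, the two FILETIMEs, expiration, hits, last checked) together with the FATTIME bit layout, and locates records by testing each 128-byte block boundary; the sample file is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

FILE_SIGNATURE = b"Client UrlCache MMF Ver 5.2"
RECORD_SIGNATURES = (b"URL ", b"REDR", b"HASH", b"LEAK")
BLOCK_SIZE = 128

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 = unset."""
    return None if ft == 0 else datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def fattime_to_datetime(date_word, time_word):
    """FATTIME: date word = day (bits 0-4), month (5-8), year-1980 (9-15);
    time word = seconds/2 (bits 0-4), minutes (5-10), hours (11-15). 0 = unset."""
    if date_word == 0:
        return None
    day, month, year = date_word & 0x1F, (date_word >> 5) & 0x0F, 1980 + (date_word >> 9)
    sec, minute, hour = (time_word & 0x1F) * 2, (time_word >> 5) & 0x3F, time_word >> 11
    return datetime(year, month, day, hour, minute, sec, tzinfo=timezone.utc)

def parse_record(data, offset):
    """Fixed fields of one record at the slide offsets: 0 signature, 4 block count,
    8/16 LastModified/LastAccessed FILETIME, 24 expiration FATTIME, 84 hits
    (cookie index), 92 last-checked FATTIME. Only URL records carry timestamps."""
    sig = data[offset:offset + 4]
    if sig not in RECORD_SIGNATURES:
        raise ValueError("no record signature at offset %d" % offset)
    nblocks = struct.unpack_from("<I", data, offset + 4)[0]
    rec = {"signature": sig.decode("ascii").strip(), "offset": offset, "size": nblocks * BLOCK_SIZE}
    if sig == b"URL ":
        modified, accessed = struct.unpack_from("<QQ", data, offset + 8)
        exp_date, exp_time = struct.unpack_from("<HH", data, offset + 24)
        hits = struct.unpack_from("<I", data, offset + 84)[0]
        chk_date, chk_time = struct.unpack_from("<HH", data, offset + 92)
        rec.update(last_modified=filetime_to_datetime(modified),
                   last_accessed=filetime_to_datetime(accessed),
                   expiration=fattime_to_datetime(exp_date, exp_time), hits=hits,
                   last_checked=fattime_to_datetime(chk_date, chk_time))
    return rec

def scan_index_dat(data):
    """Verify the file signature, read the 4-byte file size at byte 28, then test every
    128-byte block boundary for a record signature (simple carving, so LEAK and
    orphaned records are found as well as live ones)."""
    if not data.startswith(FILE_SIGNATURE):
        raise ValueError("not a 'Client UrlCache MMF Ver 5.2' index.dat")
    file_size = struct.unpack_from("<I", data, 28)[0]
    records, pos = [], 0
    while pos + 8 <= min(file_size, len(data)):
        if data[pos:pos + 4] in RECORD_SIGNATURES:
            rec = parse_record(data, pos)
            records.append(rec)
            pos += max(rec["size"], BLOCK_SIZE)
        else:
            pos += BLOCK_SIZE
    return records

def build_sample_index_dat():
    """Constructed 4-block test image: header block, a 2-block URL record, a LEAK record."""
    def ft(unix):                                   # UNIX seconds -> FILETIME
        return (unix + 11644473600) * 10_000_000
    header = FILE_SIGNATURE.ljust(28, b"\0") + struct.pack("<I", 4 * BLOCK_SIZE)
    url = bytearray(2 * BLOCK_SIZE)
    url[0:8] = b"URL " + struct.pack("<I", 2)
    struct.pack_into("<QQ", url, 8, ft(1325376000), ft(1325376060))   # 2012-01-01 00:00 / 00:01 UTC
    struct.pack_into("<HH", url, 24, (32 << 9) | (1 << 5) | 2, (12 << 11) | (30 << 5))  # 2012-01-02 12:30
    struct.pack_into("<I", url, 84, 7)
    leak = (b"LEAK" + struct.pack("<I", 1)).ljust(BLOCK_SIZE, b"\0")
    return header.ljust(BLOCK_SIZE, b"\0") + bytes(url) + leak
```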
I put this in the IE section simply because cookie data is so easy to get at there. Other browsers typically use storage methodologies that require more effort to extract data from.
Google Analytics cookies are used by many sites to track access. Lots of sites use completely custom cookie data or encrypt it, but always take a look. You may be surprised what you can find there.
I've seen an example of Mapquest.com actually storing unencrypted location history (physical addresses) there.
__utma
XXXX: Hash of client's domain
RRRR: Random unique ID for client
FFFF: Date of first visit to site (probably following the last clear of cookies)
PPPP: Timestamp of previous (last) visit
CCCC: Current timestamp
N: Number of sessions since first visit (incremented each time a new session is started after the first)
__utmb
XXXX = The domain hash
P = Pages of the site viewed in the most recent session
C = Timestamp of the most recent session
__utmz
XXXX: Hash of client's domain
TTTT: Timestamp when cookie last set
V: Total visitor sessions (supposed to be the same as the last # in __utma)
S: Count of different referrers followed to this site
utmcsr={source}: Last referrer domain
utmccn={campaign}: Ad followed, if any
utmcmd={medium}: Search channel information (paid ad, etc.)
utmctr={keyword}: Search term used to find the site
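As an added example (not part of the original slides), this Python reads an IE persistent cookie text file and decodes the __utma, __utmb and __utmz fields laid out above. The nine-lines-per-cookie layout (name, value, host/path, flags, expiry FILETIME low/high, creation FILETIME low/high, "*") is the IE cookie text format as I understand it and is an assumption here; the sample file and its values are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

def _unix(value):
    """GA cookie timestamps are UNIX epoch seconds."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def parse_utma(value):
    """__utma = XXXX.RRRR.FFFF.PPPP.CCCC.N (domain hash, visitor id, first visit,
    previous visit, current visit, session count)."""
    h, rid, first, prev, cur, n = value.split(".")
    return {"domain_hash": h, "visitor_id": rid, "first_visit": _unix(first),
            "previous_visit": _unix(prev), "current_visit": _unix(cur), "sessions": int(n)}

def parse_utmb(value):
    """__utmb = XXXX.P.C as on the slide; newer cookies insert an extra field
    (usually 10) before the timestamp, so read the first, second and last parts."""
    parts = value.split(".")
    return {"domain_hash": parts[0], "pages": int(parts[1]), "session_start": _unix(parts[-1])}

def parse_utmz(value):
    """__utmz = XXXX.TTTT.V.S.utmcsr=..|utmccn=..|utmcmd=..|utmctr=.."""
    h, ts, v, s, campaign = value.split(".", 4)
    kv = dict(item.split("=", 1) for item in campaign.split("|") if "=" in item)
    return {"domain_hash": h, "set_time": _unix(ts), "sessions": int(v), "sources": int(s),
            "referrer": kv.get("utmcsr"), "campaign": kv.get("utmccn"),
            "medium": kv.get("utmcmd"),
            "keyword": unquote(kv["utmctr"]) if "utmctr" in kv else None}

GA_PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}

def parse_ie_cookie_file(text):
    """Assumed IE cookie text layout, nine lines per cookie: name, value, host/path,
    flags, expiry FILETIME low, high, creation FILETIME low, high, '*' terminator."""
    def filetime(low, high):
        ft = (int(high) << 32) | int(low)
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    cookies, lines = [], text.splitlines()
    for i in range(0, len(lines) - 8, 9):
        name, value, host, flags, e_lo, e_hi, c_lo, c_hi, star = lines[i:i + 9]
        if star != "*":
            raise ValueError("cookie record %d not terminated by '*'" % (i // 9))
        cookies.append({"name": name, "value": value, "host": host, "flags": int(flags),
                        "expires": filetime(e_lo, e_hi), "created": filetime(c_lo, c_hi),
                        "parsed": GA_PARSERS[name](value) if name in GA_PARSERS else None})
    return cookies

def build_sample_cookie_file():
    """Constructed cookie file with three GA cookies for one site."""
    def ft_words(unix):                      # UNIX seconds -> FILETIME as 'low\nhigh'
        ft = (unix + 11644473600) * 10_000_000
        return "%d\n%d" % (ft & 0xFFFFFFFF, ft >> 32)
    created, expires = ft_words(1325376000), ft_words(1388534400)   # 2012-01-01, 2014-01-01
    def rec(name, value):
        return "%s\n%s\nexample.com/\n1536\n%s\n%s\n*" % (name, value, expires, created)
    return "\n".join([
        rec("__utma", "123456789.987654321.1325376000.1325462400.1325548800.3"),
        rec("__utmb", "123456789.5.10.1325548800"),
        rec("__utmz", "123456789.1325548800.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=incident%20response"),
    ]) + "\n"
```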
IE Favorites (<profile>\Favorites)
Stored as .URL files
Contains the complete target URL
File timestamps show creation, last written, and last accessed times
It's also possible to import favorites from other sources, so timestamps may reflect that instead of their actual creation by the user
IE Downloads
XP default download folder is defined by the registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory; defaults to the user's desktop
Vista/Win7 uses <profile>\Downloads\ as the default
If a file is opened rather than saved, a temp copy is created in the IE cache folder and never cleaned unless done manually
IE9 has a separate index.dat for downloads
The TypedURLs registry key maintains a list of the last 25 URLs typed by the user:
HKU\*\Software\Microsoft\Internet Explorer\TypedURLs
#1 is the most recent
Protected Storage (IE4-6; also used by Outlook Express & MSN Explorer)
Form autofill field data
Accounts & passwords (Web, FTP, others)
Encrypted on disk but not in memory. Trivial to acquire from a live system, & crackable from a dead one (IE4-6)
HKU\*\Software\Microsoft\Protected Storage System Provider\<SID>
These are great for use in cracking attempts against encrypted files, since people often reuse the same passwords elsewhere
You will rarely be authorized to log into the other accounts referenced
You can provide usernames to legal for subpoena generation from other account providers
Changes in Vista/Win7
As mentioned previously, file locations have changed
Protected Mode web browsing is performed as an unprivileged user
This is where the 2nd "Low" filename comes from in the various file artifacts
There are two sets because not all operations use Protected Mode
IE7-9 all support Protected Mode on Vista/Win7
Changes in IE7
Moved away from Protected Storage use
Added the Delete All button to clear browser artifacts
When clearing entries, IE6 did a poor job of cleaning out index.dat records. IE7 does a more thorough job, but some records can still be retrieved.
Changes in IE8/9
New Artifacts
Complete activity tracking for the current & previous session
Enabled by default (even in InPrivate Mode). Deleted (but often recoverable) when History is cleared
Information tracked:
Tabs open
List of websites viewed in each tab, with referrers for each
Session end time
Time each tab was opened (only if a crash occurred or if for some other reason files are still present in the Active folder)
Code from the page
Form data & other artifacts
XP (IE8 only):
Current: <profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active
Previous: <profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active
Vista/Win7:
Current: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
Previous: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active
Files have .dat extension & are stored in Structured Storage Format
Like Jump Lists, can be examined using MiTeC Structured Storage Viewer
Each TL# stream is a different site visited in this tab. Each includes the following data in Unicode (complete format not well understood):
Full path & referring path
Page code to reconstruct
Form data and other data, possibly including passwords
TravelLog contains forward/back button use, but there's no reference for the format
File signature: D0CF11E0A1B11AE1
No easy way to find the total size of the file
Can still carve; just allow a larger than expected file size
Suggested Sites
Opt-in or out at install time
Data located in <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat
Tracks all sites visited to suggest similar ones
Does not track local, HTTPS, or InPrivate browsing
Normally deleted when history is, but may get out of sync. May not be handled by 3rd party wiping utilities.
SuggestedSites.dat
URL of visited page (null terminated)
Title of visited page (null terminated)
URL of referring page (null terminated)
5 unknown bytes
Windows FILETIME when page visited
Could probably write a simple Perl or Python script to parse it
Unknown binary format, so view with a hex editor
Didn't test this myself. All direct data from Internet sources
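As an added example (not from the original slides, and untested against a real file just as the slide says), this Python parses SuggestedSites.dat records using exactly the layout listed above; the string encoding is an assumption (UTF-16LE by default, selectable), and the sample data is constructed in that layout.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def read_cstring(buf, pos, encoding):
    """Read a null-terminated string at pos; returns (text, position after the terminator).
    UTF-16 strings are scanned in 2-byte steps so an embedded 0x00 byte is not a terminator."""
    width = 2 if encoding.startswith("utf-16") else 1
    end = pos
    while buf[end:end + width] not in (b"", b"\0" * width):
        end += width
    return buf[pos:end].decode(encoding), end + width

def parse_suggested_sites(data, encoding="utf-16-le"):
    """Walk SuggestedSites.dat using the record layout from the slide: URL, title and
    referrer (each null terminated), 5 unknown bytes, FILETIME of the visit.
    The string encoding is an assumption; pass encoding="ascii" if the hex view
    shows single-byte strings. Parsing stops at the first truncated record."""
    records, pos = [], 0
    while pos < len(data):
        url, pos = read_cstring(data, pos, encoding)
        title, pos = read_cstring(data, pos, encoding)
        referrer, pos = read_cstring(data, pos, encoding)
        if pos + 13 > len(data):          # 5 unknown bytes + 8-byte FILETIME missing
            break
        unknown = data[pos:pos + 5]
        ft = struct.unpack_from("<Q", data, pos + 5)[0]
        pos += 13
        records.append({"url": url, "title": title, "referrer": referrer,
                        "unknown": unknown.hex(), "visited": filetime_to_datetime(ft)})
    return records

def build_sample_suggested_sites():
    """Constructed test data: two records in the assumed layout (UTF-16LE strings)."""
    def rec(url, title, referrer, unix):
        strings = "".join(s + "\0" for s in (url, title, referrer)).encode("utf-16-le")
        ft = (unix + 11644473600) * 10_000_000          # UNIX seconds -> FILETIME
        return strings + b"\x01\x00\x00\x00\x00" + struct.pack("<Q", ft)
    return (rec("http://www.example.com/", "Example Domain", "", 1325376000)
            + rec("http://www.example.org/page", "A page", "http://www.example.com/", 1325376600))
```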
InPrivate Browsing
When used, opens a new browser session that records & saves less data
No History data saved
All cookies treated as session cookies (no files created; memory only)
Typed URL & form data not saved
Cache files are created, but deleted at the end of the session
Cache index.dat file may not be completely cleared
You may want to have your admins disable it via group policy (can prevent history clearing too)
Where InPrivate data may still be found:
Recover deleted cache files
Session Recovery files (& deleted session recovery files)
Incompletely cleaned remnants from index.dat
Network traffic or proxy logs
Data from memory if you can get it
NOT from InPrivate Browsing Mode sessions: result of InPrivate Filtering being enabled to prevent upload of tracking information
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.
Installed BHOs are listed under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID>
Details of the BHO are under HKLM\SOFTWARE\Classes\CLSID\<CLSID>
Macromedia/Adobe Flash
Plugin for most web browsers
Effectively a separate application, but not installed like one
Lives in: C:\WINDOWS\system32\Macromed\Flash
Has a built-in scripting language: ActionScript
Can make independent web requests
Flash Cookies
Potentially much larger than regular cookies
Not cleared when regular cookies are
.SOL file extension
Usually stored in folders under:
Sometimes found in other locations
Until recent updates, no easy way to clear
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
Visits to this site can be an indication of attempted history removal
What they tell you:
User/website access (full folder path)
First/last access time (file timestamps)
Data stored by the site (may be encrypted)
Java Downloads
Another separate application, but potentially runs downloaded code
Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common
Cache folder:
Java Downloads
IDX files in this cache are Java applet cache indexes Included data:
Filename
URL downloaded from
IP of source host
Last modified date
Downloaded date
Java Exploitability
Old versions of Java did not upgrade themselves; they just installed new versions alongside the old ones. Web applications that knew the correct path to the old version could still access it. There's lots of this still out there.
Specific versions of Java install with many applications, and aren't necessarily upgraded because the security issues don't affect the applications they support.
HTML 5.0 equivalent to Flash cookies
Located in XML files and index.dat under:
Up to 10MB per user & per site for any data a site cares to cache. Examples include:
Does not expire, but is cleared when cookies are
Prediction: In about ten years, HTML5 will be about like Java & Flash are now
Differences in IE 10
IE 10 Registry Keys
TypedURLsTime
IE 10 Files/Folders
Questions?