
Investigating Coordinated Data Exfiltration

Golden G. Richard III
University of New Orleans and Digital Forensics Solutions, LLC

Andrew Case
Digital Forensics Solutions, LLC

Speakers Introduction (1)

Golden G. Richard III
Professor of Computer Science and University Research Professor @ University of New Orleans
Director, Greater New Orleans Center for Information Assurance (GNOCIA)
Co-founder, Digital Forensics Solutions, LLC
GCFA cert
United States Secret Service Cybercrime Taskforce
Member of the American Academy of Forensic Sciences (AAFS)

Speakers Introduction (2)

Andrew Case
Senior Security Analyst
GCFA cert
Blackhat, DFRWS, and SOURCE speaker
Experienced digital forensics investigator, penetration tester, and reverse engineer

Digital Forensics Solutions / UNO

Digital Forensics Solutions, LLC
New Orleans company with offices in the Garden District
Full service digital forensics, data recovery
Relationships for seamless digital forensics / e-discovery
Security assessment, secure erasure of media, security training
Research: new tools and techniques

GNOCIA / University of New Orleans
Pioneering curriculum in digital forensics and reverse engineering
Digital forensics research: new tools and techniques
Education: creating a strong local tech workforce
Liaison with local, state, federal law enforcement to solve difficult cases

The Purpose of This Talk

Provide some basic background on digital forensics techniques applicable to data exfiltration cases
Illustrate the extent to which data exfiltration can be performed in a straightforward manner on a normal computer
And how data exfiltration can be investigated
A recent case we investigated required analyzing almost every common data exfiltration technique
We believe this case serves as a great learning example for other investigators

Digital Forensics?

(Benevolently) prey on mechanisms designed with performance (not privacy) in mind
Creative uses of data intended mostly for other things
Correlation of simplistic data sources to create richer context
In some cases: logs, etc. actually meant to be used for forensic purposes

Agenda

Introduction to Data Exfiltration Issues
Overview of our Recent Case
How to Investigate Exfiltration
Writing a Proper Case Report
Conclusion

[Some brief background on various digital forensics issues and techniques as we go. Please feel free to ask questions to clarify anything that isn't clear]

Data Exfiltration Introduction

Data exfiltration is the removal of sensitive information from an owner's control
Common examples include:
  A rogue employee removing information from a company's computer systems
  Attackers stealing data after they have gained access to an internal network
  Malware stealing and exporting sensitive data

How Exfiltration Occurs

1. A malicious user (or program) gets access to sensitive data
2. The data is then gathered and moved outside of the owner's network
3. Commonly used methods:
  Removable Media (USB, CD/DVD, Smartphones)
  Internet-Based (Email, File Uploads, Dropbox, FTP, SCP, etc.)
  Malware (transmission via email, TCP, UDP, etc.)

Consequences of Exfiltration

Consequences can be severe
Immediate effect:
  Loss of intellectual property and other sensitive information
  Expensive incident response process must begin
  Possible requirements for disclosure to be made and compensation of affected parties
Long term effect:
  Loss of trust by clients
  Liability / Lawsuits / Other legal issues

Our Scenario

Preliminary Information

A former employee of a financial institution (our client) was suspected of stealing sensitive information and using it to bring business to his new employer
We were to investigate:
  1. Was data stolen?
  2. If so, how?
  3. What data was taken
  4. If other people were involved in the incident

Data/Equipment to Investigate

We were given the suspected user's laptop
The user's Blackberry was remote wiped upon his leaving the company, as per policy
  No backups made before wiping
  Never got access to this information
We were supposed to receive a copy of the user's archived Outlook email (PST file)
  This was never provided

Investigation

Initial Analysis

Imaged hard drive of laptop
The suspect's laptop was running XP SP2
Internet Explorer only browser installed
The user was not a local administrator
The machine had over 20 System Restore Points
  We will be discussing the importance of this throughout

System Restore Points

System Restore Points are created to back up critical files when de-stabilizing operations are performed on the OS
  System updates
  3rd party software installations
  Installation of unsigned drivers
Good source for historical copies of the Windows registry
In our case, System Restore Points allowed orderly examination of data over five months old

Investigation Flow

Investigate Removable Media
  Determine which removable media was used, which files were moved, when they moved, and to where
Investigate Web Based Activity
  Determine if files were transferred over the network
Investigate Accessed Files
  Find any files that were inappropriately accessed
Determine if other people were involved
  Look for emails and other communication

Investigating Removable Media

First Steps

USB history analysis typically requires analyzing two sources:
  USBSTOR registry information
  The setupapi.log file
    Renamed and split under Win7: setupapi.app.log and setupapi.dev.log
Details after a brief discussion of the Windows registry

Briefly: Windows Registry

Windows Registry

Can be a forensics goldmine
Lots of information, fairly difficult to clean
  Usernames
  Internet history
  Program installation information
  Recently accessed files
  Devices (USB, et al)
  Network configuration

Registry: Windows 9x

On Windows 95/98: system.dat and user.dat files
If multiple users, look in \Windows\profiles\<acct> for individual user.dat files
system.dat
  System-wide information
user.dat (one original one, then others as users are created)
  User information
Careful, because on Windows 9x, new user profiles are often based on previously created profiles!

Registry: NT/Win2K/XP

ntuser.dat
  Each user has a separate ntuser.dat file in \documents and settings\<user>
  List of most recently used files
The system hives live in \<windowsdir>\system32\config:
default
  Initial system settings
SAM
  User account settings, security settings
security
  Security-related settings
software
  Installed programs, settings, usernames, passwords
system
  Misc. system settings

Last Write Times for Registry Keys

** VERY IMPORTANT **
The Select key chooses which control set is current, and which is the last known good configuration
SYSTEM file
Copyright 2004-2011 by Golden G. Richard III.

What user accounts are on the machine?
SAM file

Which timezone does the computer use?
SYSTEM file

Which files were recently accessed by a particular user?
NTUSER.dat file

Which URLs were typed recently by a particular user?
NTUSER.dat file

Which programs are installed on the machine? Which license keys are in use?
SOFTWARE file

Which programs run automatically when a particular user logs in?
NTUSER.dat file

Which programs run automatically when ANY user logs in?
SOFTWARE file

What has been plugged in?
SYSTEM file
  Two Jumpdrive Elite thumbdrives
  750GB USB hard drives (same type)

Networking info
SYSTEM file

Disk info
SYSTEM file

Summary: Registry Forensics

Last write times for individual registry keys can be used to infer useful information
Overall, lots of information, some of which can't be obtained elsewhere
Extreme care is needed during analysis
  Lots of mysterious data
  Much of the information is essentially undocumented and meaning is determined experimentally

USBSTOR

The SYSTEM registry hive contains a history of connected USB devices
  Registry files backed up by System Restore Point facility
All of this information is stored under the CurrentControlSet\Enum\USBSTOR key
  Contains an entry for each USB device that was connected to the machine
  Also contains the Friendly Name and serial number of each attached device
  Caveat: if a device reports no serial number, Windows generates an instance ID whose second character is '&'; such IDs are not unique across machines and cannot be used to match a drive seen on two computers
The only timestamp information available is the last written time for the key corresponding to a particular USB device!

Analyzing the Registry Files

After gathering all of the SYSTEM files
  Current
  Historical (via System Restore Points)
Used the RegRipper [6] USBSTOR plugin to enumerate previously attached USB devices
Then wrote a wrapper script to dump this information into Excel
Now we had information on connected USB devices going back many months

Results of USBSTOR Analysis

Eight USB drives were used during the target time range
  Six were thumb drives with capacity ranging from 2 to 8GB
  One USB device was the previously mentioned user's Blackberry smartphone
  Last was a digital camera
Next step was to determine the extent of use for the six thumb drives

Analyzing setupapi.log

Text file in C:\Windows (under XP)
Tracks device installation, service-pack installation, hotfix installation, etc. for the setup application
Reveals the first time each device was plugged in, as Windows selects appropriate device drivers
USBSTOR registry key tells us the last time a device was connected
We used SetupAPI Extractor [15] to analyze the file rather than simply viewing it as a text file
Caveat: setupapi.log timestamps are written in local time, while registry key last-write times are UTC; convert one to the other (using the TimeZoneInformation key from the SYSTEM hive) before comparing them

Using setupapi.log Information

Using the first and last connect times gives us a time range for each device
Use this information to assign drive letters to specific thumb drives
  Discussed next
Also helped build a clearer timeline of the suspected user's activity

Investigating Individual Drives

Used procedure illustrated on next slide to determine:
  Drive letter mapped to a USB device
  The first and last time each device was connected
Have to be careful when assigning drive letters
  Multiple drives can be mapped to the same letter over time
  Need to correlate time information between drive and files accessed to substantiate
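The procedure on these slides (first connection from setupapi.log, last connection from the USBSTOR key, drive letter from the mounted-devices history, then a check for letters that were reused) as an added worked example; this is not code from the talk or from the tools it cites. The setupapi.log excerpt, the USBSTOR last-write times, the drive-letter history and the UTC-6 machine time zone are all constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Assumed machine time zone (placeholder). In practice read it from the SYSTEM
# hive's TimeZoneInformation key; setupapi.log is local time, USBSTOR is UTC.
LOCAL_UTC_OFFSET = timedelta(hours=-6)

# Constructed excerpt in the style of an XP setupapi.log (not from the case).
SETUPAPI_LOG = r"""[2011/02/14 09:12:33 1234.5 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer________8.02
#-124 Doing copy-only install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\0000161A1B2C3D4E&0"
[2011/03/02 14:05:10 1240.2 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disklexar___jumpdrive_elite_1100
#-124 Doing copy-only install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_ELITE&REV_1100\AA04012700012345&0"
[2011/03/09 08:41:57 1301.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disklexar___jumpdrive_elite_1100
#-124 Doing copy-only install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_ELITE&REV_1100\AA04012700098765&0"
"""

# Constructed USBSTOR results: last-write time (UTC) of each device key, taken from
# whichever SYSTEM hive (current or restore point) holds the most recent copy.
USBSTOR_LASTWRITE = {
    "0000161A1B2C3D4E": datetime(2011, 2, 14, 15, 30, 2),
    "AA04012700012345": datetime(2011, 4, 18, 13, 2, 45),
    "AA04012700098765": datetime(2011, 4, 18, 21, 55, 10),
}

# Constructed drive-letter history gathered from MountedDevices across the current and
# restore-point hives: both Lexar drives were mounted as E: at different times.
LETTER_HISTORY = [("F:", "0000161A1B2C3D4E"), ("E:", "AA04012700012345"),
                  ("E:", "AA04012700098765")]

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
INSTALL_RE = re.compile(
    r'^#-124 Doing copy-only install of "USBSTOR\\DISK&VEN_([^&]+)&PROD_([^&]+)&REV_[^\\]+\\([^&"]+)&\d+"',
    re.IGNORECASE,
)


def first_connect_times(log_text):
    """{serial: (vendor, product, first_install_utc)} from setupapi.log.
    Each '#-124 Doing copy-only install' line belongs to the nearest preceding
    '[... Driver Install]' header, whose timestamp is the first time Windows saw
    that device instance. The earliest entry per serial is kept."""
    first, current = {}, None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            local = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = local - LOCAL_UTC_OFFSET          # local -> UTC
            continue
        m = INSTALL_RE.match(line)
        if m and current is not None:
            vendor, product, serial = m.groups()
            if serial not in first or current < first[serial][2]:
                first[serial] = (vendor, product, current)
    return first


def device_windows(first, lastwrite):
    """Merge first-connect (setupapi.log) with last-write (USBSTOR key) into a
    [first, last] usage window per device. A second character of '&' in the
    instance ID means Windows generated it (device reported no serial number)."""
    rows = []
    for serial, (vendor, product, first_utc) in first.items():
        rows.append({"serial": serial, "vendor": vendor, "product": product,
                     "first": first_utc, "last": lastwrite.get(serial),
                     "unique_serial": serial[1:2] != "&"})
    return sorted(rows, key=lambda r: r["first"])


def candidate_devices(windows, letter_history, letter, when):
    """Serials that were ever mapped to `letter` and whose usage window contains
    `when`. More than one result means the letter is ambiguous at that time and
    file-level timestamps (LNK, MRU) are needed to substantiate which drive it was."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    mapped = {s for l, s in letter_history if l.upper() == letter.upper()}
    return [w["serial"] for w in windows
            if w["serial"] in mapped and w["last"] is not None
            and w["first"] <= when <= w["last"]]


if __name__ == "__main__":
    wins = device_windows(first_connect_times(SETUPAPI_LOG), USBSTOR_LASTWRITE)
    for w in wins:
        print(f'{w["serial"]:18} {w["vendor"]}/{w["product"]}: {w["first"]} .. {w["last"]}')
    print("E: at 2011-03-10 10:00 UTC ->",
          candidate_devices(wins, LETTER_HISTORY, "E:", "2011-03-10 10:00"))
```

The last query is the ambiguous case the slide warns about: both Lexar drives held E: and both windows contain that instant, so a LNK file pointing at E:\ on that date cannot be attributed to one drive without a matching file timestamp or volume serial.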

USB Analysis Process [4][5][11]

Investigating Network-Based Exfiltration

Email Examination: Overview

Two email services were used to exfiltrate files:
  Gmail
  Company Email (Exchange)
We were told during the pre-investigation phase that the IT team knew of a Gmail account for the user under investigation
Needed to find all contact with the suspect's new employer while still employed by our client
We didn't have PST access, so our only hope was web-based email
Knew that only fragments would be recovered from Gmail

Investigating Gmail

Two pieces of evidence were discovered from Gmail:
  A number of file exfiltration instances
  Evidence of contact between suspect and new employer well before our client suspected
How did we find this information?

Gmail: Technical Details

Gmail makes a number of efforts to avoid disk forensics of messages read and sent
  Puts messages in separate iframes
  Uses SSL and no-cache browser directives
Uses similar techniques for other parts of the Gmail interface
  Contacts, labels, searches, etc.
Essentially, simple examination of browser cache isn't going to yield much

Scalpel Overview

File carving is typically used to recover deleted files, based on the structure of file types
Scalpel [1] is a file carver [3], but can also be used as a very efficient indexer for specific search terms
  Latest version is multithreaded and can use GPUs (CUDA) for high performance operation
The audit file created by Scalpel (audit.txt) contains locations of every discovered instance of every search term

Using Scalpel

We ran Scalpel to find all instances of the new employer's email domain
We then used The Sleuth Kit to quickly map these offsets to files within the filesystem
  See [2] for an updated method on how to do this
Produced hits in both web cache files and pagefile.sys, the Windows swap file

pagefile.sys Analysis

Hits in pagefile are on previously viewed Gmail Inbox indices (illustrated on the next slide)
These indices contain a number of useful artifacts about email messages:
  Time received
  Message fragment
  Sender
  Attachment names (if any)

Gmail Inbox View

[Screenshot of the Gmail Inbox view]
The default view shows 50 messages
We were able to recover a number of instances of these using Scalpel on the pagefile

Utilizing Message Fragments

After gathering all message indices discovered in the pagefile
We created a new Scalpel config file and carved again on the pagefile to try to recover message fragments
This produced fragments of entire message bodies sent through Gmail by the rogue employee
This is where it got interesting!
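The two Scalpel passes above (term indexing with offset-to-file mapping, then header/footer carving of message fragments) as an added worked example in plain Python rather than Scalpel and The Sleuth Kit; it is not code from the talk. The "image" is a few constructed clusters, the domain newco.example is a placeholder, and the cluster-to-file map stands in for what TSK's ifind/ffind would report against the real volume.

```python
import re

BLOCK_SIZE = 4096  # assumed NTFS cluster size of the imaged volume


def _cluster(payload):
    """Pad a constructed payload to one cluster (sample data only)."""
    assert len(payload) <= BLOCK_SIZE
    return payload.ljust(BLOCK_SIZE, b"\x00")


DOMAIN = b"newco.example"  # placeholder for the new employer's mail domain

# Constructed stand-in for four clusters of a raw image (not case data): cluster 1 holds
# a swapped-out Gmail inbox-index row, cluster 2 two message-body fragments, cluster 3 an
# unrelated hit sitting in unallocated space.
IMAGE = b"".join([
    _cluster(b"\x00\xff" * 512),
    _cluster(b'<tr class="zA"><td>Mar 9</td><td>hr@' + DOMAIN +
             b'</td><td>Re: start date</td><td>offer_letter.pdf</td></tr>'),
    _cluster(b'<div class="msg">From: jdoe@' + DOMAIN + b'\r\n'
             b'I will bring the client list on the thumb drive Friday.</div>' + b"\x00" * 10 +
             b'<div class="msg">Sounds good, see you then'),
    _cluster(b'bookmark: http://careers.' + DOMAIN + b'/openings'),
])

# Constructed allocation map (cluster -> owning file), the answer ifind/ffind would give
# for each cluster of the volume; clusters not listed are unallocated.
ALLOC = {1: "pagefile.sys", 2: "pagefile.sys"}


def find_term(image, term):
    """Offsets of every occurrence of `term` (what Scalpel's audit.txt lists for a
    search term configured as a header with no footer)."""
    return [m.start() for m in re.finditer(re.escape(term), image)]


def carve(image, header, footer, max_len):
    """Scalpel-style header/footer carving: from each header take through the next
    footer, or max_len bytes when no footer appears within range (the usual case
    for a fragment cut off at a page boundary)."""
    out = []
    for m in re.finditer(re.escape(header), image):
        window = image[m.start():m.start() + max_len]
        end = window.find(footer, len(header))
        out.append((m.start(), window if end < 0 else window[:end + len(footer)]))
    return out


def map_offset(offset, alloc, block_size=BLOCK_SIZE):
    """Byte offset -> (cluster number, owning file or 'unallocated')."""
    blk = offset // block_size
    return blk, alloc.get(blk, "unallocated")


def term_report(image, term, alloc, context=24):
    """One row per hit: offset, owning file, and a little surrounding text."""
    rows = []
    for off in find_term(image, term):
        _, owner = map_offset(off, alloc)
        snippet = image[max(0, off - context):off + len(term) + context]
        rows.append((off, owner, snippet.decode("latin-1")))
    return rows


if __name__ == "__main__":
    for off, owner, snippet in term_report(IMAGE, DOMAIN, ALLOC):
        print(f"{off:8d} {owner:14} {snippet!r}")
    for off, frag in carve(IMAGE, b'<div class="msg">', b"</div>", 512):
        print(f"{off:8d} {len(frag):4d} bytes: {frag[:60]!r}")
```

The second carved fragment has no closing footer and so comes back at the configured maximum length, which is exactly the kind of truncated message body the slides describe recovering from the pagefile; the third domain hit maps to unallocated space, so it can be reported but not attributed to a file.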


Message Fragments: Gold Mine

The recovered message bodies revealed the employee under investigation had contacted his new employer a number of months before leaving the company
  Well before our client had suspected
The uncovered messages were particularly damaging
  Revealed precise details of the plan to steal and later utilize our client's data

Gmail Attachments

After discovering attachment names in the fragments, we used this data to discover which files were transferred
Analysis revealed a number of files were emailed from the user's local Outlook installation to his Gmail account
Filenames were matched to those in LNK files and MRU lists (discussed later)

Investigating Web Browser Activity

Three Components of Browser Activity

History
  Gives a list of sites visited, including when and specific URLs
Cache
  Copies of files downloaded from webservers (HTML, javascript, images, etc)
  MAC times can be used in timeline analysis
Cookies
  Provide additional information about the user's interaction with a web site

Analyzing Browser History Using IEHistoryView [13]

Analyzing Cache Contents Using IECacheView

Analyzing HTTP Cookies

Flash Cookies

Flash applications are provided client storage through local shared objects (LSOs)
Browsers are only recently giving users the ability to delete them
  Previously had to find LSOs within the filesystem and manually delete
Stored outside of the normal cookie/cache storage subsystem
  Private browsing modes DO NOT affect flash cookies!
Analysis leads to information about websites visited, when they were visited, etc.

Analyzing Flash Cookies

The location of the files is operating system dependent:
  http://en.wikipedia.org/wiki/Local_Shared_Object#File_locations
A few tools exist for analysis, but none seem completely stable:
  Minerva - http://blog.coursevector.com/minerva
  SOLReader - http://www.sephiroth.it/python/solreader.php

Using Browser Analysis

Browser analysis revealed many accesses to Gmail as well as information related to the new employer
Title and other URL information recorded in the history file helped in analysis discussed later

END OF HOUR 1: Questions / Comments?

Contact Golden:
  golden@cs.uno.edu
  golden@digdeeply.com
  @nolaforensix
Contact Andrew:
  andrew@digdeeply.com
  @aarc
Digital Forensics Solutions:
  Daryl Pfeif (CEO)
  daryl@digdeeply.com
  504-874-0787
  http://www.digitalforensicssolutions.com
  http://dfsforensics.blogspot.com
  @dfsforensics

Investigating Coordinated Data Exfiltration (2nd Hour)



Investigating Files Transferred During the Exfiltration

Recap

At this point in the investigation we have:
  Shown that a number of thumb drives were previously attached to the computer under investigation
  That files were sent to an external Gmail address from a company email address
  That the target employee had contacted his new employer many months before leaving our client

Updated Workflow

We now had two goals:
  Find out which files were accessed by the user, and which of those were then transferred onto USB drives
  Determine the location of the files sent via Gmail

Finding Accessed Files

Windows provides a number of forensics artifacts related to historical file access
Three main ones were used in this investigation:
  LNK Files
  MRU Lists
  File Access History

LNK File Analysis

LNK Files

Link files (.lnk) are Windows shortcut files
  Similar to symbolic links under Unix
  Windows also creates them automatically in the user's Recent folder when a document is opened, so they record access to files the user never deliberately made a shortcut to
The metadata contained in these files is very useful during forensics investigations
  MAC times of target file
  Full path to target file
  Whether target is/was local or on the network
  Network share information
  Volume serial number (used to match to a specific drive)
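A parser for the fields listed above (target MAC times and size from the ShellLinkHeader; volume serial, drive type and label, or share name and mapped drive letter, from the LinkInfo structure per Microsoft's MS-SHLLINK specification) as an added worked example; it is not lnk-parse or any other tool from the talk. The two sample shortcuts are built inline with a small builder and are constructed data, including the paths, serial and share name.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH          # integer arithmetic: float seconds lose precision here
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Parse the ShellLinkHeader and LinkInfo structures of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Windows shell link")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "modified": filetime_to_dt(wtime), "size": size, "attributes": attrs}
    off = 76
    if flags & 0x01:  # HasLinkTargetIDList: skip the IDList (2-byte size + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo
        li_size, _, li_flags, vol_off, base_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, off)
        suffix = _cstr(data, off + suffix_off)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath: target was on a local volume
            dtype, serial, label_off = struct.unpack_from("<III", data, off + vol_off + 4)
            info["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["volume_label"] = _cstr(data, off + vol_off + label_off)
            info["target"] = _cstr(data, off + base_off) + suffix
        if li_flags & 0x02:  # CommonNetworkRelativeLinkAndPathSuffix: target was on a share
            c = off + cnrl_off
            c_flags, name_off, dev_off = struct.unpack_from("<III", data, c + 4)
            info["share"] = _cstr(data, c + name_off)
            if c_flags & 0x01:  # ValidDevice: share was mapped to a drive letter
                info["mapped_device"] = _cstr(data, c + dev_off)
            info["target"] = info["share"] + "\\" + suffix
    return info


def build_lnk(created, accessed, modified, size, local=None, drive_type=3, serial=0,
              label="", share=None, device=None, suffix=""):
    """Emit a minimal .lnk (header + LinkInfo only) to construct sample input.
    Real shortcuts carry further sections, which parse_lnk does not need."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, 0x02, 0x20,
                         dt_to_filetime(created), dt_to_filetime(accessed),
                         dt_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
    if local is not None:
        vol = struct.pack("<III", drive_type, serial, 16) + label.encode() + b"\x00"
        vol = struct.pack("<I", 4 + len(vol)) + vol
        li_flags, body = 0x01, vol + local.encode() + b"\x00"
        offsets = (28, 28 + len(vol), 0)
    else:
        name = share.encode() + b"\x00"
        dev = (device or "").encode() + b"\x00"
        cnrl = struct.pack("<IIIII", 20 + len(name) + len(dev), 0x03 if device else 0x02,
                           20, 20 + len(name), 0x20000) + name + dev
        li_flags, body, offsets = 0x02, cnrl, (0, 0, 28)
    suf = suffix.encode() + b"\x00"
    li = struct.pack("<7I", 28 + len(body) + len(suf), 28, li_flags, *offsets, 28 + len(body))
    return header + li + body + suf


UTC = timezone.utc
# Constructed samples (not from the case): a file opened from a removable volume and
# a file opened from a network share that was mapped as H:.
SAMPLE_USB = build_lnk(datetime(2011, 3, 9, 13, 58, 2, tzinfo=UTC), datetime(2011, 3, 9, 14, 3, 40, tzinfo=UTC),
                       datetime(2011, 3, 9, 14, 2, 11, tzinfo=UTC), 48213,
                       local="E:\\commissions_2010.xlsx", drive_type=2, serial=0x1A2B3C4D, label="JUMPDRIVE")
SAMPLE_SHARE = build_lnk(datetime(2010, 11, 1, 9, 0, 0, tzinfo=UTC), datetime(2011, 3, 9, 14, 2, 11, tzinfo=UTC),
                         datetime(2011, 2, 28, 17, 45, 0, tzinfo=UTC), 48213,
                         share="\\\\FILESRV01\\Finance", device="H:", suffix="Reports\\commissions_2010.xlsx")

if __name__ == "__main__":
    for sample in (SAMPLE_USB, SAMPLE_SHARE):
        print(parse_lnk(sample))
```

The volume serial is the value that ties a shortcut on the laptop to one specific thumb drive, independent of which letter the drive happened to receive; the mapped device field is what lets an H:\ path in a MRU list be resolved to the share it pointed at.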

lnk-parse [10] on a Local File
[Screenshot of lnk-parse output: MAC times of target file, target hard drive, target file]

lnk-parse Output for Network Share
[Screenshot of lnk-parse output: MAC time of target file, size of file, the network share related to the file, including path]

Using LNK Files

The target computer had a large number of relevant LNK files
  (Some) LNK files are backed up within System Restore Points!
These files were helpful for two purposes:
  1. Identifying which files were moved to which USB drives
  2. Identifying which files were downloaded from which network shares
More on this in a minute

Automating LNK File Analysis

Since there were so many LNK files, we needed to automate the process
Wrote a script to parse lnk-parse output and write contents to an Excel sheet
Could then quickly determine which files, network shares, and times were involved in the exfiltration

LNK File Research

There are a few very good resources on LNK file analysis:
  The Meaning of LIFE [9]
    21 page research paper on analysis with LNK files
  Forensics Wiki Page [7]
  Forensic Focus Article [8]

Analyzing MRU Lists

Most Recently Used (MRU) Lists

MRU lists store information about the documents most recently accessed by a user for a particular application
Stored in the Windows Registry
  Again, System Restore Points give us access to historical MRU lists as well as current ones
Common examples are when you click File in an application's menu and see a list of previously opened documents

Popular MRU Lists

Microsoft Office
  For all applications (Word, Excel, PPT, etc)
Internet Explorer
  Recently typed URLs (the URL dropdown)
Adobe
  Recently accessed PDF files
An extensive list of over 30 MRU locations and associated applications can be found at [12]

Using MRU Lists

Gathered the current and historical registry files
  The per-application MRU lists (Office, Adobe, IE TypedURLs) are per-user data and live in the user's NTUSER.dat hive, not in the SOFTWARE hive
Used RegRipper to acquire all of the relevant MRU lists
  Most important were Office and Adobe
(Again) we wrote a script to parse output and write to an Excel sheet

Analyzing the MRU Lists

The combined MRU lists provided filenames and paths to numerous files of interest to the case
  Spread out across the local drive, thumb drives, and network shares
A number of these files were also duplicates of those found in the LNK files
  Great for correlation and soundness of findings

More on Browsing History

More File Accesses

Web browser history also revealed access to a number of internal web applications that create reports
The filename of these reports contained the parameters (date, search, etc) used to create them
  This was visible in the URL (GET parameter)

Web Application Reports

We then found copies of these reports on the local machine
Contained information on other employees that the target user was not officially authorized to view

File Accesses

The browser history files also keep records of access to specific files (file:///)
  Including full path name and MAC time type information
Analysis of these files on the target machine revealed access to more unauthorized files
  Beyond what was found through LNK and MRU analysis

Investigating Recycle Bin Activity

Recycle Bin Forensics

Windows trash can facility for deleting files
Files maintained in a hidden directory until the user empties the Recycle Bin, then insecurely deleted
The Recycle Bin maintains a history of files deleted within INFO2 files
  INFO2 is the XP-era format; Vista and later keep one $I record per deleted file instead
INFO2 files contain:
  The full path of the deleted file
  The date the file was moved to the Recycle Bin
  The sequence in which files were moved to the Recycle Bin
A great resource on INFO2 analysis can be found at [14]
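An INFO2 parser covering the three fields listed above (path, deletion time, sequence) plus the "was it restored or purged" flag that matters when reconstructing what the user did, as an added worked example based on the XP record layout; it is not code from the talk or from [14]. The sample INFO2 is built inline from constructed records with placeholder paths and times.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE, RECORD_SIZE = 20, 800   # XP / Windows 2000 INFO2 layout
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_info2(data):
    """Parse an XP INFO2 file into one dict per 800-byte record, ordered by index.
    Record layout: ANSI path (260) | index (4) | drive number (4) | deletion
    FILETIME (8) | physical size (4) | Unicode path (520). When a file is restored
    or the bin is partly emptied, Explorer zeroes the first byte of the ANSI path
    rather than removing the record, so that byte acts as a 'still in the bin'
    flag and the Unicode copy keeps the full name."""
    _version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        ansi = data[off:off + 260]
        index, drive, ft, size = struct.unpack_from("<IIQI", data, off + 260)
        path = data[off + 280:off + 800].decode("utf-16-le").split("\x00", 1)[0]
        base = path.rsplit("\\", 1)[-1]
        ext = base.rsplit(".", 1)[1] if "." in base else ""
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive) + ":",
            "deleted": filetime_to_dt(ft),        # FILETIME is UTC
            "size": size,
            "path": path,
            # name the file carries inside the bin directory: D<drive><index>.<ext>
            "bin_name": f"D{chr(ord('a') + drive)}{index}" + (f".{ext}" if ext else ""),
            "still_in_bin": ansi[0] != 0,
        })
    return sorted(records, key=lambda r: r["index"])


def build_record(index, drive, deleted, path, size, still_in_bin=True):
    """Constructed INFO2 record (sample input only)."""
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    if not still_in_bin:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, dt_to_filetime(deleted), size) + uni


def build_info2(records):
    return struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0) + b"".join(records)


UTC = timezone.utc
DOCS = "C:\\Documents and Settings\\jdoe\\My Documents\\"
# Constructed sample (not case data): three deletions, the last one restored by the user.
SAMPLE_INFO2 = build_info2([
    build_record(7, 2, datetime(2011, 3, 9, 14, 6, 40, tzinfo=UTC), DOCS + "commissions_2010.xlsx", 49152),
    build_record(8, 2, datetime(2011, 3, 10, 9, 19, 13, tzinfo=UTC), DOCS + "client_list.xls", 20480),
    build_record(9, 2, datetime(2011, 3, 11, 16, 41, 30, tzinfo=UTC), DOCS + "budget_2011.xlsx", 8192,
                 still_in_bin=False),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(f'{r["index"]:3d} {r["deleted"]:%Y-%m-%d %H:%M:%S} {r["bin_name"]:10} '
              f'{"in bin" if r["still_in_bin"] else "restored/purged":16} {r["path"]}')
```

The index gives the order of deletions even when two records carry the same timestamp, and the bin_name is what to look for (or carve for) in the RECYCLER directory itself when the content of a deleted file is needed.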


Analyzing the Recycle Bin

Analysis of INFO2 files found on the target machine revealed that many of the files found through previous analysis had been deleted by the user
The timestamps of the deletion were very close to the exfiltration times
  Very damaging evidence

Investigating Network Share Access

Network Share Access

In many corporate environments, including the one in this case, departments store all information on network shares
Employees should technically only have access to specific files, but implementing this properly is painful
This makes investigating network share access a must in data exfiltration cases

Analyzing Network Shares

CurrentControlSet\Services\LanmanServer\Shares (SYSTEM hive) contains information about network shares served by the computer itself
For the drive letters the user mapped to remote shares, the per-user NTUSER.dat hive is the source: each Network\<letter> key holds a RemotePath value with the UNC path
Again, historical records were also available through restore points
Allowed quick mapping of drive names to places on the network

Using Network Shares

After determining which drive letters corresponded to which network shares, we gathered the filenames that were accessed
We then sent this information to the IT security team
  They were able to find all these files and we subsequently used this information in our report

Piecing the Evidence Together

Results So Far

At this point we had a wealth of information:
  We knew exfiltration occurred over USB devices and Gmail
  We knew which files were transferred and the time/date of transfer for some of them
  We knew that contact was made with the future employer, and the exact details

Data to Correlate

We had drive letters, filenames, and access times from our evidence sources
Needed to create a timeline of user activity for each file of interest:
  File Access
  File Transfer (if any)
  File Deletion (if deleted)

Performing the Correlation

Used access times from LNK files, browser history, etc. to determine when interaction with a file started
Used LNK files related to USB drives to determine when copied
Used browser history and Gmail view index to determine when a file was emailed
Used INFO2/Recycle Bin to determine if/when a file was deleted
All sources were normalized to one time zone before ordering, since registry and FILETIME values are UTC while some artifacts carry local time

Correlation Results

For many files of interest, we could show that, within a 5 minute time period, the file was accessed, exfiltrated, and then deleted
We could also show which files were simply viewed and then discarded
Made for compelling (and hard to refute) evidence
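The correlation step described on the last two slides, as an added worked example that is not the authors' script: events from the different sources are joined on the document name (LNK paths, file:/// URLs, Gmail attachment names and INFO2 paths all spell it differently), ordered, and classified into the three outcomes the slide names. The event table is constructed, already normalized to UTC, and uses placeholder file names.

```python
from datetime import datetime, timedelta

# Constructed event table (not case data) in the shape the preceding slides produce:
# (source, UTC time, path or name as that source records it, action).
EVENTS = [
    ("lnk",     "2011-03-09 14:02:11", "H:\\Reports\\commissions_2010.xlsx", "access"),
    ("lnk",     "2011-03-09 14:03:40", "E:\\commissions_2010.xlsx", "transfer"),
    ("info2",   "2011-03-09 14:06:40", "C:\\Documents and Settings\\jdoe\\My Documents\\commissions_2010.xlsx", "delete"),
    ("history", "2011-03-10 09:15:02", "file:///C:/Documents and Settings/jdoe/My Documents/client_list.xls", "access"),
    ("gmail",   "2011-03-10 09:18:55", "client_list.xls", "transfer"),
    ("info2",   "2011-03-10 09:19:13", "C:\\Documents and Settings\\jdoe\\My Documents\\client_list.xls", "delete"),
    ("mru",     "2011-03-11 16:40:00", "H:\\Reports\\budget_2011.xlsx", "access"),
    ("info2",   "2011-03-11 16:41:30", "C:\\Documents and Settings\\jdoe\\My Documents\\budget_2011.xlsx", "delete"),
    ("mru",     "2011-02-20 11:05:00", "H:\\Reports\\org_chart.pdf", "access"),
    ("lnk",     "2011-03-01 08:10:00", "E:\\org_chart.pdf", "transfer"),
]

TIGHT = "accessed, exfiltrated and deleted within window"
EXFIL = "exfiltrated"
DISCARDED = "viewed then discarded"
VIEWED = "viewed only"


def file_key(name):
    """Basename, case-folded, so one document matches across LNK paths, file:///
    URLs, Gmail attachment names and INFO2 records."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, window=timedelta(minutes=5)):
    """Per file: first access, first transfer, first deletion, the span they cover,
    and a verdict. The tight-chain verdict additionally requires the events to be
    in access -> transfer -> delete order; a transfer stamped before the first
    access is reported with ordered=False rather than silently accepted."""
    by_file = {}
    for src, ts, name, action in events:
        by_file.setdefault(file_key(name), []).append((datetime.fromisoformat(ts), action, src))
    out = []
    for f, evs in sorted(by_file.items()):
        evs.sort()
        first = {}
        for t, action, src in evs:
            first.setdefault(action, (t, src))
        acc, xfer, dele = (first.get(a) for a in ("access", "transfer", "delete"))
        ordered = acc is not None and all(x is None or x[0] >= acc[0] for x in (xfer, dele))
        times = [x[0] for x in (acc, xfer, dele) if x]
        span = max(times) - min(times) if times else None
        if xfer and dele and ordered and span <= window:
            verdict = TIGHT
        elif xfer:
            verdict = EXFIL
        elif dele:
            verdict = DISCARDED
        else:
            verdict = VIEWED
        out.append({"file": f, "accessed": acc, "transferred": xfer, "deleted": dele,
                    "span": span, "ordered": ordered, "verdict": verdict})
    return out


if __name__ == "__main__":
    for r in correlate(EVENTS):
        print(f'{r["file"]:24} span={r["span"]!s:>16} {r["verdict"]}')
```

Keeping the source alongside each timestamp (the second element of each tuple) matters for the report: the findings section has to say which artifact established each step, not just when it happened.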


Investigating Collusion with Other Employees

Next Steps

Our last step was to determine if other employees were involved
We requested a list of first and last names, user logins, and email addresses from IT security for:
  Close co-workers of the target
  Other people who recently left the company
We used this information as our starting point

Investigation Process

We took the information given from IT to build a Scalpel configuration file as previously described
This would (hopefully) find all information related to these other employees

First Clue

Emails were found between the suspect and his secretary, related to the new company
We then requested the computer of the secretary
Analysis of her computer revealed sharing of USB thumb drives
  Based on USB serial numbers and investigation of USBSTOR in the registries

Further Analysis of the Second PC

Similar evidence was found on the secretary's PC as on the initial target's
  Use of removable media
  Downloading of unauthorized files from fileservers
  Emailing of files to outside accounts
Also found emails to a third person within the organization

Analyzing Employee Three

After finding emails from the secretary to employee three, we requested his computer as well
Analysis of this computer revealed sharing of USB drives by all three employees
Also revealed contact by employee three with the new company

Writing a Usable Report

Mortal Sins of Reporting

Do NOT:
  Include opinions (especially legal ones)
    You weren't asked to be a lawyer
    Will hurt your credibility
  Include information you could not verify
    Will come up in testimony and can hurt your credibility

Report Outline

Every report should contain at least these sections:
  Executive Summary
  Evidence Catalogue
  Findings Sections
  Conclusion
  Attachments

Report - Executive Summary

Should contain a high level overview of the case results and be less than one page
Purpose is to allow executives to quickly understand the outcome of the investigation
Should answer three questions:
  Was data exfiltrated?
  If so, were you able to conclude who was responsible for the exfiltration?
  If so, what data was taken and how much of it?

Report - Evidence Catalogue

The rest of the report should be for managers and IT staff who need technical details
The evidence catalogue should contain:
  A description of all evidence analyzed
  A picture of each piece of evidence
  Any unique information (serial numbers)
  Hashes of the data, if applicable
  How copies of the evidence were acquired

Report - Findings Sections

The bulk of the report should be your findings
Should be broken into logical sections
  Similar to how this presentation flowed
Needs to include:
  Your exact investigation methodology
  A listing of tool(s) used
  The relevance of each finding to the case

Report - Conclusion

The conclusion should be a factual summary of the case
  Again - NO opinions
Can include recommendations for further investigation
  For example, our initial report recommended acquiring the computer of the secretary

Report - Attachments

All processed data from the case, such as the Excel sheets we mentioned, should be included as attachments to the report
  On digital media (CDs, DVDs, etc.)
  Or printed, as appropriate
This makes handling the files (printing, searching, etc) much easier for everyone involved

Conclusions

Data exfiltration investigation is a labor-intensive process
Requires a wide range of skills on the part of the investigator
  We only investigated Windows machines during this case, and still needed a number of tools and skillsets
The resulting report must be carefully written

END OF HOUR 2: Questions / Comments?



References (Click Through)

[1] http://www.digdeeply.com/Scalpel/
[2] http://dfsforensics.blogspot.com/2011/01/exploring-sleuthkits-new-tskloaddb.html
[3] http://www.forensicswiki.org/wiki/File_Carving
[4] http://www.forensicswiki.org/wiki/USB_History_Viewing
[5] https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_xp_guide.pdf
[6] http://regripper.wordpress.com/
[7] http://www.forensicswiki.org/wiki/LNK
[8] http://www.forensicfocus.com/link-file-evidentiary-value
[9] http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf
[10] http://sourceforge.net/projects/jafat/files/lnk-parse/
[11] https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf
[12] http://www.forensicswiki.org/wiki/List_of_Windows_MRU_Locations
[13] http://www.nirsoft.net/utils/iehv.html
[14] http://cdnetworks-us-1.dl.sourceforge.net/project/odessa/ODESSA/White%20Papers/Recycler_Bin_Record_Reconstruction.pdf
[15] http://www.argen.org/downloads/files/SAEX.zip
