Andrew Case
Digital Forensics Solutions, LLC

- Pioneering curriculum in digital forensics and reverse engineering
- Digital forensics research: new tools and techniques
- Education: creating a strong local tech workforce
- Liaison with local, state, and federal law enforcement to solve difficult cases
Digital Forensics?

- (Benevolently) prey on mechanisms designed with performance (not privacy) in mind
- Creative uses of data intended mostly for other things
- Correlation of simplistic data sources to create richer context
- In some cases: logs, etc. actually meant to be used for forensic purposes
Agenda

- Introduction to Data Exfiltration Issues
- Overview of our Recent Case
- How to Investigate Exfiltration
- Writing a Proper Case Report
- Conclusion

[Some brief background on various digital forensics issues and techniques as we go; please feel free to ask questions to clarify anything that isn't clear]
Consequences of Exfiltration

- Consequences can be severe
- Immediate effect: loss of intellectual property and other sensitive information
- Expensive incident response process must begin
- Possible requirements for disclosure to be made and compensation of affected parties
Our Scenario

Preliminary Information

- A former employee of a financial institution (our client) was suspected of stealing sensitive information and using it to bring business to his new employer
- We were to investigate:
  1. Was data stolen?
  2. If so, how?
  3. What data was taken?
  4. If other people were involved in the incident
Data/Equipment to Investigate

- We were given the suspected user's laptop
- The user's Blackberry was remote wiped upon his leaving the company, as per policy
  - No backups made before wiping
  - Never got access to this information
- We were supposed to receive a copy of the user's archived Outlook email (PST file)
  - This was never provided
Investigation

Initial Analysis

- Imaged hard drive of laptop
- The suspect's laptop was running XP SP2
  - Internet Explorer only browser installed
- The user was not a local administrator
- The machine had over 20 System Restore Points
  - We will be discussing the importance of this throughout

Good source for historical copies of the Windows registry. In our case, System Restore Points allowed orderly examination of data over five months old.
Investigation Flow

- Investigate Removable Media
  - Determine which removable media was used, which files were moved, when they moved, and to where
First Steps

- USB history analysis typically requires analyzing two sources:
  - USBSTOR registry information
  - The setupapi.log file
    - Renamed and split under Win7: setupapi.app.log and setupapi.dev.log
Windows Registry

- Can be a forensics goldmine
- Lots of information, fairly difficult to clean
  - Usernames
  - Internet history
  - Program installation information
  - Recently accessed files
  - Devices (USB, et al.)
  - Network configuration
Registry: Windows 9x

- On Windows 95/98: system.dat and user.dat files
- If multiple users, look in \Windows\profiles\<acct> for individual user.dat files
- system.dat: system-wide information

Careful, because on Windows 9x, new user profiles are often based on previously created profiles!
Registry: NT/Win2K/XP

- ntuser.dat
  - List of most recently used files
  - Each user has a separate ntuser.dat file
  - \documents and settings\user
- Initial system settings
  - security
  - software
  - system
** VERY IMPORTANT **

- Select key chooses which control set is current, which is last known good configuration
- SYSTEM file

Copyright 2004-2011 by Golden G. Richard III.

Screenshot slides (registry hive views): SAM file; SYSTEM file; NTUSER.dat file; SOFTWARE file

SOFTWARE file

- Which programs are installed on the machine?
- Which license keys are in use?

What has been plugged in? (SYSTEM file)

- Two Jumpdrive Elite thumbdrives
- 750GB USB hard drives (same type)

Networking info (SYSTEM file)

Disk info (SYSTEM file)
USBSTOR

- The SYSTEM registry hive contains a history of connected USB devices
- Registry files backed up by System Restore Point facility

The only timestamp information available is last written time for the key corresponding to a particular USB device!

Used Regripper [6] USBSTOR plugin to enumerate previously attached USB devices. Then wrote a wrapper script to dump this information into Excel. Now we had information on connected USB devices going back many months.

- Eight USB drives were used during the target time range
  - Six were thumb drives with capacity ranging from 2 to 8GB
  - One USB device was the previously mentioned user's Blackberry smartphone
  - Last was a digital camera

Next step was to determine the extent of use for the six thumb drives
Analyzing setupapi.log

- Text file in c:\Windows (under XP)
- Tracks device installation, service-pack installation, hotfix installation, etc. for the setup application
- Reveals the first time each device was plugged in, as Windows selects appropriate device drivers
  - USBSTOR registry key tells us the last time a device was connected
- We used SetupAPI Extractor [15] to analyze the file rather than simply viewing it as a text file
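The two USB-history sources above (the USBSTOR key for the last connection, setupapi.log for the first) share one identifier: the device instance ID, which carries vendor, product, revision and the device serial number. The following Python is an added example, not code from the talk or from RegRipper or SetupAPI Extractor. It pulls the first-install time of each USB storage device out of XP-style setupapi.log text and splits the instance ID into its parts. The log lines are constructed, and the exact line shapes (`[date time pid Driver Install]` headers and `#I121 Device install of "..." finished successfully.`) are assumed from XP-era logs. The `&` rule is a Windows convention: when the second character of the unique-ID part is `&`, Windows generated the ID because the device reported no serial number, so that value cannot be used to match a drive across machines.

```python
"""Parse XP-style setupapi.log text for the first-install time of each USB
storage device and split the USBSTOR device instance ID (the same ID that
names the subkey under the USBSTOR registry key) into its components.
Added example; the log lines below are constructed."""
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample in the shape of an XP setupapi.log: a header line with
# the install timestamp, the hardware IDs being searched, and the line that
# names the device instance once the install finishes. The Lexar drive is
# installed twice; only the earliest timestamp should be kept.
SAMPLE_LOG = r"""
[2010/03/15 14:22:01 1084.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disklexar___jumpdrive_elite__1100,usbstor\gendisk,gendisk
#I121 Device install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_ELITE&REV_1100\0000000000001234&0" finished successfully.
[2010/03/18 09:05:44 1084.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskwd______my_passport_____1007,usbstor\gendisk,gendisk
#I121 Device install of "USBSTOR\DISK&VEN_WD&PROD_MY_PASSPORT&REV_1007\6&2A0B1C3D&0&0000&0" finished successfully.
[2010/04/02 16:40:12 1084.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disklexar___jumpdrive_elite__1100,usbstor\gendisk,gendisk
#I121 Device install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_ELITE&REV_1100\0000000000001234&0" finished successfully.
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
FINISHED_RE = re.compile(r'^#I121 Device install of "(USBSTOR\\[^"]+)" finished successfully\.')
INSTANCE_RE = re.compile(r"^USBSTOR\\DISK&VEN_([^&]*)&PROD_([^&]*)&REV_([^\\]*)\\(.+)$",
                         re.IGNORECASE)


def split_instance_id(instance_id):
    """Break a USBSTOR disk instance ID into vendor, product, revision and
    serial. A '&' as the second character of the unique-ID part means
    Windows generated it because the device reported no serial number."""
    m = INSTANCE_RE.match(instance_id)
    if not m:
        raise ValueError("not a USBSTOR disk instance ID: %r" % instance_id)
    vendor, product, revision, unique = m.groups()
    return {"vendor": vendor, "product": product, "revision": revision,
            "serial": unique.split("&")[0],
            "windows_generated": len(unique) > 1 and unique[1] == "&"}


def first_install_times(log_text):
    """Return {instance_id: earliest install datetime}, in first-seen order."""
    current = None          # timestamp of the install block being read
    seen = OrderedDict()
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        f = FINISHED_RE.match(line)
        if f and current is not None:
            inst = f.group(1)
            if inst not in seen or current < seen[inst]:
                seen[inst] = current
    return seen


def summarize(log_text):
    """One row per device: split instance ID plus first-seen timestamp."""
    rows = []
    for inst, when in first_install_times(log_text).items():
        row = split_instance_id(inst)
        row["first_seen"] = when.strftime("%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The `first_seen` column pairs naturally with the USBSTOR key's last-written time from the registry (and from each System Restore Point copy of the SYSTEM hive) to bound the period during which a given drive was in use; the `serial` field is what lets the same physical drive be recognised on a second machine, as happened later in this case with the secretary's computer.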
Investigating Gmail

- Two pieces of evidence were discovered from Gmail:
  - A number of file exfiltration instances
  - Evidence of contact between suspect and new employer well before our client suspected
Scalpel Overview

- File carving is typically used to recover deleted files, based on the structure of file types
- Scalpel is a file carver [3], but can also be used as a very efficient indexer for specific search terms
- Latest version is multithreaded and can use GPUs (CUDA) for high performance operation

The audit file created by Scalpel (audit.txt) contains locations of every discovered instance of every search term
Using Scalpel

- We ran Scalpel to find all instances of the new employer's email domain
- We then used the Sleuthkit to quickly map these offsets to files within the filesystem
  - See [2] for an updated method on how to do this

Produced hits in both web cache files and pagefile.sys, the Windows swap file
pagefile.sys Analysis

- Hits in pagefile are on previously viewed Gmail Inbox indices (illustrated on the next slide)
- These indices contain a number of useful artifacts about email messages:
  - Time received
  - Message fragment
  - Sender
  - Attachment names (if any)

The image above is a screenshot of the Inbox view. The default view shows 50 messages. We were able to recover a number of instances of these using Scalpel on the pagefile.
Gmail Attachments

- After discovering attachment names in the fragments, we used this data to discover which files were transferred
- Analysis revealed a number of files were emailed from the user's local Outlook installation to his Gmail account
- Filenames were matched to those in LNK files and MRU lists (discussed later)
History Cache

- Gives a list of sites visited, including when and specific URLs
- Copies of files downloaded from webservers (HTML, javascript, images, etc.)
- MAC times can be used in timeline analysis

Cookies

- Provide additional information about user's interaction with a web site
Flash Cookies

- Flash applications are provided client storage through local shared objects (LSOs)
- Browsers are only recently giving users the ability to delete them
  - Stored outside of the normal cookie/cache storage subsystem
  - Previously had to find LSOs within the filesystem and manually delete
- Private browsing modes DO NOT affect flash cookies!

Analysis leads to information about websites visited, when they were visited, etc.

- A few tools exist for analysis, but none seem completely stable:
  - Minerva - http://blog.coursevector.com/minerva
  - SOLReader - http://www.sephiroth.it/python/solreader.php
Contact Andrew:
Andrew Case
Digital Forensics Solutions, LLC
Recap

- At this point in the investigation we have:
  - Shown that a number of thumb drives were previously attached to the computer under investigation
  - That files were sent to an external Gmail address from a company email address
  - That the target employee had contacted his new employer many months before leaving our client
Updated Workflow

- We now had two goals:
  - Find out which files were accessed by the user
    - Find out which were then transferred onto USB drives
  - Determine the location of the files sent via Gmail
LNK Files

- Link files (.lnk) are Windows shortcut files
  - Similar to symbolic links under Unix
- The metadata contained in these files is very useful during forensics investigations
  - MAC times of target file
  - Full path to target file
  - Whether target is/was local or on the network
  - Network share information
  - Volume serial number (used to match to specific drive)

Screenshot slide: Size of File
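To make the LNK metadata above concrete, here is an added Python example (not code from the talk) that builds a minimal shell link and parses back the fields an exfiltration investigator cares about: the target's MAC times, file size, local path, drive type and volume serial number. The byte layout follows the public MS-SHLLINK description of the ShellLinkHeader and LinkInfo structures; the link itself, its path `E:\Clients\q1_accounts.xls`, the serial `1234-ABCD` and the label `CRUZER` are constructed here. A real shortcut usually also carries a shell item ID list and string data, which this parser skips over or ignores.

```python
"""Build a minimal Windows shell link (.lnk) and parse the target MAC times,
size, local path, drive type and volume serial back out of it. Layout per
the MS-SHLLINK ShellLinkHeader and LinkInfo structures. Added example; the
sample link is constructed, not taken from a real system."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HAS_LINK_TARGET_ID_LIST = 0x1          # LinkFlags bit 0
HAS_LINK_INFO = 0x2                    # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1    # LinkInfoFlags bit 0
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}


def to_filetime(dt):
    """UTC datetime -> 100ns ticks since 1601-01-01 (Windows FILETIME)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def cstring(data, off):
    """NUL-terminated ASCII string at offset."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def build_lnk(target_path, ctime, atime, wtime, size, drive_type, serial, label):
    """Constructed .lnk containing only a ShellLinkHeader and a LinkInfo block."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         to_filetime(ctime), to_filetime(atime), to_filetime(wtime),
                         size, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("ascii") + b"\0"
    # VolumeID: size, DriveType, DriveSerialNumber, VolumeLabelOffset, label
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    local_path = target_path.encode("ascii") + b"\0"
    vol_off = 28                                  # LinkInfoHeaderSize
    lbp_off = vol_off + len(volume_id)            # LocalBasePathOffset
    cps_off = lbp_off + len(local_path)           # CommonPathSuffixOffset
    link_info = struct.pack("<7I", cps_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off)
    return header + link_info + volume_id + local_path + b"\0"


def parse_lnk(data):
    """Return the forensic fields of a shell link as a dict."""
    hsize, clsid, flags, _attrs, ct, at, wt, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hsize != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    out = {"created": from_filetime(ct), "accessed": from_filetime(at),
           "modified": from_filetime(wt), "size": size}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        (_li_size, _li_hdr, li_flags, vol_off, lbp_off,
         _cnrl_off, _cps_off) = struct.unpack_from("<7I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, pos + vol_off)
            out["drive_type"] = DRIVE_TYPES.get(dtype, "unknown")
            out["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            out["volume_label"] = cstring(data, pos + vol_off + label_off)
            out["local_path"] = cstring(data, pos + lbp_off)
    return out


def demo():
    """Constructed link to a spreadsheet on removable volume E: (serial 1234-ABCD)."""
    t = datetime(2010, 3, 15, 14, 20, 3, tzinfo=timezone.utc)
    blob = build_lnk(r"E:\Clients\q1_accounts.xls", t, t + timedelta(minutes=2),
                     t - timedelta(days=40), 40960, 2, 0x1234ABCD, "CRUZER")
    return parse_lnk(blob)


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-14s %s" % (k, v))
```

The volume serial recovered this way is the value to compare against the volume serial of each USB drive (after the drive itself is imaged) to say which specific thumb drive a file was opened from; the drive type separates removable targets from fixed or network ones.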
MRU Lists

Common examples are when you click File in an application's menu and see a list of previously opened documents

- Internet Explorer
  - Recently typed URLs (the URL dropdown)
- Adobe
  - Recently accessed PDF files

An extensive list of over 30 MRU locations and associated applications can be found at [12]
- A number of these files were also duplicates of those found in the LNK files
  - Great for correlation and soundness of findings
File Accesses

- The browser history files also keep records of access to specific files (file:///)
  - Including full path name and MAC time type information
- Analysis of these files on the target machine revealed access to more unauthorized files
  - Beyond what was found through LNK and MRU analysis
Results So Far

- At this point we had a wealth of information:
  - We knew exfiltration occurred over USB devices and Gmail
  - We knew which files were transferred and the time/date of transfer for some of them
  - We knew that contact was made with the future employer and exact details
Data to Correlate

- We had drive letters, filenames, and access times from our evidence sources
- Needed to create a timeline of user activity for each file of interest
  - File Access
  - File Transfer (if any)
  - File Deletion (if deleted)
Correlation Results

- For many files of interest, we could show that, within a 5 minute time period, the file was accessed, exfiltrated, and then deleted
- We could also show which files were simply viewed and then discarded
- Made for compelling (and hard to refute) evidence
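The correlation step described in the two slides above (merge per-file events from every source, then look for access, transfer and deletion inside a short window) is mechanical enough to script. The following Python is an added example, not the wrapper scripts the talk mentions. The events are constructed: an `access` from a LNK, MRU or browser file:/// record, a `transfer` meaning the copy seen on the removable volume (for instance a LNK target on E: whose volume serial matched a USBSTOR entry), and a `delete` from Recycle Bin or filesystem metadata. Files are keyed by basename because that is what survives a copy from C: to E:. The five-minute window is the one stated in the slide.

```python
"""Correlate per-file events from several evidence sources into one timeline
and classify each file: accessed, copied to removable media and deleted
within a five-minute window; transferred outside that window; viewed then
discarded; or only viewed. Added example with constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

WINDOW = timedelta(minutes=5)

# Constructed events: (timestamp, source, action, path).
EVENTS = [
    (datetime(2010, 3, 15, 14, 20, 3), "lnk", "access", r"C:\Docs\Clients\q1_accounts.xls"),
    (datetime(2010, 3, 15, 14, 22, 3), "lnk", "transfer", r"E:\Clients\q1_accounts.xls"),
    (datetime(2010, 3, 15, 14, 24, 10), "recycle_bin", "delete", r"C:\Docs\Clients\q1_accounts.xls"),
    (datetime(2010, 3, 16, 9, 1, 0), "ie_history", "access", r"C:\Docs\memo.doc"),
    (datetime(2010, 3, 16, 9, 2, 30), "recycle_bin", "delete", r"C:\Docs\memo.doc"),
    (datetime(2010, 3, 17, 11, 0, 0), "mru", "access", r"C:\Docs\rates.xls"),
    (datetime(2010, 3, 17, 11, 30, 0), "lnk", "transfer", r"E:\rates.xls"),
    (datetime(2010, 3, 18, 8, 15, 0), "lnk", "access", r"C:\Docs\holiday_schedule.doc"),
]


def build_timelines(events):
    """Group events by lower-cased basename and sort each file's events by time."""
    timelines = defaultdict(list)
    for when, source, action, path in events:
        timelines[ntpath.basename(path).lower()].append((when, source, action, path))
    for name in timelines:
        timelines[name].sort()
    return dict(timelines)


def classify(timeline, window=WINDOW):
    """Classify one file's sorted events.
    'access-transfer-delete' requires an access, then a transfer, then a
    deletion, all no later than `window` after that access."""
    accesses = [e for e in timeline if e[2] == "access"]
    transfers = [e for e in timeline if e[2] == "transfer"]
    deletes = [e for e in timeline if e[2] == "delete"]
    for a in accesses:
        deadline = a[0] + window
        for t in transfers:
            if a[0] <= t[0] <= deadline:
                for d in deletes:
                    if t[0] <= d[0] <= deadline:
                        return "access-transfer-delete"
    if transfers:
        return "transferred"
    if deletes:
        return "viewed-then-discarded"
    return "viewed"


def correlate(events, window=WINDOW):
    """Map each file name to its classification."""
    return {name: classify(tl, window) for name, tl in build_timelines(events).items()}


if __name__ == "__main__":
    for name, verdict in sorted(correlate(EVENTS).items()):
        print("%-24s %s" % (name, verdict))
```

The per-file timeline returned by `build_timelines` is also the natural shape for the report attachments: one sorted table of (time, source, action, path) per file of interest, so every verdict in the findings can be traced back to the artifact it came from.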
Next Steps

- Our last step was to determine if other employees were involved
- We requested a list of first and last names, user logins, and email addresses from IT security for:
  - Close co-workers of the target
  - Other people who recently left the company
Investigation Process

- We took the information given from IT to build a Scalpel configuration file as previously described
- This would (hopefully) find all information related to these other employees
First Clue

- Emails were found between the suspect and his secretary, related to the new company
- We then requested the computer of the secretary
- Analysis of her computer revealed sharing of USB thumb drives
  - Based on USB serial numbers and investigation of USBSTOR in the registries
Report Outline

- Every report should contain at least these sections:
  - Executive Summary
  - Evidence Catalogue
  - Findings Sections
  - Conclusion
  - Attachments
Report - Findings

- Needs to include:
  - Your exact investigation methodology
  - A listing of tool(s) used
  - The relevance of each finding to the case
Report - Conclusion

- The conclusion should be a factual summary of the case
- Again - NO opinions
Report - Attachments

- All processed data from the case, such as the Excel sheets we mentioned, should be included as attachments to the report
  - On digital media (CDs, DVDs, etc.)
  - Or printed, as appropriate

This makes handling the files (printing, searching, etc.) much easier for everyone involved
Conclusions

- Data exfiltration investigation is a labor-intensive process
- Requires a wide range of skills on the part of the investigator
- We only investigated Windows machines during this case, and still needed a number of tools and skillsets