Windows Forensics - Exercises
Windows Forensics - Exercises
Windows Forensics
– Exercises
Attention
Big endian or little endian?
UTC or a different time zone? Which?
» Windows NT stores everything as GMT (according to its own time zone
as configured)
Difference of system time to actual time
With the help of the still existing Thumbs.db files, it can still
be shown that the illegal contents have been viewed
With special tools it is possible to extract the thumbnail
images from the Thumbs.db file
Now search through every single system user and identify any
Thumbs.db files
You can restrict yourself to the files found in C:\Documents and
Settings\<username>\My Documents\My Pictures for
each user
Extract each Thumbs.db in the same fashion as described before
vinetto –o thumbs_extracted –H Thumbs.db
» You must be within the folder where the Thumbs.db file is and the
direcotry thumbs_extracted needs to be created before
Now, the tool md5deep allows you to create hashes of these just
extracted images and compare them on the fly to a file of existing
hashes (which are of course the hashes of the illegal image thumbs)
md5deep –m
/cygdrive/c/forensics/classified_images/
thumbs_extracted/hashes.txt –r .thumbs
The output of the md5deep hash comparison is a list of files for which
the hash values match
Note down the users and the images that matched the search
Which users were found to have viewed which illegal images?
Result
TimeGenerated EventID Message
------------------- ------- ----------------------------------------------------
---------------------------------------------------
2011-11-14 11:55:25 1006 Starting logon task.
2011-11-14 11:55:25 1002 Starting interactive setup.
2011-11-14 11:55:25 1004 Starting user task.
2011-11-14 11:55:27 1005 User task exiting. result code = 0x800704c7, message
= The operation was canceled by the user.
2011-11-14 11:55:27 1003 Interactive setup exiting. result code = 0x800704c7,
message = The operation was canceled by the user.
2011-11-14 11:55:27 1007 Logon task exiting. result code = 0x800704c7, messag
e = The operation was canceled by the user.
Statistics:
-----------
Elements processed: 135
Elements output: 6
Execution time: 0.07 seconds
Finally, what we need to know to analyze the logon / logoff events of the
users, are the respective event IDs
(Event type IDs are Windows version specific and considerably changed between XP and Vista. For more information see e.g.:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx)
With the help of the prefetch file, it should now be possible to identify
Was the application in question run recently?
If so, which user’s login times fit the time determined from the prefetch file
best? This is then our suspect user!
The following MAC times contained in a prefetch file are interesting
Dates of file itself
» Created
– When was the application first run?
» Modified
– When was the application run the last time?
» Accessed
Inside the prefetch file there is a “last run” timestamp
(Filetime format)
» When was the application run the last time?
Runs
» How often has the application been called (7-bit)
We use the graphical tool “Windows File Analyzer” to analyze the prefetch files
tored in C:\WINDOWS\Prefetch
C:\forensics\tools\WFA\WFA.exe
» Attention: The timestamps of the file (created, modified, accessed) are given in
UTC and the last run timestamp inside the file is given in local time (UTC+1)!
Now, with the knowledge about the Windows event logs and
the prefetch files, try to identify the user(s) who are likely to
have used the application putty.exe
First, identify when putty.exe was used by analysing the
Windows prefetch files. From the prefetch files we do at least
know when the application was first run and when the
application was last run
The Message column for the events with the IDs 528, 538
and 551 contain a very helpful value “Logon ID”
Logon ID is a number (specified as hex value) that
associates a logon with the respective logoff
» Both share the same logon ID (e.g. “Logon ID: (0x0,0x1D6417)”)
With the knowledge of this logon ID, it is possible to track
down one specific logon session
Search for logon events that occurred before the given
timestamp
Search for logoff events that occurred after the given
timestamp
Associate logons to logoffs with the unique logon ID, where
the logon occurred before the timestamp and the logoff
occurred afterwards
Especially the Message column can be a very rich source of information, by searching through with wildcards (like
queries)
E.g. every logon is associated with a numeric logon-ID which connects both a logon and a logoff and can be queried by like
Statistics:
-----------
Elements processed: 1715
Elements output: 3
Execution time: 0.23 seconds
Find the user(s) who have been logged in while the dongle was plugged in
In Cygwin: /cygdrive/c/forensics/tools $ python
who_was_logged_in.py ‘yyy-mm-dd hh:mm:ss‘
Identify connection data of the dongle (e.g. SSID, IP-Address, …) and map the
dongle to the one listed by usbdeview
When accessing a WLAN, its SSID is stored:
HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces
» Subkeys look like GUIDs with values for "ActiveSettings", "Static#000?", …
» The values for "#Static000?" contain the SSIDs at offset 0x14
Note down the GUIDs of the interfaces and search for a link between these GUIDs
and the USB device in question (intentified by InstanceID from USBDeview)
» Search in the registry for the “InstanceID” of the USB dongle and match the given GUID
IP address information for this connection (last only):
HKLM\System\ControlSet00?\Services\Tcpip\Parameters\Interfaces
» Look for the same "GUID" key as of the WLAN!
» Dhcp*: Data on DHCP server, assigned address, netmask, default gateway, domain,
nameservers, …
» LeaseObtainedTime/-TerminatesTime: Unix 23 Bit Timestamp
– When the Address was received and what is the definite last time it could have been used (but not:
was used!)
» See: “What are Control Sets”?
– http://support.microsoft.com/kb/100010
We now know
Who used the dongle
When it was used
Basic connection settings, like e.g. the SSID used
What is of interest next is what the user did with the Internet
connection
In case of this Internet connection, a good starting point is to
investigate artifacts left from web browser usage
Every browser has its own way of storing files
» In our scenario we restrict ourselves to the Internet Explorer
» In practice the browser(s) actually used would have to be
identified and then all of them investigated
Michael Sonntag, Christian Praher Windows Forensics 31
Case Study III: WLAN
The Internet Explorer browser stores the 25 most recently manually typed URLs
in the registry
HKCU\Software\Microsoft\InternetExplorer\TypedURLs
We cannot examine this key directly in the regedit.exe tool, because only the
values (=hive) of the currently logged in user is linked in (see next slide)
We need to use a third party tool to analyse this user’s hive “offline”
A powerful open source Perl tool to analyse registry hives offline is “RegRipper”
Extendable framework for adding registry-based forensic analysis as Perl scripts
List available plugins:
» C:\forensics\tools\carvey_tools>rip.exe –l
Run certain analysis against one particular hive
» C:\forensics\tools\carvey_tools>rip.exe –r
“Path\To\Registry\Hive” –p “name of plugin”
Get typed URLs
» rip.exe -r "C:\Documents and
Settings\<username>\NTUSER.DAT" -p typedurls
File locations:
HKLM\SAM %SYSTEMROOT%\System32\config\SAM
HKLM\Security %SYSTEMROOT%\System32\config\SECURITY
HKLM\Software %SYSTEMROOT%\System32\config\software
HKLM\System %SYSTEMROOT%\System32\config\system
HKLM\Hardware Stored in memory only – non on disk!
HKU\.Default %SYSTEMROOT%\System32\config\default
HKU\SID %USERPROFILE%\NTUSER.DAT
HKU\SID_Classes %USERPROFILE%\Local Settings\
Application Data\Microsoft\Windows\UsrClass.dat
With the typed URLs we now know what the user actively
typed into the progress bar of the browser, but we do not
know exactly when this happened
We only know the time the most recent entry was written,
through the write time of the registry key
History
The list of URLs visited (at which time, …)
Provides general information on time and location of activity
» URL's may also contain information: GET requests
– Example: Google searches
Cookies
Which websites were visited when + additional information
May allow determining whether the user was logged in
Can survive much longer than the history
» Depends on the expiry date of the Cookie and the configuration
Cache
The content of the pages visited
» Incomplete: E.g. ad's will rarely be cached (No-cache headers)
Provides the full content of what was seen, e.g. Webmail
» More exactly: What was delivered by the server
Michael Sonntag, Christian Praher Windows Forensics 36
Case Study III: WLAN –
Web-browsing history
Did the user visit the webpage intentionally?
In general: If it's in the cache/history/cookie file: Yes
See also: Bookmarks!
BUT:
What about e.g. pop-ups?
» E.g.: Pornography advertisements!
URL records
Last modified time: When the information was modified on
the web server
» Filetime format; All zero if unknown
Last access time: When the URL was visited
» Filetime format!
URL offset
» URL itself is Null-terminated; no Unicode – ASCII only!
Filename offset
» The name in the cache directory
Cache directory index
» In which cache directory the file is stored (index; 0 = first dir)
HTTP header offset
» The response headers only; not always present
Hit count: How often visited
Michael Sonntag, Christian Praher Windows Forensics 40
Case Study III: WLAN – Internet Explorer:
index.dat structure (3)
REDR records
Flags: Exact meaning unknown
URL offset
» Null-terminated
LEAK records
Structure similar to URL record; purpose unknown
» See above: file couldn't be deleted (open in browser/editor)
Not all records are necessarily present in the hash table
When deleted, sometimes a record remains and only the
hash entry is removed
» "Delete history" Mark as deleted in hashtable
As all records are block-sized (see before), "undelete" is
possible without too many problems!
– A kind of file system within a file !
» Especially as each record starts with the type, and destroyed
records are filled with well-known values (0x0BADF00D)
Michael Sonntag, Christian Praher Windows Forensics 41
Case Study III: WLAN – Pasco
Filename: 302-3061595-9808016[2].htm
Directory: BRNONATM
HTTP headers:
HTTP/1.1 200 OK
Content-Length: 120986
Content-Type: text/html
Other data:
Record length: 3 (=3*128 = 384 bytes = 0x180)
» From 0x035800 to 0x35980
Michael Sonntag, Christian Praher Windows Forensics 43
Case Study IV: Timeline Forensics
Prefetch data
C:\forensics\tools\carvey_tools>pref.exe -d
"C:\WINDOWS\Prefetch" -s localhost -t >>
..\..\tln\tln_raw.txt
C:\forensics\tools\carvey_tools>rip.exe -r
"C:\Documents and Settings\Brian\NTUSER.DAT" -u Brian -
s localhost -p userassist_tln >> ..\..\tln\tln_raw.txt
C:\forensics\tools\carvey_tools>rip.exe -r
"C:\Documents and Settings\Charly\NTUSER.DAT" -u Charly
-s localhost -p userassist_tln >> ..\..\tln\tln_raw.txt
C:\forensics\tools\carvey_tools>rip.exe -r
"C:\Documents and Settings\Doris\NTUSER.DAT" -u Doris -
s localhost -p userassist_tln >> ..\..\tln\tln_raw.txt
C:\forensics\tools\carvey_tools>rip.exe -r
"C:\Documents and Settings\Edgar\NTUSER.DAT" -u Edgar -
s localhost -p userassist_tln >> ..\..\tln\tln_raw.txt