Thursday, October 18, 2018

Daily Blog #511: Forensic Lunch Test Kitchen 10/18/18

Hello Reader,
             Back to the test kitchen tonight! While tonight's broadcast was a little later than normal (I showed the kids the new episode of the new Doctor Who season), we did get some good testing done. Tonight we tested my theory of what is recoverable from an external drive formatted NTFS with regard to ObjectIDs. The theory is that we can use the existence of ObjectIDs to show that files were interacted with after being copied, which is important since access dates are no longer updated when a file is opened on an NTFS drive, as of Windows Vista.

Tonight we learned:

  • ObjectID attributes are set on files accessed from external fixed disks
  • The /$Extend/$ObjID:$O Index root is created when a drive is formatted
  • The $ObjID:$O Index allocations are not populated on the external drive when objects are created within the file system
  • The $logfile creates a record storing the ObjectID that was set, at the time it was set or changed
  • The $UsnJrnl:$J contains a timestamped record showing when ObjectIDs were set, allowing an examiner to timeline when the actions took place
  • With the $logfile records you can determine which MAC address opened the files, when the ObjectID was set and when the file was deleted
  • With the $UsnJrnl records you can determine when the ObjectID was set and when/if the file was deleted
You can watch the video here:

Wednesday, October 17, 2018

Daily Blog #510: Office 2016 Backstage Artifacts

Hello Reader,
         New versions of software often bring new artifacts and Office 2016 is no exception. We were working an investigation when we found directory paths that no longer exist on the disk under a directory called:

 '\Users\\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\'

Underneath that directory you will find a series of directories, one for each storage location the user could save files to, for example:

  • My Computer
  • OneDrive Personal
  • OneDrive Business
  • SharePoint


This will match up to the view you see when you open a file in Microsoft Office from the 'Backstage' view. Backstage is Microsoft's term for the interface where you can load recently accessed documents, shown after launching a Microsoft Office program and before picking a document. Here is an example from my system:



In the above screenshot I started Microsoft Word, selected 'Open other locations' from the bottom and then clicked 'This PC'. It defaulted to my Documents directory and then I switched over to a newly mounted VHD drive.

On entering the directory from this interface, a file was created in the BackstageInAppNavCache\My Computer directory for the D drive. It contained the full path, file name and modification date in Windows FILETIME format for every directory and file on my D drive, separated into a folders section and a files section.

Here is the folder view:

The last element is the FILETIME timestamp in decimal format; converting it to hex and putting it into DCode shows the following:

In addition there is a section for files as seen below:

What was interesting to me about the file section is that the GUI only shows me the Word file, but the cache file shows all files in this directory.
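As an added example (not code from the post), here is how the decimal FILETIME at the end of each cache record converts to a UTC timestamp, and to the two hex spellings a decoder such as DCode accepts. The record layout is an assumption: the post says the FILETIME is the last element of each line but does not show the raw file, so the sample lines below are constructed with tab-separated fields and are not taken from a real BackstageInAppNavCache file.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a decimal Windows FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_hex_forms(ft: int) -> dict:
    """The plain 64-bit hex value, plus the little-endian byte order the
    value has on disk; DCode can take either form."""
    return {
        "big_endian": f"{ft:016X}",
        "little_endian": ft.to_bytes(8, "little").hex().upper(),
    }


def parse_cache_record(line: str, sep: str = "\t") -> dict:
    """Parse one cache record.  Assumed layout (hypothetical, not documented
    by Microsoft): path fields first, decimal FILETIME as the last element."""
    fields = line.rstrip("\r\n").split(sep)
    if len(fields) < 2 or not fields[-1].isdigit():
        raise ValueError(f"no trailing FILETIME in record: {line!r}")
    ft = int(fields[-1])
    return {
        "fields": fields[:-1],
        "filetime": ft,
        "modified": filetime_to_datetime(ft),
        **filetime_hex_forms(ft),
    }


def parse_cache(lines) -> list:
    """Parse every record of a cache file given as an iterable of lines."""
    return [parse_cache_record(line) for line in lines]


# Constructed sample records in the assumed layout (directory, name, FILETIME).
SAMPLE_RECORDS = [
    "D:\\Cases\\2018\tBlankContract.docx\t131842080000000000",   # 2018-10-17 00:00:00 UTC
    "D:\\Cases\\2018\tnotes.txt\t131842116000000000",            # one hour later
]

if __name__ == "__main__":
    for rec in parse_cache(SAMPLE_RECORDS):
        print(rec["fields"], rec["modified"].isoformat(), rec["big_endian"], rec["little_endian"])
```

If the newer JSON variant of the cache is in use, read the FILETIME out of the parsed JSON instead of splitting lines; the conversion functions are the same.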

On my system this directory goes back a couple of years' worth of what was in every directory I've viewed through this Open interface.

One difference between my machines, though, is that one has these as text files, while the other, after the most recent Office update, is creating them as JSON files.

Go check yours and let me know what you find!

Tuesday, October 16, 2018

Daily Blog #509: ObjectIDs and Domains

Hello Reader,
             Well, YouTube was down for a while tonight and at this point I'll need to get to bed before I could finish a test kitchen broadcast (if it would even work tonight!). So instead I decided to follow up on a question by Dr. Joe Sylve, who asked in last night's Test Kitchen if domains are present in ObjectIDs when the computer is attached to a domain. To test this I went onto one of my domain-connected computers and checked the ObjectID attributes of a file I've opened many times, our blank contract.



As you can see, the DomainID is still all zeros, meaning that this field is not currently being used, but you never know what the future will hold!
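As an added example (not code from the post or from any tool mentioned in it), this parser splits the value of a file's $OBJECT_ID attribute into its four GUIDs and pulls out what the #511 findings rely on: the creation timestamp and MAC address embedded in the version-1 ObjectID GUID, and whether the BirthDomainId is still all zeros as observed above. The attribute bytes are constructed with the `make_v1_guid` helper (a hypothetical builder for sample data, not real evidence); the 16/64-byte attribute layout and the mixed-endian GUID encoding are standard NTFS.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 GUID timestamps count 100 ns ticks from the Gregorian epoch.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
GUID_NAMES = ("ObjectId", "BirthVolumeId", "BirthObjectId", "BirthDomainId")


def parse_object_id_attribute(value: bytes) -> dict:
    """Split the value of a $OBJECT_ID attribute (type 0x40) into its GUIDs.

    The value is 16 bytes (ObjectId only) or 64 bytes (ObjectId followed by
    BirthVolumeId, BirthObjectId and BirthDomainId).  Windows stores GUIDs in
    mixed-endian form, which uuid.UUID(bytes_le=...) decodes correctly.
    """
    if len(value) not in (16, 64):
        raise ValueError(f"unexpected $OBJECT_ID length {len(value)}")
    return {
        name: uuid.UUID(bytes_le=bytes(value[i * 16:(i + 1) * 16]))
        for i, name in enumerate(GUID_NAMES[: len(value) // 16])
    }


def describe_object_id(attr: dict) -> dict:
    """Derive examiner-facing facts from the parsed attribute."""
    oid = attr["ObjectId"]
    info = {"object_id": str(oid), "created": None, "mac": None}
    # ObjectIds are version-1 GUIDs: 60-bit timestamp plus 48-bit node (the NIC MAC).
    if oid.version == 1:
        info["created"] = UUID_EPOCH + timedelta(microseconds=oid.time // 10)
        info["mac"] = ":".join(f"{b:02x}" for b in oid.node.to_bytes(6, "big"))
    if "BirthDomainId" in attr:
        # The domain field has not been populated by any Windows version seen so far.
        info["domain_unused"] = attr["BirthDomainId"].int == 0
        # A file still on the volume it was created on keeps ObjectId == BirthObjectId.
        info["born_here"] = attr["BirthObjectId"] == oid
    return info


def make_v1_guid(when: datetime, mac: str, clock_seq: int = 0x1234) -> uuid.UUID:
    """Hypothetical helper: build a version-1 GUID for constructed sample data."""
    ticks = int((when - UUID_EPOCH).total_seconds()) * 10_000_000
    fields = (
        ticks & 0xFFFFFFFF,                     # time_low
        (ticks >> 32) & 0xFFFF,                 # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),   # time_hi_and_version (version 1)
        ((clock_seq >> 8) & 0x3F) | 0x80,       # clock_seq_hi_and_reserved (RFC 4122 variant)
        clock_seq & 0xFF,                       # clock_seq_low
        int(mac.replace(":", ""), 16),          # node
    )
    return uuid.UUID(fields=fields)


# Constructed sample: a file opened on 2018-10-17 00:00:00 UTC from a host whose
# NIC is 00:11:22:33:44:55, still on its birth volume, domain field unset.
SAMPLE_OBJECT_ID = make_v1_guid(datetime(2018, 10, 17, tzinfo=timezone.utc), "00:11:22:33:44:55")
SAMPLE_VOLUME_ID = uuid.UUID("a1a1a1a1-b2b2-4c3c-8d4d-e5e5e5e5e5e5")   # constructed volume GUID
SAMPLE_ATTRIBUTE = (SAMPLE_OBJECT_ID.bytes_le + SAMPLE_VOLUME_ID.bytes_le
                    + SAMPLE_OBJECT_ID.bytes_le + bytes(16))


def analyze(value: bytes) -> dict:
    """Parse and describe a raw $OBJECT_ID attribute value."""
    return describe_object_id(parse_object_id_attribute(value))


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_ATTRIBUTE).items():
        print(f"{key:>14}: {val}")
```

The same decoding applies to the ObjectId key in each $ObjId:$O index entry and to the ObjectID values recorded in $LogFile and $UsnJrnl:$J, which is what lets those records be tied to a host and a time.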

Monday, October 15, 2018

Daily Blog #508: Forensic Lunch Test Kitchen 10/15/18

Hello Reader,
          Tonight Matt Seyer virtually joined me for another test kitchen! We decided to examine the ObjectID index to determine what is really happening when a file is deleted and its ObjectID index entry is deleted. Matt presented his theory, Dr. Sylve contributed what he knew and the rest was solved with testing, TSK utilities, and Python scripts.

Here is what we learned:

  • The ObjectID Index is a B-tree with pages of entries of ObjectIDs
  • The last ObjectID in a page is the one most likely to survive in the slack space if it is deleted
  • ObjectIDs anywhere else in the page have a high chance of being overwritten when the B-tree is balanced, unless they were preserved by a previous page swap
  • istat won't give you the full path to a file, but you can get there if you are persistent
  • The $logfile contains every changed page until it is overwritten
We also have some new theories regarding USN and $Logfile interaction with the ObjectID Index, which we should be testing tomorrow night!

You can watch the video here:

Sunday, October 14, 2018

Daily Blog #507: Sunday Funday 10/14/18

Hello Reader,
        The weeks have gone by quickly with nightly testing videos and weekly challenges. The schedule typically works well for me, as on weekend nights I have less time to do testing because I'm spending more time with my family. Let's see how you'll be spending your week with this week's challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 10/19/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
What artifacts of execution exist on Windows Server 2008+ that do not exist on Windows 7+? In other words, name any forensic artifacts that would show a program executed on a Windows Server OS that you wouldn't find on a Windows desktop OS!

Saturday, October 13, 2018

Daily Blog #506: Solution Saturday 10/13/18

Hello Reader,
          This week there were no qualifying submissions. As a reminder, this was the challenge:

The Challenge:
The TypedPaths key as we have seen recreates the key each time File Explorer exits. What other artifacts could we use to replace the data that we would have found there?

I'll have to address the answer in a future blog post; until then, stay tuned for next week's challenge.

Friday, October 12, 2018

Daily Blog #505: Forensic Lunch Test Kitchen 10/12/18

Hello Reader,
            A shorter test kitchen tonight, mainly because the answer came much quicker than I expected but only in part. Tonight we deleted files from the command line and the GUI to see what effect deleting them would have on the ObjectID Index found at /$Extend/$ObjID:$O. I used the updated $O parser from Matt Seyer found here: https://github.com/forensicmatt/WinObjectIdParser

Here is what we learned:

  • Deleting a file from the command line causes the ObjectID Index to delete the file entry
  • Deleting a file from the GUI causes the ObjectID Index to delete the file entry
  • The deletion appears too clean and too quick, leading me to suspect that there is more going on here
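As an added example (not code from the post, and not Matt Seyer's WinObjectIdParser), this script illustrates both the #505 observation above that a deleted file's entry vanishes from the $ObjId:$O index and the #508 finding that the entry's bytes survive in page slack. It builds a constructed 4 KiB $O INDX page holding two live entries plus the remnant of a deleted third entry, walks the live entries from the INDEX_HEADER, then re-reads the former entry slots between index_length and allocated_size. The entry layout (16-byte INDEX_ENTRY header, 16-byte ObjectId key, 56 bytes of data: MFT reference and three birth GUIDs) is standard NTFS; the sample GUIDs and MFT numbers are constructed, and the page is assumed to have its update-sequence fixups already applied (usa_count is 0 here), so apply them first on a raw page from disk.

```python
import struct
import uuid

INDEX_HEADER_OFS = 0x18   # INDEX_HEADER follows the 24-byte INDX record header
ENTRY_LEN = 0x58          # 16-byte entry header + 16-byte ObjectId key + 56-byte data
DATA_LEN = 0x38
END_ENTRY = struct.pack("<HHIHHHH", 0, 0, 0, 0x10, 0, 0x02, 0)   # flags 0x02: last entry marker


def pack_entry(object_id, mft_ref, birth_vol, birth_obj, birth_dom=uuid.UUID(int=0)) -> bytes:
    """Build one $O INDEX_ENTRY: header, key (ObjectId), data (MFT ref + birth GUIDs)."""
    header = struct.pack("<HHIHHHH", 0x20, DATA_LEN, 0, ENTRY_LEN, 0x10, 0, 0)
    data = struct.pack("<Q", mft_ref) + birth_vol.bytes_le + birth_obj.bytes_le + birth_dom.bytes_le
    return header + object_id.bytes_le + data


def decode_slot(page: bytes, pos: int) -> dict:
    """Read the key and data of an entry-shaped region at pos.  The 16-byte entry
    header is deliberately ignored: once an entry is stale, the end marker sits there."""
    ref = struct.unpack_from("<Q", page, pos + 0x20)[0]
    return {
        "object_id": uuid.UUID(bytes_le=bytes(page[pos + 0x10:pos + 0x20])),
        "record": ref & 0xFFFFFFFFFFFF,          # MFT record number (low 48 bits)
        "seq": ref >> 48,                        # MFT sequence number (high 16 bits)
        "birth_volume": uuid.UUID(bytes_le=bytes(page[pos + 0x28:pos + 0x38])),
        "birth_object": uuid.UUID(bytes_le=bytes(page[pos + 0x38:pos + 0x48])),
    }


def parse_live(page: bytes):
    """Walk the in-use entries; returns (entries, first_slot, used_end, alloc_end)."""
    entries_ofs, index_len, alloc_size = struct.unpack_from("<III", page, INDEX_HEADER_OFS)
    first = INDEX_HEADER_OFS + entries_ofs
    used_end = INDEX_HEADER_OFS + index_len
    alloc_end = INDEX_HEADER_OFS + alloc_size
    live, pos = [], first
    while pos + 16 <= used_end:
        length, _key_len, flags = struct.unpack_from("<HHH", page, pos + 8)
        if flags & 0x02 or length == 0:
            break
        live.append(decode_slot(page, pos))
        pos += length
    return live, first, used_end, alloc_end


def carve_slack(page: bytes) -> list:
    """Re-read the former entry slots past index_length.  After a deletion the
    survivors shift down and the end marker overwrites the stale entry's header,
    but its key and data remain until the B-tree rewrites the page."""
    live, first, _used_end, alloc_end = parse_live(page)
    found, slot = [], first + len(live) * ENTRY_LEN
    while slot + ENTRY_LEN <= alloc_end:
        cand = decode_slot(page, slot)
        oid = cand["object_id"]
        if oid.int and oid.version == 1 and cand["seq"]:   # Windows ObjectIds are version 1
            found.append(cand)
        slot += ENTRY_LEN
    return found


def build_page(live_entries, stale_entry, size=4096) -> bytes:
    """Constructed $O INDX page (fixups assumed applied, usa_count = 0)."""
    entries_ofs = 0x28
    body = b"".join(live_entries) + END_ENTRY
    page = bytearray(size)
    page[0:0x18] = b"INDX" + struct.pack("<HHQQ", 0x28, 0, 0, 0)      # magic, usa ofs/count, LSN, VCN
    page[INDEX_HEADER_OFS:INDEX_HEADER_OFS + 16] = struct.pack(
        "<IIIB3x", entries_ofs, entries_ofs + len(body), size - INDEX_HEADER_OFS, 0)
    first = INDEX_HEADER_OFS + entries_ofs
    page[first:first + len(body)] = body
    stale_slot = first + len(live_entries) * ENTRY_LEN     # where the deleted entry used to sit
    page[stale_slot + 0x10:stale_slot + ENTRY_LEN] = stale_entry[0x10:]
    return bytes(page)


VOL = uuid.UUID("a1a1a1a1-b2b2-4c3c-8d4d-e5e5e5e5e5e5")     # constructed volume GUID
OID_A = uuid.UUID("10000001-0001-11e8-8001-001122334455")   # constructed version-1 ObjectIds
OID_B = uuid.UUID("10000002-0002-11e8-8001-001122334455")
OID_C = uuid.UUID("10000003-0003-11e8-8001-001122334455")   # belonged to the deleted file

SAMPLE_PAGE = build_page(
    [pack_entry(OID_A, (1 << 48) | 40, VOL, OID_A), pack_entry(OID_B, (3 << 48) | 41, VOL, OID_B)],
    pack_entry(OID_C, (2 << 48) | 42, VOL, OID_C),
)

if __name__ == "__main__":
    live, *_ = parse_live(SAMPLE_PAGE)
    print("live:", [(str(e["object_id"]), e["record"]) for e in live])
    print("slack:", [(str(e["object_id"]), e["record"]) for e in carve_slack(SAMPLE_PAGE)])
```

The slot walk only finds remnants that kept their alignment; after a page split or rebalance the stale bytes can land anywhere, which is why the #508 session found entries elsewhere in a page less likely to survive.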
On Monday I expect to resume this line of questioning with a hex editor (likely 010) and some offset tracking as we look to solve the mystery of the deleted ObjectID records. 

You can watch the video here: