Thursday, September 26, 2013

Daily Blog #95: Webmail artifacts from Sunday Funday 9/15/13

Hello Reader,
         Tomorrow we have a pretty great Forensic Lunch coming together with Harlan Carvey, Zoltan Szabo and us in the lab talking about forensics; you can RSVP here for it. Today we are going to look at what remnants are left behind by the uploading and attachment of files in the Sunday Funday 9/15/13 image. We will finish this how-to series next week with CD burning detection.

If you haven't already done so, you can download the forensic image that we have been working off of.

 This bit of analysis was probably the most surprising to me because of how little I found. I can normally fire IEF at an image and recover the messages viewed and some of the attachments, but in this case our suspect's image was pretty clean, and within it we can't find any direct reference to the attachment of files.

Instead, our best evidence of uploading via Gmail comes from the LastActive Internet Explorer session cache. Located in \users\suspect\appdata\local\microsoft\internet explorer\recovery\last active is a file named {6140DFAE-14EE-11E3-B113-080027F68913}.dat that is not in the index.dat format. This file is a 'Travel Log': an OLE compound file whose streams record which sites were open in each tab so that a crashed session can be restored later.


Contained within these streams is evidence of open tabs showing emails being composed, as well as the name of the Gmail account being accessed:
https://mail.google.com/mail/u/0/?shva=1 [non-printable bytes] #compose\TCompose Mail - ntglty512@gmail.com - Gmail
 The stray character printed in front of each title ('T' here, 'N' in the Inbox string below) matches the title's length in bytes as UTF-16: 0x54 = 84 = 42 characters × 2, and 0x4E = 78 = 39 characters × 2. There are multiple compose tabs recorded, but other than the JavaScript necessary to attach a file there are no artifacts recording a successful attachment.

In this case our suspect composed a new message in Gmail, attached a file and sent it, but never viewed the message he received. What we can see is the unread-message counter in the Inbox window title increasing after the suspect sent himself a message:

https://mail.google.com/mail/u/0/?shva=1 [non-printable bytes] #inbox\NInbox (2) - ntglty512@gmail.com - Gmail
 But there is no proof of what was sent.
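
The following Python script is an added example, not code from the original post or from any published Travel Log specification: it carves UTF-16LE strings out of the raw .dat bytes, pairs each Gmail window title with the URL and the #inbox / #compose fragment that precede it, parses the unread count out of "Inbox (N)" titles, and checks the length byte in front of each title. The layout assumed for the title length (a 16-bit byte count immediately before the title, which gets swept into the string when it happens to be a printable character, hence the "\T" and "\N" above) is inferred from the two strings quoted in this post, and the sample bytes embedded in the script are constructed to mimic them rather than copied from the image.

```python
"""Carve Gmail tab titles from an Internet Explorer Travel Log ({GUID}.dat).

Added example. Scans raw bytes for UTF-16LE strings, pairs every Gmail window
title with the URL and '#...' fragment seen before it, and validates the
length unit that precedes each title. The length-prefix layout is an
assumption inferred from the "\\T" / "\\N" strings in the post, not a spec.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Runs of four or more printable ASCII code points stored as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# "<page> - <address>@gmail.com - Gmail": the title Gmail sets on every tab.
GMAIL_TITLE = re.compile(r"^(?P<page>.+?) - (?P<account>[\w.+-]+@gmail\.com) - Gmail$")
INBOX_PAGE = re.compile(r"^Inbox \((?P<unread>\d+)\)$")


@dataclass
class GmailTab:
    offset: int               # file offset of the title string
    url: Optional[str]        # last URL string seen before the title
    fragment: Optional[str]   # last '#...' string seen before the title
    title: str                # window title with its length prefix removed
    account: str              # Gmail address from the title
    unread: Optional[int]     # parsed from "Inbox (N)" titles only
    length_prefix_ok: bool    # a UTF-16 byte length precedes the title


def _title_and_prefix(data: bytes, offset: int, text: str):
    """Split the assumed length prefix off a title run.

    0x54 ('T') precedes the 84-byte "Compose Mail ..." title and 0x4E ('N')
    the 78-byte "Inbox (2) ..." title in the post. When that unit is printable
    it is swept into the string run; otherwise it sits just before the run."""
    if len(text) > 1 and ord(text[0]) == 2 * (len(text) - 1):
        return text[1:], True
    if offset >= 2 and int.from_bytes(data[offset - 2:offset], "little") == 2 * len(text):
        return text, True
    return text, False


def carve_gmail_tabs(data: bytes) -> List[GmailTab]:
    """Return every Gmail tab title found in data, in file order."""
    tabs: List[GmailTab] = []
    last_url = last_fragment = None
    for m in UTF16_RUN.finditer(data):
        text = m.group().decode("utf-16le")
        offset = m.start()
        if text.startswith(("http://", "https://")):
            last_url = text
            continue
        if text.startswith("#"):
            # URL fragment, possibly glued to the title that follows it.
            fragment, _, rest = text.partition("\\")
            last_fragment = fragment
            if not rest:
                continue
            offset += 2 * (len(fragment) + 1)
            text = rest
        title, prefix_ok = _title_and_prefix(data, offset, text)
        tm = GMAIL_TITLE.match(title)
        if not tm:
            continue  # not a Gmail window title (e.g. a search engine tab)
        im = INBOX_PAGE.match(tm.group("page"))
        tabs.append(GmailTab(offset, last_url, last_fragment, title, tm.group("account"),
                             int(im.group("unread")) if im else None, prefix_ok))
    return tabs


def inbox_counts(tabs: List[GmailTab]) -> List[int]:
    """Unread counters in file order; a rising count follows a sent message."""
    return [t.unread for t in tabs if t.unread is not None]


# ---- constructed sample, mimicking the strings quoted in the post ----------
GMAIL = "https://mail.google.com/mail/u/0/?shva=1"


def _record(url: str, fragment: str, title: str) -> bytes:
    """URL, some non-text bytes, fragment, '\\', 16-bit byte length, title."""
    length = (2 * len(title)).to_bytes(2, "little")
    return (url.encode("utf-16le") + b"\xff\xfe\x00\x00"
            + (fragment + "\\").encode("utf-16le") + length
            + title.encode("utf-16le") + b"\x00\x00")


SAMPLE_TRAVELLOG = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound-file magic (constructed)
    + _record(GMAIL, "#inbox", "Inbox (1) - ntglty512@gmail.com - Gmail")
    + _record("https://www.google.com/", "", "Google")   # non-Gmail tab, ignored
    + _record(GMAIL, "#compose", "Compose Mail - ntglty512@gmail.com - Gmail")
    + _record(GMAIL, "#inbox", "Inbox (2) - ntglty512@gmail.com - Gmail")
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TRAVELLOG
    for tab in carve_gmail_tabs(blob):
        print(f"{tab.offset:#010x} {tab.fragment or '':<9} {tab.title}  prefix_ok={tab.length_prefix_ok}")
    print("unread counters in file order:", inbox_counts(carve_gmail_tabs(blob)))
```

Run it with the path to the {GUID}.dat file as the only argument; with no argument it parses the embedded constructed sample. Because it carves strings rather than walking the compound-file directory, it also works on a pagefile or unallocated space where fragments of the same streams may have landed.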

We will be experimenting in the lab to determine what conditions cause the inbox and attachment confirmations to be paged out to the pagefile, as well as which images are requested when an attachment is uploaded, in the hope of firming up this analysis. Until then, those are the facts as we see them!

Did you find something else? Let me know in the comments and let's all learn from each other!