Tuesday, October 1, 2013

Daily Blog #100: What was burned to CD from Sunday Funday 9/15/13

Hello Reader,
             Another week and now its time to close out this series on how to solve the 9/15/13 Sunday Funday challenge. Also this is my 100th Daily Blog post! Woo! Only 252 to go! Oh man I should not have typed that out, one blog at a time dave ... one blog at a time. If you haven't already you can download the image this solution is based on here.

So we put a couple different kinds of data ex-filtration as a test to see how many you would actually look for or if you would just find one and declare yourself the winner. I've had many cases where at different times my suspect has copied different types of data to different sources, sometimes up to 4 different sources from the following common list:
  • Webmail (gmail/yahoo)
  • Corporate Mail
  • External Drive (usb/esata/firewire)
  • Cloud Storage (Skydrive/Google drive)
  • Cloud Syncing (dropbox/box)
  • Cloud Backup (Meebo/Carbonite)
  • CD Burning
So as I close out this solution series remember to always be thorough you never should think your suspect had a simple executed plan with only one exit.

On to CD Burning detection.

Easiest way to do this:

Step 1, extract out the TriForce artifacts ($logfile, $mft, $usnjrnl::$j)
Step 2.  Parse them in the ANJP Parser (You have signed up for the beta right?)
Step 3. Look up the MFT record number of the burn directories in the $MFT, I do this within the sqlite DB created by ANJP like the following:

In this screenshot I'm highlighting the record number of the directory where desktop.ini exists which is \users\suspect\appdata\local\microsoft\burn\burn

Step 4. take that record number and search the $logfile for deleted files from it, the deleted hard links originally created from the burn process will be revealed as shown below:

And there you go, Acme.zip was burned to a CDROM.

We can validate this by following the steps in the following white paper from our lab that details what temporary files get created from a successful burn.

That's it! You could have also looked for deleted entries within the $I30 for the burn directory but in an actual case I would look to the $logfile and $usnjrnl to make sure you get the totality of files burned.