Tuesday, October 8, 2013

Daily Blog #106: Sunday Funday 10/6/13 Winner!

Hello Reader,
         Another Sunday Funday is done and this week Andy Dove emerges victorious! This on its face was a simple contest but with a couple twists.

1. We used IE10 in the browsing which changed how the internet history is recorded from index.dat files to the new ESE DB format. This meant that most forensic suites wouldn't properly decode the traffic as they don't support IE10 yet.
2. I asked you to determine the length of time someone was on a website, this is a trick question. Nothing keeps track of amount time someone is active on a website. You can only tell how often they visited the site and on which days which can you lead you to approximate total time based on the time between visits to a single site in a day.
3. We put some facebook chat in here as the non work chat

The Challenge:
This scenario should remind you of one of your most early cases. HR has come to you and identified an employee who does not seem to spend much time working. They want to know the following to determine if the employee should be disciplined or fired:
1. What non work site have they visited
2. How many times per day do they visit these non work sites
3. Can you determine how long they were spending on non work sites
4. Was there communication to other employees over non work sites

The Winning Answer:
 Andy Dove

A good challenge this weekend David,  I haven't seen many cases running IE10 before.  Particularly on a Windows 8.0 Machine.  Normally I run most of my cases through IEF but as I was running this one at home I was limited to FOSS tools. 
The main tools I have used for this particular challenge are Autopsy, EseDbViewer from Nirsoft.
After opening the image in Autopsy I checked the registry and program files to see which browser(s) had been used. This showed me that no browsers other than IE appeared to be live on the system.  I also noted a deleted copy of CCleaner but no prefetch files or registry entries showing that it had ever been run.
As this is IE10 there were no index.dat files in the suspect's appdata, with the information instead being stored in %appdata/local/microstoft/windows/webcache/webcachev01.dat.  This file is not in the index.dat file but is instead stored as an ESE Database.  Opening the file in EseDbViewer shows several tables named Container_1, Container_2 etc up to Container_16.  The various containers each hold different information visits, cookies, PrivacIE browsing etc.  Looking through these it was easy to see many visits to sites including Facebook and various subdomains of cheezburger.com.
I am not familiar with the structure of these tables as they contain 4 different time stamps but I am working under the assumption that the synctime gives the last access and the accesscount the number of visits to a particular URL.  FaceBook Battle Pirates for example has 42 entries and a further 41 to Google Mail.

Primarily I have focused on containers 1,4 and 9 where I was only able to find entries pertaining to one day 12 Aug 2013 covering a time period from 16:14 to 18:29.  During this time period there were multiple accesses to Gmail and Facebook, including a friends request sent to someone with the email ntglty512@gmail.com sent at 18:25 and many visits to the Battle Pirates game.  There were a significant number of visits to icanhas.cheezburger.com, failblog.cheezburger.com and geek.cheezburger.com.  Finally there were a fewer number of entries corresponding to reddit.com and kixeye.com.
So today I downloaded IEF and ran that against the image.  I obviously have a lot to learn about carving for internet and JSON artifacts as it has recovered much more than I did manually.  Including a Twitter account for BackYardMonster and also references in FB status updates that the suspect also had another account.  It's good to see that the the folks at Magnet are all over IE 10.

Great job Andy! The rest of the week we will be going through this image and showing you how to solve it.