January 2011

@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage bam base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit magnet virtual summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin pancake viewer path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Hello again Reader,

I've actually put an appointment on my calendar now to remind me to blog, let's see if reminders will ensure regular posts.This is a short beginning for part 1 to insure I meet these weekly updates.

Many times when you are working an investigation the question of spoliation will come up. In the most obvious scenarios of spoliation a suspect will use a tool that will to some extent wipe out his tracks. These tools come in three flavors:

1. Whole disk wipers: It's fairly obvious when this happens, though some suspects may tell you it's just encrypted. If they say that ask them what program they used to encrypt it and to please hand over the key.

2. File/directory wipers: If someone were to run a program such as bcwipe or eraser to delete files or directories the first thing these programs do is rename the file to prevent you from recovering what file was deleted. So if your suspect wiped 1,000 files you would find 1,000 randomly named files all seeming modified within seconds of each other on the disk from a different date. After renaming the file, it sets the time and after overwriting the contents of the file it sets the size to 0.

Here is a ftk imager view of a directory named temp with some random new files made:

Here is the same directory in ftk imager a second after wiping:

"How long these file stick around seems to vary by the file system. In older cases I found them months after the fact but on my Windows 7 system that I'm running ftk imager doing a view of my local physical drive some random files disappear in a couple seconds, which accounts for why we don't see 7 random files. " *This isn't exactly true, please see the update below* This wipe was done using bcwipe, the behavior of what wipers leave behind and how it runs on each OS and file system sounds like a good post for me to work on.

In part 2 we will go into system cleaners like CCleaner and some research into what they leave behind.

Update:

Looks like my disappearing wiped files are not a product of a different version of windows or the file system, it was the windows write cache. I made a couple of new files before and just wiped them immediately after, looks like they didn't actually get committed to the disk before I wiped them and thus would not be around afterwords.


To test this I downloaded a random set of source code from sourceforge, extracted it to a directory and then rebooted to make sure everything was flushed.


After rebooting I wiped seven files from a directory in the source tree and got seven wiped entries as expected:

As you can see, seven randomly named files all again with the date of 4/30/1986 and the time 11:43am. I guess this goes back to my last post, if something seems wrong double check your assumptions.

When I wipe the entire directory tree it then appears as an orphaned directory with all of the directory names and file names changed again to random letters with the same date as we saw before, except for the directories which remain the correct date (these times are in UTC so the date appears as 1/20/11):

Hola Readers,
Every image is a special snowflake in regards to what software you find installed. There are times though when an investigator, myself included, gets comfortable as to what to expect and what they believe their tools are already doing for them. I had such an occasion last month when I found an image where the user was using Google Chrome as their browser. The case this was for is now settled and there was no public disclosure of my involvement in any form of declaration/affidavit/report so I will not be identifying the parties.

I was the second person to review the image at the time and we were looking to recover communications between our suspect and other parties around the time of his departure from his then current employer. What was suspiciously absent in our first round of reviews was a lack of web activity being reported from our standard tools. When this happens three things come to my mind for sanity checking:

1. When did the user profile I am looking at get created?
If this is a new system and I got handed it a couple days after the suspect started using it maybe what I'm seeing is correct. In this case, no the system had been in use for at least a year.

2. Is there any indications of popular 'cleaning' or wiping software being used?
Running through the user assist records, lnk files to no longer existent sources or other artifact sources that no longer show data after a consistent date are all signs of this. I will write another blog post about detecting what/when something was cleaned. In this case everything else was in place as it should be.

3. What other programs are installed? Am I missing something?
A quick look through the program files folder and user assist should be done at this point, is there something being used here that you hadn't dealt with previously. The user in this case had IE and firefox installed on his system so I didn't think to check for yet another web browser.


So I took a look through the keyword hits coming from his personal email address and noticed for the first time that they were contained within Chrome SQL Lite databases. Prior to this point I had not extracted the history files for a Chrome user and began a round of google searches to determine how to proceed.

While Google Chrome does make use of SQL Lite databases, basically flat files that contain a database structure that can be used like a relational database without the overhead, I didn't want to manual string together queries. I found two pages that helped me reach the evidence I needed.

The first located on the SANS blog provided me the information I needed regarding the structure of where the files should exist and what files I was most interested in. If I was looking to use log2timeline I could have stopped there, but I already have a license of NetAnalysis so I went to their site next.

Luckily for me in version 1.52 was announced in my inbox on 12/11/10 and now included Google Chrome support. So utilizing the information from the SANS blog I exported it to NetAnalysis for parsing and came up with all of the webmail usage I was expecting.

So the next time you don't find what you are expecting try my three steps and see if there is something you are missing.

If you know of a tool that supports Google Chrome histories besides log2timeline and NetAnalysis please comment or email with it.

Hello Readers,
Since I last so optimistically posted that I would resume blogging in 2010 I had no idea what the first year of a child's life meant for a new parent. I am making a commitment in 2011 to begin regularly posting again and I hope you will believe me and choose to follow along.

In 2010 news I did speak at HTCIA 2010 in Atlanta this year on forensic cases studies from some of G-C's greatest civil cases.

In 2011 news I will be speaking at CEIC 2011 http://www.ceicconference.com on outlook web access forensic analysis. I've been asked to make it a lab so if you are going to CEIC I hope you sign up and learn about what I've learned about OWA analysis in 2010 as it relates to Exchange 2003/2007/2010.

I plan to try to speak more often in 2011 so if your conference is looking for a speaker let me know.

In civil expert witness news I am very happy to join the chorus of other legal commentators to praise the change in the federal rules of civil procedure for expert disclosures. The rule took effect December 1, 2010.

You can read more about it here and here but the jist of it is that emails and drafts of documents exchanged between lawyers and experts is no longer discoverable unless it contains information regarding compensation or information that leads to an opinion. This will make mine my life considerably easier and I hope yours as well.

Author Name

Contact Form

Name

Email *

Message *

Powered by Blogger.