
Daily Blog #99: Sunday Funday 9/29/13 Winner!

Hello Reader,
        Another challenge has found a victor! Congratulations to Steve M, who provided this week's best answer and really did a good job going into depth. Next week get ready for a full forensic image challenge, and read what Steve M has to say today and next year when it appears in print in Hacking Exposed: Computer Forensics, 3rd Edition!

The Challenge:
Your suspect has a Windows XP system and you have evidence from the User Assist records that he ran CCleaner a month ago, but the count shows it has been run multiple times before. Write out what your methodology would be to determine:

  • If system cleaning took place
  • If wiping took place
  • What is now missing

The Winning Answer:
From Steve M
The UserAssist key on the suspected system indicates CCleaner was run one month ago, but the count indicates it has been run more than once.  Here is how I would answer the questions outlined in the contest:

1) If system cleaning took place

System Cleaning, by default, will remove files from several locations including browser specific Temporary Internet Files, Cookies, and histories.  The date of last execution specified in the UserAssist registry key can be considered a checkpoint, for which we can investigate if the system activity only appears to happen after the date.  For example, if the suspect system only has cookies being created after the date CCleaner was last run, it would serve as a strong indicator that system cleaning took place.

To determine the options enabled when CCleaner was last run, I would look at "HKCU\Software\Piriform\CCleaner" for the user who last used the software.  Each option has a registry key that enables/disables the checkbox in the GUI, and would be a good indicator of what options were run the last time the application was used.  It is completely possible the suspect modified the settings for the last run or enabled/disabled settings without actually performing a clean, so these should not be considered hard evidence.

To determine if the user had run system cleaning based on disk contents, I would look for the presence (and contents) of the following files:

Internet Explorer:
C:\Documents and Settings\\Local Settings\Temporary Internet Files\Content.IE5\index.dat & subdirectories
C:\Documents and Settings\\Cookies
C:\Documents and Settings\\Local Settings\History\History.IE5

Chrome:
C:\Documents and Settings\\Local Settings\Application Data\Google\Chrome\User Data\

Firefox:
C:\Documents and Settings\\Local Settings\Application Data\Mozilla\Firefox\Profiles\\cookies.sqlite
C:\Documents and Settings\\Local Settings\Application Data\Mozilla\Firefox\Profiles\\downloads.sqlite
C:\Documents and Settings\\Local Settings\Application Data\Mozilla\Firefox\Profiles\\places.sqlite
C:\Documents and Settings\\Local Settings\Application Data\Mozilla\Firefox\Profiles\\search.sqlite

These artifacts can be investigated using commercial products (Internet Evidence Finder, ChromeAnalysis Plus, Encase) or free tools (Redline, Galleta, Pasco).  Presence only of files created after the CCleaner execution date would indicate the system cleaning took place.  Lack of files or directories would warrant further investigation to determine if the system is commonly used for web browsing.

Additionally, by default CCleaner will clear certain Windows logs as well.  Specifically, logs in C:\Windows\system32\wbem\logs can be inspected to see the earliest entries.  If the earliest entries all appear after the last execution time of CCleaner, it is likely these logs were wiped via the system cleaning process as well.

2) If wiping took place

CCleaner offers a free space wiping utility as well, which will identify all unallocated clusters and fill them with "0"'s (nulls).  To identify this has been performed, a low level disk analysis tool can be used (Encase, dd, etc).  Specifically, viewing a hex dump of the contents of any unallocated clusters will show them as containing null characters instead of miscellaneous undeleted data.  While some of the wiped clusters may now have data from activity after the running of the CCleaner tool, it is unlikely the majority of them will given today's large capacity disks.  Therefore, viewing several unallocated clusters at random should give a good indication if they have been zero'd out or not.

Additionally, CCleaner appears to store the settings used upon last execution in "HKCU\Software\Piriform\CCleaner", so the investigator could extract the suspect user's registry hive and search for "(App)Wipe Free Space" to see if the checkbox is checked or not (it is "False" by default, meaning "wipe free space" is disabled).  Also, the investigator could potentially launch the CCleaner.exe executable on a mirror copy of the drive as the user who last executed it and determine if "Wipe Free Space" was checked (it is not by default).  This would provide good confidence if the data agreed, but itself would not be substantial to say that wiping had been performed since you don't need to complete the action for the preference to persist.

3) What is now missing

Assuming CCleaner was run to perform system cleaning and wipe free space on the sole physical disk drive, important artifacts regarding browsing history, system restore points, and deleted but not overwritten files may now be unrecoverable.  Therefore, it may be much more difficult for an investigator to find the information they are looking for (as per the product's intentions).  However, some of these artifacts may be recovered by examining the system's pagefile (stored in memory during the execution of CCleaner, then flushed to disk), slack space on the disk (not overwritten by "wipe free space"), off-device backups to either a network storage device or external media, and proxy solutions which are typically deployed in an enterprise.  The analysis will be harder, but not necessarily impossible.
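As an added illustration (not part of Steve M's answer or the original post), the following Python sketches the two checks from the answer on constructed data: comparing the UserAssist last-run checkpoint against the creation times of surviving browser artifacts, and sampling unallocated clusters at random to see what share contain only nulls. The artifact names, timestamps and the 32-cluster "disk" are all constructed for the example.

```python
import random
from datetime import datetime

# Constructed example data (not from the original post): the UserAssist
# last-run time for CCleaner, used as the checkpoint.
CCLEANER_LAST_RUN = datetime(2013, 8, 29, 14, 5)

# Creation times of artifacts CCleaner removes by default, as an examiner
# would pull them from the file system timeline (constructed values).
ARTIFACT_CTIMES = {
    r"Local Settings\Temporary Internet Files\Content.IE5\index.dat": datetime(2013, 8, 29, 14, 7),
    r"Cookies\index.dat": datetime(2013, 8, 29, 14, 8),
    r"Local Settings\History\History.IE5\index.dat": datetime(2013, 9, 2, 8, 30),
}

def cleaning_indicator(last_run, ctimes):
    """Return (all_after, earliest): all_after is True when every surviving
    artifact was created after the checkpoint, consistent with a clean."""
    earliest = min(ctimes.values())
    return earliest > last_run, earliest

CLUSTER_SIZE = 512
# Constructed 32-cluster "disk": every 4th cluster is allocated file data, the
# rest is unallocated and nulled as after a free-space wipe, except cluster 5,
# which was reused by activity after the wipe.
DISK = bytearray(32 * CLUSTER_SIZE)
for c in range(0, 32, 4):
    DISK[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = b"FILEDATA" * (CLUSTER_SIZE // 8)
DISK[5 * CLUSTER_SIZE:6 * CLUSTER_SIZE] = b"residual" * (CLUSTER_SIZE // 8)
UNALLOCATED = [c for c in range(32) if c % 4 != 0]

def read_cluster(disk, n, size=CLUSTER_SIZE):
    return bytes(disk[n * size:(n + 1) * size])

def wiped_fraction(disk, unallocated, sample_size, seed=1):
    """Read a random sample of unallocated clusters and return the share that
    contain only null bytes; a value near 1.0 suggests free space was wiped."""
    sample = random.Random(seed).sample(unallocated, sample_size)
    zeroed = sum(1 for n in sample if read_cluster(disk, n) == bytes(CLUSTER_SIZE))
    return zeroed / sample_size

if __name__ == "__main__":
    print("cleaning indicator:", cleaning_indicator(CCLEANER_LAST_RUN, ARTIFACT_CTIMES))
    print("wiped fraction:", wiped_fraction(DISK, UNALLOCATED, 8))
```

On a real image the examiner would feed `wiped_fraction` a cluster reader backed by the evidence file and the unallocated cluster list from the file system metadata, and treat a high fraction as one indicator to be corroborated, not proof on its own.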