@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon leanpub libtsk libvshadow linux linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog #106: Sunday Funday 10/6/13 Winner!

Hello Reader,
         Another Sunday Funday is done and this week Andy Dove emerges victorious! This on its face was a simple contest but with a couple twists.

1. We used IE10 in the browsing which changed how the internet history is recorded from index.dat files to the new ESE DB format. This meant that most forensic suites wouldn't properly decode the traffic as they don't support IE10 yet.
2. I asked you to determine the length of time someone was on a website, this is a trick question. Nothing keeps track of amount time someone is active on a website. You can only tell how often they visited the site and on which days which can you lead you to approximate total time based on the time between visits to a single site in a day.
3. We put some facebook chat in here as the non work chat

The Challenge:
This scenario should remind you of one of your most early cases. HR has come to you and identified an employee who does not seem to spend much time working. They want to know the following to determine if the employee should be disciplined or fired:
1. What non work site have they visited
2. How many times per day do they visit these non work sites
3. Can you determine how long they were spending on non work sites
4. Was there communication to other employees over non work sites

The Winning Answer:
 Andy Dove


A good challenge this weekend David,  I haven't seen many cases running IE10 before.  Particularly on a Windows 8.0 Machine.  Normally I run most of my cases through IEF but as I was running this one at home I was limited to FOSS tools. 
The main tools I have used for this particular challenge are Autopsy, EseDbViewer from Nirsoft.
After opening the image in Autopsy I checked the registry and program files to see which browser(s) had been used. This showed me that no browsers other than IE appeared to be live on the system.  I also noted a deleted copy of CCleaner but no prefetch files or registry entries showing that it had ever been run.
As this is IE10 there were no index.dat files in the suspect's appdata, with the information instead being stored in %appdata/local/microstoft/windows/webcache/webcachev01.dat.  This file is not in the index.dat file but is instead stored as an ESE Database.  Opening the file in EseDbViewer shows several tables named Container_1, Container_2 etc up to Container_16.  The various containers each hold different information visits, cookies, PrivacIE browsing etc.  Looking through these it was easy to see many visits to sites including Facebook and various subdomains of cheezburger.com.
I am not familiar with the structure of these tables as they contain 4 different time stamps but I am working under the assumption that the synctime gives the last access and the accesscount the number of visits to a particular URL.  FaceBook Battle Pirates for example has 42 entries and a further 41 to Google Mail.

Primarily I have focused on containers 1,4 and 9 where I was only able to find entries pertaining to one day 12 Aug 2013 covering a time period from 16:14 to 18:29.  During this time period there were multiple accesses to Gmail and Facebook, including a friends request sent to someone with the email ntglty512@gmail.com sent at 18:25 and many visits to the Battle Pirates game.  There were a significant number of visits to icanhas.cheezburger.com, failblog.cheezburger.com and geek.cheezburger.com.  Finally there were a fewer number of entries corresponding to reddit.com and kixeye.com.
So today I downloaded IEF and ran that against the image.  I obviously have a lot to learn about carving for internet and JSON artifacts as it has recovered much more than I did manually.  Including a Twitter account for BackYardMonster and also references in FB status updates that the suspect also had another account.  It's good to see that the the folks at Magnet are all over IE 10.

Great job Andy! The rest of the week we will be going through this image and showing you how to solve it.
Labels:

Post a Comment

[blogger][disqus][facebook][spotim]

Author Name

Contact Form

Name

Email *

Message *

Powered by Blogger.