
Daily Blog #148: Sunday Funday 11/17/13 Winner!

Hello Reader,
        Another Sunday Funday has come and gone, and a new victor arises to claim the prize! This week I put out a challenge on a topic I know we've covered in different aspects here on the blog, CD burning artifacts, to see what you would come back with. While some of the responses covered what we've talked about here, some of you went beyond and found additional artifacts! This week the 'earliest most complete submission wins' rule came into effect. The winning answer this week, from Martijn Veken, was received at 8:34am central time, beating the other great submissions by hours.

The Challenge:
     Your client has given you three CD-ROMs that contain their trade secrets. They want you to determine as much information as possible about the CDs, specifically:
1. Which system burned them
2. What software created the CDs
3. When they were burned
4. If there were other CDs burned
5. Which user burned the CDs

The client is a small company with 5 systems, all of which you've been given access to. Each of the 5 systems runs Windows 7.

The Winning Answer:

Martijn Veken:

1. Which system burned them
If you figured out at what time the CDs were burned (see answer 3), check the system event log for event id 133; this indicates that files were burned to CD using Windows Explorer. If so, in the registry under the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo", there are keys indicating where files were staged before they were burned to the CD. You can use file system forensics to investigate what was in the folder to try to match them to the disc. You can also check the timestamp of the registry key to see at what time it was written to search more specifically.

If another tool was used, there are clues on which tool this was on the CD (see step 2). Look for indications in the prefetch, RunMRU and user assist to see if the tool has run on the system. If the tool is or used to be present, look for the temp folders or log files it produces to see if you can match it to the CD.

2. What software created the CDs
If it’s ISO9660, usually the name of the application that has created the CD is in the session start section, somewhere just after 0x8000.

3. When they were burned
If it’s ISO9660, there are a couple of timestamps indicating the time of burn in the session start section. If you have figured out on which system the discs were created, check the event log to see if there are any events (event id 1) that indicate that the system time was changed prior to burning the disc.

4. If there were other CDs burned
If the CDs have been burned with Windows Explorer, there will be events with id 133 in the event log. In the registry key described in step 1 there will be entries for staging folders. Examine these forensically to see if there are residues of files there.

Other burning applications also usually have a temp or staging folder for burning CDs. You can check these folders for residues indicating that files have been burned to a CD.

5. Which user burned the CDs
In most cases, the location of the log or staging files in the user's AppData folder will indicate which user created the CDs.

If not, use the time that the CD was created to check the security event log for audit events that indicate which user was logged on to the system at the time of the creation of the CDs. To burn a disk, a user usually needs to log on physically to the system, so look for logons of types 2 and 7 prior to burning the disc.
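Answers 2 and 3 above rely on the ISO 9660 Primary Volume Descriptor that sits at offset 0x8000 (sector 16) of the disc. The following is an added example, not part of Martijn's answer or of this blog: a small parser that walks the volume descriptor set of a raw disc image and pulls out the identifier and timestamp fields (offsets from ECMA-119 section 8.4). The image it runs on by default is constructed in memory with made-up identifiers and a made-up burn time; the application name and timestamps you see on a real disc will of course be whatever the burning software wrote there.

```python
"""Recover the application identifier and burn timestamps from the ISO 9660
volume descriptors of a disc image (added example, not the blog's own code)."""
import struct
import sys
from datetime import datetime, timedelta, timezone

SECTOR = 2048
VD_START = 0x8000          # volume descriptor set begins at sector 16
PRIMARY_VD = 1
TERMINATOR = 255


def _text(raw: bytes) -> str:
    """Decode a fixed-width, space-padded ASCII identifier field."""
    return raw.decode("ascii", errors="replace").rstrip(" \x00")


def decode_iso_datetime(raw: bytes):
    """Decode a 17-byte ISO 9660 'dec-datetime': 16 ASCII digits
    (YYYYMMDDHHMMSScc, cc = hundredths of a second) followed by a signed
    GMT offset counted in 15-minute units. All-zero digits mean 'not set'."""
    digits = raw[:16]
    if digits == b"0" * 16:
        return None
    quarter_hours = struct.unpack("b", raw[16:17])[0]
    tz = timezone(timedelta(minutes=15 * quarter_hours))
    d = digits.decode("ascii")
    return datetime(int(d[0:4]), int(d[4:6]), int(d[6:8]),
                    int(d[8:10]), int(d[10:12]), int(d[12:14]),
                    int(d[14:16]) * 10000, tzinfo=tz)


def parse_pvd(desc: bytes) -> dict:
    """Pick the identification and timestamp fields out of one 2048-byte
    Primary Volume Descriptor."""
    return {
        "system_id": _text(desc[8:40]),
        "volume_id": _text(desc[40:72]),
        "publisher_id": _text(desc[318:446]),
        "data_preparer_id": _text(desc[446:574]),
        "application_id": _text(desc[574:702]),
        "created": decode_iso_datetime(desc[813:830]),
        "modified": decode_iso_datetime(desc[830:847]),
    }


def parse_volume_descriptors(image: bytes) -> list:
    """Walk the descriptor set from sector 16 until the set terminator and
    return a parsed dict for every Primary Volume Descriptor found.
    (Joliet supplementary descriptors, type 2, are skipped here.)"""
    found = []
    pos = VD_START
    while pos + SECTOR <= len(image):
        desc = image[pos:pos + SECTOR]
        if desc[1:6] != b"CD001" or desc[0] == TERMINATOR:
            break                      # not ISO 9660, or end of the set
        if desc[0] == PRIMARY_VD:
            found.append(parse_pvd(desc))
        pos += SECTOR
    return found


def build_sample_image() -> bytes:
    """Constructed test image: an empty 16-sector system area, one PVD with
    made-up identifiers and a made-up burn time, then the set terminator."""
    pvd = bytearray(SECTOR)
    pvd[0] = PRIMARY_VD
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[8:40] = b"WIN32".ljust(32)
    pvd[40:72] = b"TRADE_SECRETS".ljust(32)
    pvd[574:702] = b"EXAMPLE BURNER 1.0 (CONSTRUCTED)".ljust(128)
    # 2013-11-17 08:34:00.00 at GMT offset -24 quarter-hours, i.e. UTC-6
    pvd[813:830] = b"2013111708340000" + struct.pack("b", -24)
    pvd[830:847] = b"0" * 16 + b"\x00"          # modification time not set
    term = bytearray(SECTOR)
    term[0] = TERMINATOR
    term[1:6] = b"CD001"
    term[6] = 1
    return bytes(SECTOR * 16) + bytes(pvd) + bytes(term)


if __name__ == "__main__":
    # Usage: python iso_pvd.py [disc_image.iso]; with no argument the
    # constructed sample image is parsed instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for vd in parse_volume_descriptors(data):
        for key, value in vd.items():
            print(f"{key:18}: {value}")
```

Two things worth keeping in mind when reading the output: the creation and modification fields are written by the burning application, so they are only as trustworthy as the system clock at burn time (hence the check for event id 1 in answer 3), and a multi-session disc can carry more than one descriptor set, so the last burn is not necessarily the one at sector 16.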

Make some time for next week's Sunday Funday and you too can win a prize worth researching for!