Daily Blog #409: Solution Saturday 6/30/18

Hello Reader,
      Another contest has completed and changing the time frame of the contest seems to have benefited all of us. It benefits the people playing as they get more time to complete their answer, it benefits me as I get to ask more in depth questions and it benefits you the reader as you get even more information!

The Challenge:
ExFAT is documented to have a timezone field to document which timezone a timestamp was populated with. However most tools just see it as FAT and ignore it. For this challenge document for the following operating systems how they populate ExFAT timestamps and which utility will properly show the correct values.

Operating systems:
Windows 7
Windows 10
OSX High Sierre
Ubuntu Linux 16.04 

This weeks' winning answer from Paul Bryant, Senior Lecturer at  Wellington Institute of Technology (WelTec) can be downloaded here as there is no way I can embed this into the post:
https://www.dropbox.com/s/h8omup03bxoblkp/exfat_os_dir_entries.pdf?dl=0

Enjoy and great work Paul!

Tweet

Daily Blog #408: Exploring Extended MAPI Part 15

Hello Reader,
            Another Friday where I'm not able to get a forensic test kitchen done due to my travel and teaching schedule but next week should be better!

Instead lets continue our outlook attachment testing, in the prior post I tested a png file. Let's test an Microsoft Excel document now to see how a file with a metadata structure Outlook would know effects our testing.

First here is the metadata on the file on the disk

Here is the extended mapi properties of the attachment when I sent the message a minute after creating the file.

As you can see the last modification time is being preserved again but the creation time is actually being set to the message creation time as seen in the delivery time below.

I then made sure it wasn't just a rounding issue by sending the same attachment the next day

which shows that the creation time is being sent to the date the message was sent and the modification time of the file is being preserved.


Saving the attachment back to the disk gives the following dates

As we can see the creation time is being set to when the message was sent and the modification time is being reapplied. The Access date appears to be updated but really that's just the real creation time before Microsoft Outlook rolled back the date.

More to come as we test other formats!

Tweet

Daily Blog #407: Exploring Extended MAPI Part 14

Hello reader,
        In yesterdays post I showed how saving an attachment applied the modification date that was stored within the attachment extended mapi properties. I was wondering how from a filesystem perspective you could tell the actual date the file was saved to the disk and as it turns out the filename attribute metadata has the dates the attachment was actually saved to the disk as seen below:

This is a png file, in the upcoming posts I'll be trying other file types to see if Outlook shows any different behaviors.

Tweet

Daily Blog #406: Exploring Extended MAPI Part 13

Hello Reader,
           In my prior post I was looking at the file system metadata stored based on Arman's blog post. In this post I wanted to see if something had changed with how Outlook was assigning creation times on saving a file. In the past I had found that Outlook would look into Word documents and retrieve the dates from the metadata in the document to apply to the file system, and in this post I am looking to see if that has changed.

I haven't tested a regular file before in looking to see what dates got applied and when I saved the attachment to my disk I was surprised to see the following

The creation time was sent to the time the message was received and matched the PR_CREATION_TIME I saw in the prior post. But the Modification time was reapplied from the data that was saved in the attachment extended mapi property! Notice that the Access time is set for today even though access times have been disabled since Windows 10. This because the access time is being set to the actual time of creation and then the other two dates have been rolled back by Outlook.

This is very interesting to me and I plan on testing this with some more file types this week and next.

Tweet

Daily Blog #405: Exploring Extended MAPI Part 12

Hello Reader,
           For today's post I've wanted to share some testing I've been doing of Arman Gungor's research into Extended MAPI data. Arman has agreed to come on the Forensic Lunch next month and talk about his work and this post I'd like to focus on some research he's done on how some file system timestamps are preserved from the sender's system when a file is attached in Outlook.

First you can read Arman's post here:
https://www.meridiandiscovery.com/articles/email-attachment-timestamps-forensics-outlook/

I emailed myself one of the pictures from Saturday's solution post and then examined the Extended MAPI data of the attachment with Outlook spy to see if I could confirm what Arman found.

Here are the file system timestamps on my system for pic10.png:

Looking at the Extended MAPI for the attachment I found the following. For the creation time I have the creation time of the message rather than the file attachment. The time is displayed is in UTC and I'm currently in is UTC +10.

Looking at the Modification time though we do find the correct file system time:

Which +10 hours is 6/24/18 at 6:14PM.

This is fascinating to me as I thought all file system metadata was stripped away when a file was attached. I am going to do more testing with Outlook attachments and the dates applied to see how these changes my prior results.

Tweet

Daily Blog #404: Exploring Extended Mapi Part 11

Hello Reader,
          In this post I want to follow up on an earlier post questioning what was left behind in a forwarded message extended MAPI wise that would allow an examiner to know more about the message. Well it's appropriate that this is Daily Blog 404 because within the extended MAPI i did not find any of the original dates contained in a property.

I still need to decode the conversation index though and I'll be working on that tomorrow as well as putting all of the logic into python code to automate this process.

Tweet

Daily Blog #403: Sunday Funday 6/24/18

Hello Reader,
             Thanks to your great submissions last week I had a really tough time picking a winner. In the end the community as a whole has benefited from your research. You will have a five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it and you are allowed to update your submission if you find new information.

ExFAT has been on my mind lately. Let's talk about documentation, expectation and reality in this weeks file system forensics challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

1. You must post your answer before Friday 6/29/18 7PM CST (GMT -5)
2. The most complete answer wins
3. You are allowed to edit your answer after posting
4. If two answers are too similar for one to win, the one with the earlier posting time wins
5. Be specific and be thoughtful 
6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
ExFAT is documented to have a timezone field to document which timezone a timestamp was populated with. However most tools just see it as FAT and ignore it. For this challenge document for the following operating systems how they populate ExFAT timestamps and which utility will properly show the correct values.

Operating systems:
Windows 7
Windows 10
OSX High Sierre
Ubuntu Linux 16.04

Tweet

Daily Blog #402: Solution Saturday 6/23/18

Hello Reader,
             This week was really tough as I got a lot of really good submissions. In the end the winning submission from Phil Moore was selected because much like the other submissions that made it to the final round of consideration he listed which apps he tested that contained Zone.Identifiers and what different data points they contained. But Phil took it one step further and not only tested the application he tested the behavior such as saving different file types in IE or different moods of operation like InPrivate Browsing.  Last Phil added in a bonus OSX artifact to boot.

Here was the challenge:
The Challenge:
Zone.Identifier alternate data streams have been around for awhile please answer the following questions.
1. What version of Windows introduced zone.identifier
2. What data is contained with in a zone.identifier
3. What sets the zone.identifier
4. what conditions causes them to be created
5. What are the limitations of zone.identifier

So here is this week's winning entry from Phil Moore.

1. What version of Windows introduced zone.identifier

Windows Xp sp2

Reference: https://www.forensicswiki.org/wiki/New_Technology_File_System_(NTFS)

http://www.sandersonforensics.com/Files/ZoneIdentifier.pdf

2. What data is contained with in a zone.identifier

“Windows Internet Explorer uses the stream name Zone.Identifier for storage of URL security zones.”
(Reference: https://msdn.microsoft.com/en-us/library/dn392609.aspx)

This relates to data stored in the registry in the Zones key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

(Reference: https://blogs.msdn.microsoft.com/oldnewthing/20131104-00/?p=2753/)

Until recently, the only information located within the ZoneID Alternate Data Stream related to the above settings:

 

In 2017, Twitter user @Ericlaw identified (https://twitter.com/ericlaw/status/903065616055185409) that browsers were putting additional information in the ADS ZoneID.

Independantly of this, I discovered that URLs and program identification information may also be found (Reference: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/)

Other examiners were able to replicate the findings (https://www.dfir.co.za/2018/06/18/highway-to-the-danger-zone-identifier/), as well as identify further information from the “Edge” browser.

Jaco Swanepoel eventually did figure out how to do it. I haven’t been able to replicate the HostIpAddress yet.

What this means is that we can also find the location from which the file originated in some instances, and also infer the browser used to download the file.

3. What sets the zone.identifier

As above, the browser checks the registry (NTUSER.DAT) and acts accordingly.

“URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust.” (Reference: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85) )

The domains that have been stored can be located here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and EscDomains.

Adding items to these keys can be done through Internet Options:

The Internet Options can be accessed through Windows Settings or Internet Explorer.

As a test, I added a site to the restricted list and when saving the item, I observed that it had a ZoneID of 4.

Similarly, if I added an item to “Trusted” then it doesn’t get a ZoneID

4. What conditions causes them to be created

“Browsers and other internet clients (e.g. email and chat programs) can participate in the MOTW-marking system by using the IAttachmentExecute interface’s methods or by writing the Alternate Data Stream directly.” (Reference: https://textslashplain.com/tag/security/page/2/)

Forensic Wiki indicates that ZoneID’s were originally set when a file was downloaded using “Internet Explorer, Outlook, and Windows Messenger”.

I performed a majority of my testing on Win10; there’s plenty more to do however.

Task	ZoneID?	ADS Contents
Save picture (IE)	No
Save ZIP (IE)	Yes	ZoneID
Save file (Chrome, Chrome-based browser)	Yes	ZoneID RefererURL HostURL
Save file (Firefox)	Yes	ZoneID
Save file (Edge)	Yes	ZoneID LastWriterPackageFamilyName (Application name)
File saved out of Outlook (o365 desktop)*	Yes	ZoneID
File saved out of Mail “Trusted Microsoft Store” app*	Yes	ZoneID
File saved out of Skype “Trusted Microsoft Store” app	Yes	ZoneID
Skype (Classic) App	Yes	ZoneID
Wget under Windows Subsystem for Linux	No
Powershell	No
FTP.exe (inbuilt)	No
Tor Browser Bundle (Firefox)	Yes	ZoneID
Private Browsing (IE - Zip)	Yes	ZoneID
Private Browsing (Firefox - Zip)	Yes	ZoneID
Private Browsing (Chrome - Zip)	Yes	ZoneID RefererURL HostURL
Private Browsing (IE - Zip	Untested - download kept failing
Save a webpage to the desktop from a link (Chrome)	Yes	ZoneID RefererURL HostURL
Save current page***	No
Telegram (Windows)	No
Sync with Mega	No
Sync with Dropbox	No**
Sync with OneDrive	No

*apparently you can also drag and drop files from emails and these won't be given the zoneID however this wasn’t tested.

** Dropbox does create ADS’s for the files, but not a ZoneID.

*** Indication of originating URL identified in the saved HTML code.

On Windows 7 I observed ZoneIDs from saving files out of webpages, however no additional data was located.

I did not have a Windows 8/8.1 sytsem to test.

Internet Explorer doesn’t always create ZoneIDs, for example saving a picture did not create a ZoneID. All other browsers did however for the same test. As a guess, any file that IE thinks the user needs to be protected from should have a ZoneID.

5. What are the limitations of zone.identifier

“The Alternate Data Stream travels with the file as it’s copied between NTFS disks, but will be lost if the file is ever copied to a FAT file system disk (like many USB keys, CDs, etc) that doesn’t support ADS. If you use Windows Explorer to extract a ZIP file with the MotW ADS, it will be copied to each file extracted from the archive.” (Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/)

Didier Stevens wrote a a post about propagation of ZoneIDs from ISO containers.

For example, if you open an ISO in Win10 and open the file, the file will not identify that it has come from the Internet (and I would guess if you copied it out it would not transfer the ZoneID with it).

(Reference: https://blog.didierstevens.com/2017/07/18/iso-files-with-zone-identifier/).

Addendum:

MacOS NTFS Drives

If you save a file to an NTFS drive using the Tuxera NTFS driver for MacOS you don’t get a ZoneID, but you do get Extended Attributes.

Program Execution:

On win8 if a program is executed and smart screen is displayed, if the user bypasses smartscreen to execute the application then this will replace the ZoneID with “AppZoneId=4”. This is not to be confused with “ZoneID=4” which would mean that the file came from a restricted zone.
I do not have a Win8 system to test this on, and was unable to replicate it on Win10.

This is another execution artefact however.

(Reference: https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/)

Removing ZoneIDs:
If you download an executable from the web you will get a Security Warning. If you deselect the “Always ask before opening this file” then the ZoneID will be removed.

Alternatively, if you go to the properties of the executable and select “Unblock” it will also remove the ZoneID.

Lastly, you can use the streams application (https://docs.microsoft.com/en-us/sysinternals/downloads/streams) by Mark Russinovich to remove ADS’s.

Tweet