CNS 320 Week5 Lecture
Transcript of CNS 320 Week5 Lecture
-
7/28/2019 CNS 320 Week5 Lecture
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE
Week 5 Lecture
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Quiz 1 Review
1. Four types of NTFS TimeStamp
2. Attribute holding standard NTFS timestamps
3. Long/short filename MFT records
4. File Slack
5. Registry Key Structure
6. Spoliation
7. NTFS MFT
8. NTFS Folder Information Attributes
9. Chain of Custody
-
Quiz 1 Review (#1 88%)
1. Four types of NTFS timestamp (in order as they appear in MFT attributes): MACB
Born/Created
Modified: last written time of the file's data attribute
Changed: last written time of the file's MFT entry (an ownership or permission change doesn't change the Changed time)
Accessed
Key info: remember the names
Remember the difference between Modified & Changed
-
Quiz 1 Review (#2 60%)
2. Which NTFS attribute stores the timestamps that are used by most Windows APIs?
Standard Information Attribute
Other places NTFS timestamps are stored:
Filename Attributes (long and 8.3)
INDEX_ROOT & INDEX_ALLOCATION attributes for the parent folder
Include copies of Filename Attributes
-
Quiz 1 Review (#3 23%)
3. File timestamp locations in the MFT entry
Most important takeaway from my first forensics class, as well as my favorite interview question
Burn the next slide into your brains (except for the actual namespace identifiers)
Please don't get this question wrong on the final
-
Quiz 1 Review
3. File timestamp locations in the MFT entry
One set of four in the Standard Information attribute
One set in each of the Filename attributes
Files whose names fit within the legacy 8.3 (8-character name, 3-character extension) specification have only one Filename attribute (Namespace 3 - Win32/DOS)
Files with a longer name or extension have a long (Namespace 1 - Win32) Filename attribute, plus an additional 8.3 (Namespace 2 - DOS) Filename attribute that is automatically generated
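The three timestamp sets described above can be read straight out of an MFT record. The following is an added example, not code from the lecture: it builds a constructed record holding one $STANDARD_INFORMATION attribute and the two $FILE_NAME attributes a long-named file gets, then walks the attribute list and reports every set. Field offsets follow the NTFS on-disk layout; the constructed record has no update-sequence fixups, which a real record needs applied before parsing.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STD_INFO, FILE_NAME, END = 0x10, 0x30, 0xFFFFFFFF
NAMESPACE = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}

def filetime_to_dt(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def unpack_macb(buf, base):
    """Both attributes store Created, Modified, MFT-Changed, Accessed in that order."""
    c, m, ch, a = struct.unpack_from("<4Q", buf, base)
    return {"created": filetime_to_dt(c), "modified": filetime_to_dt(m),
            "changed": filetime_to_dt(ch), "accessed": filetime_to_dt(a)}

def parse_timestamps(record):
    """Walk one MFT record's attribute list and return every timestamp set found.
    (A real record needs its update-sequence fixups applied first.)"""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record")
    off = struct.unpack_from("<H", record, 0x14)[0]      # first attribute offset
    found = []
    while True:
        atype = struct.unpack_from("<I", record, off)[0]
        if atype == END:
            return found
        length, nonres = struct.unpack_from("<IB", record, off + 4)
        clen, coff = struct.unpack_from("<IH", record, off + 0x10)
        body = record[off + coff:off + coff + clen]
        if atype == STD_INFO and not nonres:
            found.append(("$STANDARD_INFORMATION", None, unpack_macb(body, 0)))
        elif atype == FILE_NAME and not nonres:
            nlen, ns = body[0x40], body[0x41]               # name length (chars), namespace
            name = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
            found.append(("$FILE_NAME", f"{name} ({NAMESPACE.get(ns, ns)})",
                          unpack_macb(body, 8)))           # timestamps follow the parent ref
        off += length

# ---- constructed sample record (not a real disk artefact) ----
def resident_attr(atype, content):
    hdr_len = 0x18
    length = (hdr_len + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, hdr_len, 0, 0,
                      len(content), hdr_len, 0, 0)
    return hdr + content + b"\0" * (length - hdr_len - len(content))

def file_name_attr(name, ns, ft):
    body = struct.pack("<Q4QQQIIBB", 5, ft, ft, ft, ft, 0, 0, 0x20, 0, len(name), ns)
    return resident_attr(FILE_NAME, body + name.encode("utf-16-le"))

def build_sample():
    t0 = dt_to_filetime(datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc))
    s = 10_000_000                                         # one second of FILETIME ticks
    # $SI: created t0, data modified +10 min, MFT changed one second later, accessed +2 h
    si = struct.pack("<4Q", t0, t0 + 600 * s, t0 + 601 * s, t0 + 7200 * s) + b"\0" * 16
    attrs = (resident_attr(STD_INFO, si)
             + file_name_attr("My Document.txt", 1, t0)    # long name, Win32 namespace
             + file_name_attr("MYDOCU~1.TXT", 2, t0))      # generated 8.3 name, DOS namespace
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 0, 0, 1, 1, 0x38, 1,
                                   0x38 + len(attrs) + 8, 1024, 0, 4, 0, 0)
    return (header + b"\0" * 8 + attrs + struct.pack("<I", END)).ljust(1024, b"\0")
```

Note that the $FILE_NAME copies keep the creation-time values while $STANDARD_INFORMATION moves on, which is exactly the redundancy a timestamp-tampering check relies on.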
-
File Slack (#4 30%)
I think I see where I went wrong here
Can anybody explain to me the difference between a Cluster and a Sector?
Both are minimum supported allocation unit sizes
Sector is for the physical device (as seen by the OS)
Cluster is for the filesystem
It's possible for both to be the same size
Clusters are typically several times (an exact multiple) the size of a sector
-
Quiz 1 Review
4. What is File Slack? (definition should specifically include RAM Slack) Use an example on the back if you need to clarify.
The answer "Any remaining sectors in the last cluster of a file following the RAM Slack" does not include RAM Slack.
Answer should have been something like:
All unused space in the last cluster of the file, including the RAM Slack, which is unused space in the last occupied sector
-
Quiz 1 Review
4. File Slack
Space after the end of the file data in the last cluster allocated to the file
Space between the logical and physical end of file
Term is sometimes used inconsistently WRT the inclusion of RAM slack
RAM Slack
Space between the end of file data in the last occupied sector, and the end of that sector
If the file uses the last sector in the cluster, this is the same as file slack
Called RAM slack because old versions of Win95 populated it with random data from memory
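The quantities defined above, worked through as an added example that is not part of the lecture: given a file size plus the sector and cluster sizes, compute the RAM slack, the whole unused sectors, and the total file slack. The file is assumed to be non-resident (a file small enough to live inside its MFT entry owns no cluster and so has no slack).

```python
import math

def slack(file_size, sector=512, cluster=4096):
    """Break down the last cluster of a non-resident file of file_size bytes."""
    if cluster % sector:
        raise ValueError("cluster size must be an exact multiple of sector size")
    if file_size == 0:                       # nothing allocated, nothing to slack
        return {"clusters": 0, "ram_slack": 0, "file_slack": 0,
                "slack_sectors": 0, "sector_slack": 0}
    sectors_used = math.ceil(file_size / sector)      # includes the partially filled one
    clusters = math.ceil(file_size / cluster)
    ram_slack = sectors_used * sector - file_size     # tail of the last occupied sector
    file_slack = clusters * cluster - file_size       # logical EOF to physical EOF, RAM slack included
    slack_sectors = clusters * cluster // sector - sectors_used  # wholly unused sectors
    return {"clusters": clusters, "ram_slack": ram_slack, "file_slack": file_slack,
            "slack_sectors": slack_sectors, "sector_slack": file_slack - ram_slack}
```

With 512-byte sectors and 4 KiB clusters a 10,000-byte file uses 20 sectors in 3 clusters, leaving 240 bytes of RAM slack, 4 unused sectors, and 2,288 bytes of file slack in total; when the file ends in the cluster's last sector the two figures coincide.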
-
4. File Slack Diagram
[Diagram: sectors within clusters, 3 clusters allocated; labelled regions: Occupied Sector, RAM Slack, File Slack Sector]
-
Quiz 1 Review (#5 20%)
5. Registry Structures
Maybe people didn't realize what I was asking here. It's really about how to recognize Registry Keys and Values from context, and what you can extract from them
-
Quiz 1 Review
5. Registry Structures
Key: nk signature, contains a Windows FILETIME timestamp
Value: vk signature, no timestamp, but may appear shortly after its parent nk structure
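Recognising keys and values from context, as an added example that is not from the lecture: an allocated hive cell starts with a negative 4-byte size immediately before the nk or vk signature, and for nk the 8 bytes after the flags must decode to a plausible FILETIME. The hive fragment below is constructed; field offsets follow the documented regf cell layout.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_1970, FT_2107 = 116_444_736_000_000_000, 160_000_000_000_000_000  # sanity window

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def _allocated_cell(blob, start, min_size):
    """Allocated cells carry a negative size; free cells carry a positive one."""
    if start < 0:
        return False
    size = struct.unpack_from("<i", blob, start)[0]
    return size < 0 and -size >= min_size and start - size <= len(blob)

def find_keys(blob):
    """Locate nk cells by context and pull out name, last-write time and counts."""
    keys = []
    for m in re.finditer(rb"nk", blob):
        start = m.start() - 4
        if not _allocated_cell(blob, start, 0x50):
            continue
        flags, last_write = struct.unpack_from("<HQ", blob, start + 6)
        if not FT_1970 <= last_write < FT_2107:
            continue                                  # not a believable timestamp
        subkeys = struct.unpack_from("<I", blob, start + 0x18)[0]
        values = struct.unpack_from("<I", blob, start + 0x28)[0]
        nlen = struct.unpack_from("<H", blob, start + 0x4C)[0]
        raw = blob[start + 0x50:start + 0x50 + nlen]
        name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")
        keys.append({"offset": start, "name": name, "last_write": filetime_to_dt(last_write),
                     "subkeys": subkeys, "values": values})
    return keys

def find_values(blob):
    """Locate vk cells; they carry no timestamp, so the nearby nk supplies one."""
    vals = []
    for m in re.finditer(rb"vk", blob):
        start = m.start() - 4
        if not _allocated_cell(blob, start, 0x18):
            continue
        nlen, dsize, doff, dtype, vflags = struct.unpack_from("<HIIIH", blob, start + 6)
        raw = blob[start + 0x18:start + 0x18 + nlen]
        name = raw.decode("latin-1") if vflags & 1 else raw.decode("utf-16-le")
        inline = bool(dsize & 0x80000000)             # data of 4 bytes or less lives in doff
        vals.append({"offset": start, "name": name or "(Default)", "type": dtype,
                     "data_size": dsize & 0x7FFFFFFF, "inline_data": inline,
                     "data": doff if inline else None})
    return vals

def _cell(body):
    size = (len(body) + 4 + 7) & ~7
    return struct.pack("<i", -size) + body.ljust(size - 4, b"\0")

def build_sample():
    """Constructed fragment: junk, one nk cell (1 value), its vk cell, junk."""
    ft = int((datetime(2012, 5, 4, 9, 30, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000
    nk = (b"nk" + struct.pack("<HQ", 0x20, ft) + struct.pack("<6I", 0, 0, 0, 0, 0, 0)
          + struct.pack("<I", 1) + b"\0" * 0x20 + struct.pack("<HH", 8, 0) + b"MUICache")
    vk = b"vk" + struct.pack("<HIIIHH", 6, 0x80000004, 0x0409, 4, 1, 0) + b"LangID"
    return b"\xab" * 37 + _cell(nk) + _cell(vk) + b"\xab" * 11
```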
-
Quiz 1 Review (#6 57%)
6. Spoliation - The destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation
A party claiming Spoliation must demonstrate:
The party having control of the evidence had an obligation to preserve it at the time it was destroyed
The evidence was destroyed with a culpable state of mind
The destroyed evidence was relevant to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense
-
Quiz 1 Review (#7,8 87%,13%)
7/8 NTFS
Terminology & important attributes
-
Quiz 1 Review
7/8 NTFS/MFT
Everything in NTFS is a file
MFT structure (every file has an MFT entry)
File attributes, particularly:
Standard Information Attribute (contains primary file timestamps)
Filename Attribute (there may be two of these, and each contains a redundant set of timestamps)
Data Attribute (for resident files [very small], data is contained in the MFT entry itself)
Data attributes after the first are referred to as Alternate Data Streams
Index_Root Attribute (directories/folders, resident)
Index_Allocation Attribute (directories/folders, nonresident) B-Tree
Contains complete File_Name Attributes, including redundant timestamps
-
Quiz 1 Review (#9 80%)
9. Evidence tracking & documentation process: Chain of Custody
-
MUICache Correction: Key moved in Win7
XP: NTUSER.DAT hive
HKU\*\Software\Microsoft\Windows\ShellNoRoam\MUICache
Win7: UsrClass.dat hive
HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache
Another location to check to see if an executable has been run
Doesn't list run time
-
New Material for This Week
Thumbnails
Email Forensics
Intro to Incident Response
Malicious Code Incident Handling
Link/Shortcut Files
Windows 7 Jump Lists
Prefetch
-
Thumbnails
Mechanism for creating and storing thumbnail images of pictures & first pages of documents for use in folder previews
Pre-Vista: Thumbs.db
Vista+: Thumbcache
-
Pre-Vista: Thumbs.db
Populated in any folder which has at one time been set to show thumbnails of included images & documents
Hidden file, not viewed by most users and not cleaned out when files are removed from the folder
Uses OLE compound document format (similar to Office 2K3 and previous) to store:
thumbnail picture of original image or first page of document
last modification time
original filename
-
Thumbs.db Analysis
Binary format is a mess. Sector based, devised in the days of floppy disks.
Free tool: MiTeC Windows File Analyzer
Another one: Vinetto (open source Python script; also does Vista thumbcache)
Format is also parsed directly by EnCase and FTK
-
Vista+: Thumbcache
A single, centrally stored set of files for each user:
Thumbcache_32.db (small)
Thumbcache_96.db (medium)
Thumbcache_256.db (large)
Thumbcache_1024.db (extra large)
Thumbcache_idx.db
Thumbcache_sr.db
Located in \AppData\Local\Microsoft\Windows\Explorer
All created when a folder is switched to thumbnail mode or the user views pictures in a slideshow
Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers
Numbered files store the actual images; linking to files is done by the idx file.
Purpose of the sr file not yet determined
-
Email Forensics
In Transit: Simple Mail Transfer Protocol (SMTP)
At Rest (various storage formats)
PST/OST (Outlook)
DBX (Outlook Express)
EML/FOL (Windows Mail)
MSF/no ext (Thunderbird)
MBX/TOC (Eudora)
Others
Calendar & Contact data
-
Telnet SMTP Spoofing Example
[srchost]# telnet localhost 25
Trying 127.0.0.1
Connected to srchost.com.
220 srchost.com ESMTP Sendmail
helo
250 OK
mail from: spoofedsrc@supposedly_from.com
250 spoofedsrc@supposedly_from.com Sender ok
rcpt to: [email protected]
250 [email protected]... Recipient ok
data
354
This is a spoofed message.
.
250 RAA Message accepted for delivery
quit
221 srchost.com closing connection
Connection closed by foreign host
-
Example Email Headers
Return-Path:
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from sandiego.cs.toronto.edu (sandiego.cs [128.100.3.228])
    by hermes.cs.toronto.edu (Postfix) with SMTP id 299162A575
    for ; Mon, 20 Nov 2006 14:14:56 -0500 (EST)
Received: from yonge.cs.toronto.edu ([128.100.1.8])
    by sandiego.cs.toronto.edu with SMTP id ; Mon, 20 Nov 2006 14:14:48 -0500
Received: from tomts5.bellnexxia.net ([209.226.175.25], HELO=tomts5-srv.bellnexxia.net)
    by yonge.cs.toronto.edu with SMTP id ; Mon, 20 Nov 2006 13:54:16 -0500
Received: from chass ([64.228.109.187])
    by tomts5-srv.bellnexxia.net (InterMail vM.5.01.06.13 201-253-122-130-113-20050324)
    with SMTP id for ; Mon, 20 Nov 2006 13:54:13 -0500
Message-ID:
From: "kathy Gruspier"
To: "G. Scott Graham"
-
Useful Headers
Received: one added by each SMTP server in the forwarding chain
Message-ID: added by the originating SMTP server; Unique_identifier@originating_server
X-Originating-IP: optional, added by the originating MTA; should match the earliest Received header
X-Mailer: optional, added by the creating email client
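An added example, not from the lecture, that applies the checks above to a header block: it lists the Received hops oldest-first (each MTA prepends its line, so the last one in the block is the earliest hop), then verifies that X-Originating-IP matches the earliest hop, that the Message-ID domain is the originating server, and that hop timestamps never run backwards. The sample message is constructed from example.* domains and documentation IP ranges.

```python
import email
import re
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample, not a real message
SAMPLE = """\
Return-Path: <alice@example.org>
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by inbox.example.com (Postfix) with ESMTP id 4F2A1B3C
    for <bob@example.com>; Mon, 20 Nov 2006 14:14:56 -0500 (EST)
Received: from relay.example.org ([198.51.100.7])
    by mx1.example.net with ESMTP id 9C7D; Mon, 20 Nov 2006 14:14:48 -0500
Received: from workstation ([203.0.113.42])
    by relay.example.org with SMTP id 1A2B; Mon, 20 Nov 2006 13:54:13 -0500
Message-ID: <20061120185413.1A2B@relay.example.org>
X-Originating-IP: 203.0.113.42
X-Mailer: ExampleMailer 1.0
From: "Alice" <alice@example.org>
To: "Bob" <bob@example.com>
Subject: test

body
"""

def parse_received(value):
    """Split one Received header into from-host, from-IP, by-host and timestamp."""
    text = " ".join(value.split())                        # unfold continuation lines
    head, _, date = text.rpartition(";")
    date = re.sub(r"\s*\([^)]*\)\s*$", "", date.strip())  # drop a trailing "(EST)" comment
    from_part, _, by_part = head.partition(" by ")
    host = re.search(r"\bfrom (\S+)", from_part)
    ip = IP_RE.search(from_part)
    return {"from": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
            "by": by_part.split()[0] if by_part else None,
            "time": parsedate_to_datetime(date)}

def analyze(raw):
    """Return the hop list oldest-first plus any consistency findings."""
    msg = email.message_from_string(raw)
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    if not hops:
        return hops, ["no Received headers"]
    findings = []
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IP_RE.search(xoip)
        if not m or m.group(1) != hops[0]["ip"]:
            findings.append("X-Originating-IP does not match the earliest Received hop")
    msgid = msg.get("Message-ID", "")
    domain = msgid.rsplit("@", 1)[-1].strip("<> ") if "@" in msgid else ""
    if domain and domain != hops[0]["by"]:
        findings.append(f"Message-ID domain {domain} differs from first receiving server {hops[0]['by']}")
    for a, b in zip(hops, hops[1:]):
        if b["time"] < a["time"]:
            findings.append(f"timestamp goes backwards between {a['by']} and {b['by']}")
    return hops, findings
```

Only the earliest hops can be trusted as far as the first server you control; anything below a forged Received line is attacker-supplied text, so the findings are leads, not proof.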
-
Attachments
SMTP only allows text
Enter Multipurpose Internet Mail Extensions (MIME)
Message segmentation
Base64-encoded attachments in their own segments
-
Outlook
OST: local cache file
Sometimes gets corrupted and is deleted, so you may find old ones
As it's typically very large, it's not as likely to be overwritten soon as most other files
Can be converted to a PST file by some tools (at the cost of losing unallocated space inside it)
Search directly using MS Compressible Encryption (EnCase)
PST: personal mail archive
Similar format to OST
Stored by default in:
\Local Settings\Application Data\Microsoft\Outlook (XP & prior)
\AppData\Local\Microsoft\Outlook (Vista+)
-
Outlook Express
Shipped with Windows prior to Vista
Files *.DBX & folder.DBX stored in \Local Settings\Application Data\Identities\\Microsoft\Outlook Express
Last compaction data indicated by cleanup.log file in the same folder
Deleted messages not actually removed until compaction
Deleted DBX files will likely appear in unallocated space, as they are copied before compacting
-
Current Windows Mail
Installed in Vista+
Files *.EML & *.FOL stored in \AppData\Local\Microsoft\Windows Mail
Deleted mail (individual EML files) moved to Deleted Items under this folder. Not cleared by default.
Users can manually delete, or can set an option to periodically clear the deleted items folder.
-
Thunderbird
Files (no extension) & *.MSF stored in \Application Data\Thunderbird\Profiles\.default\Mail\
Compaction is only done manually by default
After compaction, email fragments are typically still present in unallocated space
-
Eudora
Files *.MBX & *.TOC stored in \Application Data\Qualcomm\Eudora
Settings stored in eudora.ini
Attachments are stored in a separate Attach subfolder
Message deletion results in marking messages deleted, but not overwriting unless compacted
-
Other Email Clients
Many use the same file extensions
Examine installed applications for other email clients
Look in associated Program Folders or similar folder under user profile
Use keyword searches to find email
Look for exported email: .TXT, .HTM, .EML, .MSG, etc.
-
Appointments & Contacts
Calendar data: .ICS, .SDB (SQLite), .PST
Address books: .WAB (binary), .VCF (text), .PAB (binary), .MAB, .NNT (text)
Tasks: .SDB (SQLite), .PST
SQLite data can be examined directly using the SQLite Database Browser
-
Incident Response: What not to do
1. Panic
2. Reimage the affected systems
3. Downplay everything you can
4. Paper over the holes
5. Fire somebody
6. Blame consultants for everything else
7. Lather, Rinse, Repeat
-
Incident Response
The six phases of the standard IR model
1. Preparation (most important)
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-Up (also most important)
-
If you haven't prepared
It's going to cost you
1. Remain calm. Panic begets panic.
2. Document events thoroughly so that new participants can be brought up to speed quickly, and for future reference
3. Notify the right people. If you can't figure out who the right people are, start up the chain of command, and branch out through whatever security group you're aware of.
4. Restrict knowledge of the incident to those who need to know. This includes the management chain, security, and anyone involved with responding to the incident.
-
If you haven't prepared
5. Don't use communications infrastructure that may be compromised.
6. Contain the problem. Remove systems from the network quickly unless necessary to identify further compromise
7. Forensically image affected systems as quickly as practical for later analysis
8. Clean up affected systems. If able to identify initial deficiencies, correct them
-
If you haven't prepared
9. Restore systems from backup (after ensuring the backups are clean). Monitor systems closely for a few weeks to ensure they're not compromised again
10. Learn from this experience, and implement a formal set of Incident Response practices
-
Preparation
Proactive incident prevention & response facilitation techniques, including deployment of detection infrastructure
Create a formal written incident response plan
Select IR team members and organize the team
Develop an emergency communications plan
Provide easy reporting facilities for events that may trigger incident response
Train IR team members
-
Preparation
Establish guidelines for cooperation from other groups that may be required to contribute
Ensure smooth two-way communication with IT administrators
Develop interfaces to Law Enforcement and other CIRTs
-
Identification
Assign one person responsibility for the incident: central point of contact for tracking & coordination
Determine whether reported activity is actually an incident
Maintain careful chain of custody if there is an expectation that law enforcement may be involved
Coordinate with ISP and/or Networking group
Notify appropriate officials
-
Containment
Deploy on-site team to survey the situation
Keep a low profile
Avoid, where possible, running potentially compromised code
Forensically image affected systems
Determine the risk of continuing operations while responding
Keep system owners informed, but don't discuss blame
Change passwords
-
Eradication
Determine cause and symptoms
Improve defenses: harden systems & networks
Vulnerability analysis
Remove the original cause of the intrusion
Locate the most recent clean backups for affected systems
-
Recovery
Restore the systems
Validate the systems
Fully inform system owners & allow them to decide when to return systems to service
Monitor the systems for recurrence or similar activity
-
Follow-Up
Develop a follow-up report
Reporting is a priority as soon as the incident is closed
Report should be compiled by the people who were actually involved on-site
All affected parties should review the report draft
Reach consensus or document disagreement
Conduct a lessons-learned meeting to identify changes which may mitigate similar incidents in the future
-
Follow-Up
Create an executive summary for management: cost, impact, recommended changes to follow
Send recommended changes to management: prioritized, costs, proposed schedule, & impact of implementing or ignoring
Implement approved changes
-
Malicious Code Incidents
AV software: 80% effective for non-targeted malware
Encourage users to report anomalous behavior
Monitor for abnormal outgoing traffic (I've heard good things about Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich; sadly, not on the library site)
Use a standardized OS image & install process, and do not allow users Admin rights
Develop contacts in the malware analysis community
Commercial sandboxes can aid with analysis
-
Link/Shortcut Files (.LNK)
Whenever a file (local or remote) is opened using Explorer, a shortcut file is created in:
\Recent (XP)
\AppData\Roaming\Microsoft\Windows\Recent (Vista/7)
\AppData\Roaming\Microsoft\Office\Recent (Vista/7)
-
Shortcut file contents
Begins with magic value 4C 00 00 00 ("L" NUL NUL NUL)
Four-byte file length at offset 34h (easy to carve)
Timestamps from original file when shortcut last accessed
Size from original file when shortcut last accessed
Volume info: name, type (HD, removable, remote, CD), serial #
Network share name, if any
Long & short filename
Original file path
File location (ObjectID [contains MAC address] + VolumeID); two different ones if the file has been moved between 2 NTFS volumes
Other misc data: see whitepapers
-
Shortcut Analysis
MiTeC Windows File Analyzer
lslnk.pl from Windows Forensic Analysis DVD Toolkit 2E by Harlan Carvey
lnk-parse.pl by Jake Cunningham
-
Windows 7 Jump Lists
Replaced the old Quick Launch toolbar from XP
Allows user to pin a program to the taskbar for similar functionality
Actual implementation substantially more complicated, similar to & used like the old My Recent Documents shortcuts.
Recent Items in the Win7 start menu goes to a folder that contains both shortcuts and Jump Lists
Applications can define custom right-click options for their Jump Lists
-
Windows 7 Jump Lists
Another way to note opening or creation of files
Records file access for specific applications
Lists can contain up to several hundred items, though only a few are shown
Another way to identify previous existence of deleted or wiped files
-
Windows 7 Jump Lists
Two types
Automatic: created by the application only
\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Custom: created by tracking users' habits, similar to the UserAssist start menu
\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
If an application is registered as a handler for a file type (not necessarily the default handler for that type), then items of that type can appear in its jump list.
-
Windows 7 Jump Lists
Jump Lists are linked to unique AppIDs. For common applications, these are assigned by the developer. For others they are generated based on the process name.
Different command arguments for the same application can result in a different AppID
-
Custom Destinations
File name is .customDestinations-ms
Create time is first execution of application
Modification time is last time application opened a file
File contains an embedded .LNK file which can be carved out (LNK header is \x4c\x00\x00\x00\x01\x14\x02, file size is 4 bytes at offset 34h) and analyzed
Other contained information is custom per application
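An added example, not code from the lecture, covering both the shortcut-contents slide and the carving described above: it scans a container for the 7-byte header signature, then decodes the fixed 0x4C-byte shell link header at each hit. Field positions follow the MS-SHLLINK layout; the 4-byte value at offset 34h is the size of the target file as recorded when the link was written. The container is constructed (two headers wrapped in junk bytes).

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02"   # HeaderSize 0x4C followed by start of the LinkCLSID
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation"}

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_header(buf, off=0):
    """Decode the fixed ShellLinkHeader at buf[off:]."""
    if buf[off:off + 4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link header")
    # 0x14 LinkFlags, 0x18 FileAttributes, 0x1C/0x24/0x2C creation/access/write FILETIMEs,
    # 0x34 FileSize of the target
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", buf, off + 0x14)
    return {"offset": off,
            "flags": [n for b, n in LINK_FLAGS.items() if flags & b],
            "target_attributes": attrs,
            "target_created": filetime_to_dt(ctime),
            "target_accessed": filetime_to_dt(atime),
            "target_written": filetime_to_dt(wtime),
            "target_size": size}

def carve_links(blob):
    """Return a parsed header for every LNK signature found in a container."""
    hits, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        if pos + 0x4C <= len(blob):              # skip a signature cut off at the end
            hits.append(parse_header(blob, pos))
        pos = blob.find(LNK_MAGIC, pos + 1)
    return hits

def make_header(flags, size, when):
    """Constructed 0x4C-byte header; CLSID 00021401-0000-0000-C000-000000000046."""
    ft = int((when - EPOCH).total_seconds()) * 10_000_000
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    return (struct.pack("<I", 0x4C) + clsid
            + struct.pack("<IIQQQIIIH", flags, 0x20, ft, ft, ft, size, 0, 1, 0)
            + b"\0" * 10)                        # Reserved1..3

def build_sample():
    """Constructed container: junk, one link, more junk, a second link."""
    a = make_header(0x01 | 0x02, 2048, datetime(2011, 8, 15, 10, 0, tzinfo=timezone.utc))
    b = make_header(0x04 | 0x08, 777, datetime(2012, 1, 2, 3, 4, tzinfo=timezone.utc))
    return b"\xab" * 33 + a + b"\0" * 17 + b"junk" * 5 + b + b"\0" * 8
```

The strings that follow the header (target path, volume serial, share name) are only present when the corresponding flag bit is set, so the flag list tells you which of them to expect before parsing further.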
-
Automatic Destinations
File name is .automaticDestinations-ms
Create time is first execution of application
Modification time is last time application opened a file
Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer
-
Windows 7 Jump Lists
Frequently, applications will have both Automatic and Custom jump lists
-
Viewing Automatic Destinations in Structured Storage Viewer
Streams stored numerically from earliest (usually 1) to the most recent
To recover the link, simply right-click on the stream and save as a .LNK file
Examine extracted link files using the MiTeC Windows File Analyzer
Expect there to be overlapping data from the registry, link files, and jump lists. If there's none, you should usually think about why.
-
Windows 7 Jump Lists
Brief demo of examining an Automatic jump list using Structured Storage Viewer
Brief demo of examining an exported .LNK file with MiTeC Windows File Analyzer
-
Prefetch/Superfetch Files (.pf)
Used to increase performance by preloading code pages for commonly used applications
Referred to as superfetch in Vista/Win7
Found in %Windir%\Prefetch
-.pf
Prefetch not cleaned out when exe is removed
Up to 128 of them can exist at a time
-
Data in .pf file
File signature (beginning of file):
XP: \x11\x00\x00\x00\x53\x43\x43\x41 (SCCA)
Vista/7: \x17\x00\x00\x00\x53\x43\x43\x41 (SCCA)
Contains paths of all files & folders accessed by the program in the first 10 seconds
Create time indicates when executable was first run
Mod date & internal FILETIME indicate the last run time
Run count
Volume path & serial # for all files referenced
Prefetch\Layout.ini contains path information
File size: 4-byte quantity at offset 0x000c
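As an added example that is not from the lecture, the header fields listed above decoded from constructed .pf headers for both format versions: the leading version word (0x11 for XP, 0x17 for Vista/7) selects where the last-run FILETIME and run counter sit (0x78/0x90 in the XP layout, 0x80/0x98 in Vista/7), the executable name is UTF-16LE at 0x10, and the size at 0x0C is compared with the actual length, which is how a truncated or mis-carved file reveals itself.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SIGNATURE = b"SCCA"
# Version-dependent offsets of the last-run FILETIME and the run counter
LAYOUT = {0x11: {"os": "XP/2003", "last_run": 0x78, "run_count": 0x90},
          0x17: {"os": "Vista/7", "last_run": 0x80, "run_count": 0x98}}

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(buf):
    """Decode the fixed header of a .pf file: version, name, size, last run, run count."""
    version, sig, _, file_size = struct.unpack_from("<I4sII", buf, 0)
    if sig != SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version 0x{version:x}")
    lay = LAYOUT[version]
    # executable name: NUL-terminated UTF-16LE in a 60-byte field at 0x10
    exe = buf[0x10:0x10 + 60].decode("utf-16-le").split("\0", 1)[0]
    path_hash = struct.unpack_from("<I", buf, 0x4C)[0]   # same hash as in the file name
    last_run = struct.unpack_from("<Q", buf, lay["last_run"])[0]
    run_count = struct.unpack_from("<I", buf, lay["run_count"])[0]
    return {"os": lay["os"], "version": version, "file_size": file_size, "exe": exe,
            "hash": path_hash, "last_run": filetime_to_dt(last_run),
            "run_count": run_count, "size_matches": file_size == len(buf)}

def make_sample(version, exe, run_count, when, total_size=0x200):
    """Constructed .pf header for the given format version (not a real Prefetch file)."""
    lay = LAYOUT[version]
    buf = bytearray(total_size)
    struct.pack_into("<I4sII", buf, 0, version, SIGNATURE, 0x0F, total_size)
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x0FE8F3A9)         # placeholder hash, constructed value
    ft = int((when - EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, lay["last_run"], ft)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    return bytes(buf)

def demo():
    """One XP header, one Vista/7 header, and the Vista/7 header cut short."""
    xp = make_sample(0x11, "CALC.EXE", 7, datetime(2010, 6, 1, 8, 0, tzinfo=timezone.utc))
    w7 = make_sample(0x17, "NOTEPAD.EXE", 12, datetime(2012, 2, 3, 4, 5, tzinfo=timezone.utc))
    return parse_prefetch(xp), parse_prefetch(w7), parse_prefetch(w7[:0x100])
```

Reading a Vista/7 file with the XP offsets silently yields a wrong timestamp and count, so checking the version word first matters more than it looks.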
-
Prefetch Analysis
Prefetch Parser (for both XP & Vista) by Mark McKinnon of RedWolf Computer Forensics
prefetch.pl, vista_pref.pl from Windows Forensic Analysis DVD Toolkit 2E by Harlan Carvey
EnCase EnScript by Yogesh Khatri of 43llc
-
Reading for next week
Chapter 7 (Timeline Analysis) in the Carvey book
Next week's lecture will cover:
Timelining
Keyword Searching & Result Analysis
Using Autopsy (SIFT Kit)
-
Questions?