CNS 320 Week5 Lecture


  • 7/28/2019 CNS 320 Week5 Lecture


    CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

    Week 5 Lecture

    Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

    Quiz 1 Review

    1. Four types of NTFS TimeStamp

    2. Attribute holding standard NTFStimestamps

    3. Long/short filename MFT records

    4. File Slack

    5. Registry Key Structure

    6. Spoliation

    7. NTFS MFT

    8. NTFS Folder Information Attributes

    9. Chain of Custody

    Quiz 1 Review (#1 88%)

    1. Four types of NTFS TimeStamp (in order as they appear in MFT attributes): MACB

    Born/Created

    Modified: Last written time of the file's data attribute

    Changed: Last written time of the file's MFT entry (ownership or permission change doesn't change the Changed time)

    Accessed

    Key Info: Remember the names

    Remember the difference between Modified & Changed

    Quiz 1 Review (#2 60%)

    2. Which NTFS Attribute stores the timestamps that are used by most Windows APIs?

    Standard Information Attribute

    Other places NTFS timestamps are stored:

    Filename Attributes (Long and 8.3)

    INDEX_ROOT & INDEX_ALLOCATION Attributes for parent folder

    Include copies of Filename Attributes

    Quiz 1 Review (#3 23%)

    3. File Timestamp locations in MFT entry

    Most important takeaway from my first forensics class, as well as my favorite interview question

    Burn the next slide into your brains (except for the actual namespace identifiers)

    Please don't get this question wrong on the final

    Quiz 1 Review

    3. File Timestamp locations in MFT entry

    One set of four in the Std Info Attribute

    One set in each of the Filename attributes

    Files that have names fitting within the legacy 8.3 (8 character name, 3 character extension) specification have only one Filename attribute (Namespace 3 - Win32/DOS)

    Files with a longer name or extension have a long (Namespace 1 - Win32) Filename attribute, plus an additional 8.3 (Namespace 2 - DOS) Filename attribute that is automatically generated
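The three-timestamp-set rule on the last two slides, as an added worked example that is not part of the lecture: a small Python parser that walks the resident attributes of one MFT record and returns one MACB set from $STANDARD_INFORMATION plus one from each $FILE_NAME attribute, reporting the namespace of every name. The record it parses is constructed inline (a long-named file, so one DOS and one Win32 $FILE_NAME) and is not from a real volume; the parser assumes the update-sequence fixups have already been applied and that every attribute is resident, which is true of the sample but must be handled before pointing it at a real $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME = 100-ns ticks since 1601-01-01 00:00:00 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_1970 = 116444736000000000            # FILETIME of 1970-01-01 00:00:00 UTC
TICKS_PER_DAY = 864_000_000_000


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32/DOS"}


def iter_resident_attributes(record):
    """Yield (type, content) for each resident attribute of one MFT record.
    Assumes update-sequence fixups were applied already (not done here)."""
    off = struct.unpack_from("<H", record, 0x14)[0]      # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:               # end-of-attributes marker
            break
        if record[off + 8] == 0:                           # non-resident flag clear
            csize, coff = struct.unpack_from("<IH", record, off + 0x10)
            yield atype, record[off + coff:off + coff + csize]
        off += alen


def timestamp_sets(record):
    """One dict per timestamp set: $STANDARD_INFORMATION plus each $FILE_NAME.
    On disk each set is stored as created, modified, MFT-changed, accessed."""
    sets = []
    for atype, c in iter_resident_attributes(record):
        if atype == ATTR_STANDARD_INFORMATION:
            cr, mo, ch, ac = struct.unpack_from("<QQQQ", c, 0)
            entry = {"source": "$STANDARD_INFORMATION", "name": None, "namespace": None}
        elif atype == ATTR_FILE_NAME:
            cr, mo, ch, ac = struct.unpack_from("<QQQQ", c, 8)   # after 8-byte parent ref
            name_len, ns = c[0x40], c[0x41]
            entry = {"source": "$FILE_NAME",
                     "name": c[0x42:0x42 + 2 * name_len].decode("utf-16-le"),
                     "namespace": NAMESPACES.get(ns, ns)}
        else:
            continue
        entry.update(created=filetime_to_dt(cr), modified=filetime_to_dt(mo),
                     mft_changed=filetime_to_dt(ch), accessed=filetime_to_dt(ac))
        sets.append(entry)
    return sets


# ---- constructed sample record (not taken from a real volume) ----
def _attr(atype, content):
    """Resident attribute: 0x18-byte header, content at 0x18, padded to 8 bytes."""
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0,
                      len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (total - 0x18 - len(content))


def _file_name(name, namespace, ts):
    """$FILE_NAME content: parent ref, 4 FILETIMEs, sizes/flags, len, ns, name."""
    return (b"\x00" * 8 + struct.pack("<QQQQ", *ts) + b"\x00" * 24
            + bytes([len(name), namespace]) + name.encode("utf-16-le"))


def build_sample_record():
    si_ts = [FT_1970 + 2 * TICKS_PER_DAY] * 4            # 1970-01-03 in $STANDARD_INFORMATION
    fn_ts = [FT_1970] * 4                                # 1970-01-01 in both $FILE_NAMEs
    header = b"FILE" + b"\x00" * 16 + struct.pack("<H", 0x38) + b"\x00" * 34
    body = (_attr(ATTR_STANDARD_INFORMATION, struct.pack("<QQQQ", *si_ts) + b"\x00" * 24)
            + _attr(ATTR_FILE_NAME, _file_name("LONGFI~1.TXT", 2, fn_ts))
            + _attr(ATTR_FILE_NAME, _file_name("long filename.txt", 1, fn_ts))
            + b"\xff\xff\xff\xff" + b"\x00" * 4)
    return header + body


if __name__ == "__main__":
    for s in timestamp_sets(build_sample_record()):
        print(s["source"], s["namespace"], s["name"], s["created"].isoformat())
```

Running it prints three lines, one per timestamp set; in the sample the $FILE_NAME times deliberately differ from the $STANDARD_INFORMATION times so that the redundancy the slides describe is visible in the output.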

    File Slack (#4 30%)

    I think I see where I went wrong here

    Can anybody explain to me the difference between a Cluster and a Sector?

    Both are minimum supported allocation unit sizes

    Sector is for the physical device (as seen by the OS)

    Cluster is for the filesystem

    It's possible for both to be the same size

    Clusters are typically several times (an exact multiple) the size of a sector

    Quiz 1 Review

    4. What is File Slack? (definition should specifically include RAM Slack) Use an example on the back if you need to clarify.

    The answer "Any remaining sectors in the last cluster of a file following the RAM Slack" does not include RAM Slack.

    Answer should have been something like:

    All unused space in the last cluster of the file, including the RAM Slack, which is unused space in the last occupied sector

    Quiz 1 Review

    4. File Slack

    Space after the end of the file data in the last cluster allocated to the file

    Space between the logical and physical end of file

    Term is sometimes used inconsistently WRT the inclusion of RAM slack

    RAM Slack

    Space between the end of file data in the last occupied sector, and the end of that sector

    If file uses the last sector in the cluster, this is the same as file slack

    Called RAM slack because old versions of Win95 populated it with random data from memory

    4. File Slack Diagram

    [Diagram: a file spanning 3 allocated clusters, with the sectors of each cluster shown; labels: Sector, Cluster, Occupied Sector, File Slack Sector, RAM Slack]
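The definitions on the preceding slides (file slack as all unused space in the last cluster, RAM slack as the unused tail of the last occupied sector, and the case where the two coincide), as an added worked example rather than part of the lecture. Sector size and sectors per cluster are parameters; the defaults (512-byte sectors, 8 sectors per cluster) and the sample file sizes are constructed. The function treats the file as non-resident; a resident file keeps its data in the MFT entry and has no cluster slack to compute.

```python
import math


def slack_layout(file_size, sector_size=512, sectors_per_cluster=8):
    """Lay out a non-resident file of `file_size` bytes and compute its slack.

    file_slack follows the lecture's definition: all unused space in the last
    cluster, RAM slack included.  ram_slack is the unused tail of the last
    occupied sector only.  All results are in bytes."""
    if file_size < 0:
        raise ValueError("file_size must be >= 0")
    cluster_size = sector_size * sectors_per_cluster
    clusters = math.ceil(file_size / cluster_size)        # allocation unit of the filesystem
    sectors_used = math.ceil(file_size / sector_size)      # allocation unit of the device
    physical_eof = clusters * cluster_size
    ram_slack = sectors_used * sector_size - file_size
    file_slack = physical_eof - file_size
    return {
        "cluster_size": cluster_size,
        "clusters_allocated": clusters,
        "sectors_occupied": sectors_used,
        "logical_eof": file_size,
        "physical_eof": physical_eof,
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        # whole sectors in the last cluster that hold no file data at all
        "unused_sectors": clusters * sectors_per_cluster - sectors_used,
        # the edge case from the slide: the file ends inside the last sector of
        # its last cluster, so RAM slack and file slack are the same region
        "ram_slack_is_file_slack": ram_slack == file_slack,
    }


def describe(file_size, sector_size=512, sectors_per_cluster=8):
    """One-line summary of the kind an examiner would put in notes."""
    l = slack_layout(file_size, sector_size, sectors_per_cluster)
    return (f"{file_size} bytes -> {l['clusters_allocated']} cluster(s) of "
            f"{l['cluster_size']}; {l['sectors_occupied']} sector(s) occupied; "
            f"RAM slack {l['ram_slack']} bytes; file slack {l['file_slack']} bytes "
            f"({l['unused_sectors']} whole unused sector(s))")


if __name__ == "__main__":
    for size in (10000, 4000, 8192):          # constructed sample sizes
        print(describe(size))
```

With the defaults, a 10000-byte file occupies 20 sectors across 3 clusters and leaves 240 bytes of RAM slack inside 2288 bytes of file slack; a 4000-byte file ends in the last sector of its only cluster, so both slack figures are the same 96 bytes; an 8192-byte file fills its two clusters exactly and has no slack of either kind.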

    Quiz 1 Review (#5 20%)

    5. Registry Structures

    Maybe people didn't realize what I was asking here. It's really about how to recognize Registry Keys and Values from context, and what you can extract from them

    Quiz 1 Review

    5. Registry Structures

    Key: "nk" signature, contains a Windows FILETIME timestamp

    Value: "vk" signature, no timestamp, but may appear shortly after its parent nk structure
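Recognizing nk and vk records from context, as an added example that is not part of the lecture: a Python carver that scans raw hive bytes for the two signatures, uses the signed cell-size field that precedes every record to reject false positives, and pulls out what the slide says each record yields (the key's name and FILETIME last-write time; the value's name, type and data length). The record offsets it relies on come from the publicly documented hive format rather than from the slides: in nk, last-write FILETIME at 0x04, subkey count at 0x14, value count at 0x24, name length at 0x48 and name at 0x4C; in vk, name length at 0x02, data length at 0x04 (high bit set when the data is stored in the offset field itself), data offset at 0x08, type at 0x0C, flags at 0x10 and name at 0x14. The hive fragment it scans is constructed inline and is not from a real NTUSER.DAT.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_1970 = 116444736000000000            # FILETIME of 1970-01-01 00:00:00 UTC


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_nk(data, off):
    """Key node. `off` is the position of the 'nk' signature inside its cell."""
    flags, last_write = struct.unpack_from("<HQ", data, off + 0x02)
    n_subkeys = struct.unpack_from("<I", data, off + 0x14)[0]
    n_values = struct.unpack_from("<I", data, off + 0x24)[0]
    name_len = struct.unpack_from("<H", data, off + 0x48)[0]
    name = data[off + 0x4C:off + 0x4C + name_len].decode("latin-1")
    return {"kind": "key", "offset": off, "name": name, "flags": flags,
            "last_write": filetime_to_dt(last_write),
            "subkeys": n_subkeys, "values": n_values}


def parse_vk(data, off):
    """Value record: no timestamp of its own, so its key's nk supplies the time."""
    name_len, data_len, data_off, vtype, flags = struct.unpack_from("<HIIIH", data, off + 0x02)
    name = data[off + 0x14:off + 0x14 + name_len].decode("latin-1") if name_len else "(Default)"
    return {"kind": "value", "offset": off, "name": name, "type": vtype,
            "data_len": data_len & 0x7FFFFFFF,
            "data_inline": bool(data_len & 0x80000000),   # data lives in data_off itself
            "data_off": data_off}


def carve_records(data, max_cell=0x10000):
    """Scan raw hive bytes (allocated or unallocated) for nk/vk records.

    A record sits 4 bytes into its cell, after a signed cell size that is
    negative when the cell is allocated; that size is used to reject
    signature false positives such as the letters 'nk' inside ordinary text."""
    found = []
    for sig, parser, min_len in ((b"nk", parse_nk, 0x4C), (b"vk", parse_vk, 0x14)):
        p = data.find(sig)
        while p != -1:
            if p >= 4:
                cell = struct.unpack_from("<i", data, p - 4)[0]
                size = abs(cell)
                if min_len < size <= max_cell and p - 4 + size <= len(data):
                    try:
                        rec = parser(data, p)
                        rec["allocated"] = cell < 0
                        found.append(rec)
                    except (struct.error, UnicodeDecodeError):
                        pass
            p = data.find(sig, p + 1)
    return sorted(found, key=lambda r: r["offset"])


# ---- constructed hive fragment (not from a real NTUSER.DAT) ----
def _cell(payload):
    size = (4 + len(payload) + 7) & ~7                     # cells are 8-byte multiples
    return struct.pack("<i", -size) + payload + b"\x00" * (size - 4 - len(payload))


def _nk(name, last_write_ft, n_values):
    rec = bytearray(0x4C)
    rec[0:2] = b"nk"
    struct.pack_into("<HQ", rec, 0x02, 0x20, last_write_ft)
    struct.pack_into("<I", rec, 0x24, n_values)
    struct.pack_into("<H", rec, 0x48, len(name))
    return bytes(rec) + name.encode("latin-1")


def _vk(name, vtype, data_len):
    rec = bytearray(0x14)
    rec[0:2] = b"vk"
    struct.pack_into("<HIIIH", rec, 0x02, len(name), data_len, 0xFFFFFFFF, vtype, 1)
    return bytes(rec) + name.encode("latin-1")


SAMPLE_HIVE_CHUNK = (b"\x00" * 11 + b"blank"                 # 'nk' false positive
                     + _cell(_nk("Run", FT_1970 + 864_000_000_000, 1))
                     + _cell(_vk("Updater", 1, 20))          # REG_SZ, 20 bytes of data
                     + b"\x00" * 8)

if __name__ == "__main__":
    for r in carve_records(SAMPLE_HIVE_CHUNK):
        print(r)
```

The output lists the key first and its value immediately after it, which is the adjacency the slide points to; the "nk" inside the word "blank" is dropped because the four bytes before it do not form a plausible cell size.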

    Quiz 1 Review (#6 57%)

    6. Spoliation - The destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation

    A party claiming Spoliation must demonstrate:

    The party having control of the evidence had an obligation to preserve it at the time it was destroyed

    The evidence was destroyed with a culpable state of mind

    The destroyed evidence was relevant to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense


    Quiz 1 Review (#7,8 87%,13%)

    7/8 NTFS

    Terminology & important attributes

    Quiz 1 Review

    7/8 NTFS/MFT

    Everything in NTFS is a File

    MFT Structure (every file has an MFT entry)

    File Attributes, particularly:

    Standard Information Attribute (contains primary file timestamps)

    Filename Attribute (there may be two of these, and each contains a redundant set of timestamps)

    Data Attribute (for resident files [very small], data is contained in the MFT entry itself)

    Data attributes after the first are referred to as Alternate Data Streams

    Index_Root Attribute (directories/folders, resident)

    Index_Allocation Attribute (directories/folders, nonresident) B-Tree

    Contains complete File_Name Attributes, including redundant timestamps

    Quiz 1 Review (#9 80%)

    9. Evidence tracking & documentation process: Chain of Custody

    MUICache Correction: Key moved in Win7

    XP NTUSER.DAT Hive:

    HKU\*\Software\Microsoft\Windows\ShellNoRoam\MUICache

    Win7 UsrClass.dat Hive:

    HKU\*\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache

    Another location to check to see if an executable has been run

    Doesn't list run time

    New Material for This Week

    Thumbnails

    Email Forensics

    Intro to Incident Response

    Malicious Code Incident Handling

    Link/Shortcut Files

    Windows 7 Jump Lists

    Prefetch

    Thumbnails

    Mechanism for creating and storing thumbnail images of pictures & first pages of documents for use in folder previews

    Pre-Vista: Thumbs.db

    Vista+: Thumbcache

    Pre-Vista: Thumbs.db

    Populated in any folder which has been at one time set to show thumbnails of included images & documents

    Hidden file, not viewed by most users and not cleaned out when files are removed from the folder

    Uses OLE compound document format (similar to Office 2K3 and previous) to store:

    thumbnail picture of original image or first page of document

    last modification time

    original filename

    Thumbs.db Analysis

    Binary format is a mess. Sector based, devised in the days of floppy disks.

    Free Tool: MiTeC Windows File Analyzer

    Another one: Vinetto (open source python script; also does Vista thumbcache)

    Format is also parsed directly by EnCase and FTK

    Vista+: Thumbcache

    Single, centrally stored file for each user:

    Thumbcache_32.db (small)

    Thumbcache_96.db (medium)

    Thumbcache_256.db (large)

    Thumbcache_1024.db (extra large)

    Thumbcache_idx.db

    Thumbcache_sr.db

    Located in \AppData\Local\Microsoft\Windows\Explorer

    All created when a folder is switched to thumbnail mode or the user views pictures in a slideshow

    Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers

    Numbered files store actual images; linking to files is done by the idx file.

    Purpose of sr file not yet determined

    Email Forensics

    In Transit: Simple Mail Transport Protocol (SMTP)

    At Rest (various storage formats):

    PST/OST (Outlook)

    DBX (Outlook Express)

    EML/FOL (Windows Mail)

    MSF/no ext (Thunderbird)

    MBX/TOC (Eudora)

    Others

    Calendar & Contact data

    Telnet SMTP Spoofing Example

    [srchost]# telnet localhost 25
    Trying 127.0.0.1
    Connected to srchost.com.
    220 srchost.com ESMTP Sendmail
    helo
    250 OK
    mail from: spoofedsrc@supposedly_from.com
    250 spoofedsrc@supposedly_from.com Sender ok
    rcpt to: [email protected]
    250 [email protected]... Recipient ok
    data
    354
    This is a spoofed message.
    .
    250 RAA Message accepted for delivery
    quit
    221 srchost.com closing connection
    Connection closed by foreign host

    Example Email Headers

    Return-Path:
    X-Original-To: [email protected]
    [email protected]
    Received: from sandiego.cs.toronto.edu (sandiego.cs [128.100.3.228])
        by hermes.cs.toronto.edu (Postfix) with SMTP id 299162A575
        for ; Mon, 20 Nov 2006 14:14:56 -0500 (EST)
    Received: from yonge.cs.toronto.edu ([128.100.1.8])
        by sandiego.cs.toronto.edu with SMTP id ; Mon, 20 Nov 2006 14:14:48 -0500
    Received: from tomts5.bellnexxia.net ([209.226.175.25], HELO=tomts5-srv.bellnexxia.net)
        by yonge.cs.toronto.edu with SMTP id ; Mon, 20 Nov 2006 13:54:16 -0500
    Received: from chass ([64.228.109.187])
        by tomts5-srv.bellnexxia.net (InterMail vM.5.01.06.13 201-253-122-130-113-20050324)
        with SMTP id for ; Mon, 20 Nov 2006 13:54:13 -0500
    Message-ID:
    From: "kathy Gruspier"
    To: "G. Scott Graham"

    Useful Headers

    Received: One added by each SMTP server in the forwarding chain

    Message-ID: Added by originating SMTP server; Unique_identifier@originating_server

    X-Originating-IP: Optional, added by originating MTA; should match earliest Received header

    X-Mailer: Optional, added by creating email client

    Attachments

    SMTP only allows text

    Enter Multimedia Internet Mail Extensions (MIME)

    Message Segmentation

    Base64 encoded attachments in their own segments
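The header analysis on the last three slides (walking the Received chain from the earliest hop, checking X-Originating-IP against it, reading the originating host out of Message-ID) and the base64 attachment segments, as one added Python example that is not part of the lecture. The message it parses is constructed inline: it reuses the host names and addresses from the slide's header sample, but the SMTP ids "A1", "B2" and "C3", the Message-ID, the sender and recipient addresses, the X-Mailer string and the attachment are invented. It uses only the standard library's email package; the `iter_attachments()` and `get_payload(decode=True)` calls do the MIME segmentation and base64 decoding.

```python
import email
import hashlib
import re
from email import policy

# Constructed message modelled on the header example above; not a real capture.
SAMPLE_MESSAGE = b"""\
Return-Path: <sender@example.net>
X-Originating-IP: [64.228.109.187]
Received: from sandiego.cs.toronto.edu (sandiego.cs [128.100.3.228])
\tby hermes.cs.toronto.edu (Postfix) with SMTP id 299162A575
\tfor <recipient@cs.toronto.edu>; Mon, 20 Nov 2006 14:14:56 -0500 (EST)
Received: from yonge.cs.toronto.edu ([128.100.1.8])
\tby sandiego.cs.toronto.edu with SMTP id A1; Mon, 20 Nov 2006 14:14:48 -0500
Received: from tomts5.bellnexxia.net ([209.226.175.25], HELO=tomts5-srv.bellnexxia.net)
\tby yonge.cs.toronto.edu with SMTP id B2; Mon, 20 Nov 2006 13:54:16 -0500
Received: from chass ([64.228.109.187])
\tby tomts5-srv.bellnexxia.net (InterMail vM.5.01.06.13) with SMTP id C3;
\tMon, 20 Nov 2006 13:54:13 -0500
Message-ID: <20061120185413.C3@tomts5-srv.bellnexxia.net>
X-Mailer: ExampleMailer 1.0
From: "Sender" <sender@example.net>
To: "Recipient" <recipient@cs.toronto.edu>
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See attached.
--BOUNDARY
Content-Type: application/octet-stream; name="report.bin"
Content-Disposition: attachment; filename="report.bin"
Content-Transfer-Encoding: base64

SGVsbG8sIGZvcmVuc2ljcyE=
--BOUNDARY--
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def load(raw=SAMPLE_MESSAGE):
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Hops in transmission order, earliest first.  Each MTA prepends its own
    Received header, so the header nearest the body is the first hop."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())                   # unfold + squeeze whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({"from": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def originating_ip_matches(msg):
    """Slide's rule of thumb: X-Originating-IP should equal the earliest hop's IP.
    Returns None when either piece of evidence is absent."""
    hops = received_chain(msg)
    xoip = msg.get("X-Originating-IP")
    if not hops or not xoip:
        return None
    m = IP_RE.search(xoip)
    return bool(m) and m.group(1) == hops[0]["ip"]


def message_id_host(msg):
    """Host part of Message-ID; compare with the MTA that accepted the first hop."""
    mid = msg.get("Message-ID", "")
    return mid.strip("<> ").rsplit("@", 1)[-1] if "@" in mid else None


def extract_attachments(msg):
    """Decode each MIME attachment segment (base64 undone by get_payload)."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        out.append({"filename": part.get_filename(), "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return out


if __name__ == "__main__":
    msg = load()
    for hop in received_chain(msg):
        print(hop)
    print("X-Originating-IP consistent:", originating_ip_matches(msg))
    print("Message-ID host:", message_id_host(msg))
    for att in extract_attachments(msg):
        print(att["filename"], att["size"], att["sha256"])
```

Because every hop after the first is added by a server the sender does not control, a mismatch between X-Originating-IP (or the Message-ID host) and the earliest Received header is the kind of inconsistency that flags a forged origin, as in the telnet session shown earlier.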

    Outlook

    OST: Local cache file

    Sometimes gets corrupted and is deleted, so you may find old ones

    As it's typically very large, it's not as likely to be overwritten soon as most other files

    Can be converted to a PST file by some tools (at the cost of losing unallocated space inside it)

    Search directly using MS Compressible Encryption (EnCase)

    PST: Personal Mail Archive

    Similar format to OST

    Stored by default in:

    \Local Settings\Application Data\Microsoft\Outlook (XP & Prior)

    \AppData\Local\Microsoft\Outlook (Vista+)

    Outlook Express

    Shipped with Windows prior to Vista

    Files *.DBX & folder.DBX stored in \Local Settings\Application Data\Identities\\Microsoft\Outlook Express

    Last compaction data indicated by cleanup.log file in the same folder

    Deleted messages not actually removed until compaction

    Deleted DBX files will likely appear in unallocated space, as they are copied before compacting

    Current Windows Mail

    Installed in Vista+

    Files *.EML & *.FOL stored in \AppData\Local\Microsoft\Windows Mail

    Deleted mail (individual EML files) moved to Deleted Items under this folder. Not cleared by default.

    Users can manually delete, or can set an option to periodically clear the deleted items folder.

    Thunderbird

    Files (no extension) & *.MSF stored in \Application Data\Thunderbird\Profiles\.default\Mail\

    Compaction is only done manually by default

    After compaction, email fragments are typically still present in unallocated space

    Eudora

    Files *.MBX & *.TOC stored in \Application Data\Qualcomm\Eudora

    Settings stored in eudora.ini

    Attachments are stored in a separate Attach subfolder

    Message deletion results in marking messages deleted, but not overwriting unless compacted

    Other Email Clients

    Many use the same file extensions

    Examine installed applications for other email clients

    Look in associated Program Folders or similar folder under user profile.

    Use keyword searches to find email

    Look for exported email: .TXT, .HTM, .EML, .MSG, etc.

    Appointments & Contacts

    Calendar data: .ICS, .SDB (SQLite), .PST

    Address Books: .WAB (binary), .VCF (text), .PAB (binary), .MAB, .NNT (text)

    Tasks: .SDB (SQLite), .PST

    SQLite data can be examined directly using the SQLite Database Browser

    Incident Response: What not to do

    1. Panic

    2. Reimage the affected systems

    3. Downplay everything you can

    4. Paper over the holes

    5. Fire somebody

    6. Blame consultants for everything else

    7. Lather, Rinse, Repeat

    Incident Response

    The six phases of the standard IR model:

    1. Preparation (most important)

    2. Identification

    3. Containment

    4. Eradication

    5. Recovery

    6. Follow-Up (also most important)

    If you haven't prepared

    It's going to cost you

    1. Remain calm. Panic begets panic.

    2. Document events thoroughly so that new participants can be brought up to speed quickly, and for future reference

    3. Notify the right people. If you can't figure out who the right people are, start up the chain of command, and branch out through whatever security group you're aware of.

    4. Restrict knowledge of the incident to those who need to know. This includes the management chain, security, and anyone involved with responding to the incident.

    If you haven't prepared

    5. Don't use communications infrastructure that may be compromised.

    6. Contain the problem. Remove systems from the network quickly unless necessary to identify further compromise

    7. Forensically image affected systems as quickly as practical for later analysis

    8. Clean up affected systems. If able to identify initial deficiencies, correct them

    If you haven't prepared

    9. Restore systems from backup (after ensuring the backups are clean). Monitor systems closely for a few weeks to ensure they're not compromised again

    10. Learn from this experience, and implement a formal set of Incident Response practices

    Preparation

    Proactive Incident Prevention & Response Facilitation Techniques, including deployment of detection infrastructure

    Create a formal written incident response plan

    Select IR team members and organize the team

    Develop an emergency communications plan

    Provide easy reporting facilities for events that may trigger incident response

    Train IR team members

    Preparation

    Establish guidelines for cooperation from other groups that may be required to contribute

    Ensure smooth two-way communication with IT administrators

    Develop interfaces to Law Enforcement and other CIRTs

    Identification

    Assign one person responsibility for the incident: central point of contact for tracking & coordination

    Determine whether reported activity is actually an incident

    Maintain careful chain of custody if there is an expectation that law enforcement may be involved

    Coordinate with ISP and/or Networking group

    Notify appropriate officials

    Containment

    Deploy on-site team to survey the situation

    Keep a low profile

    Avoid, where possible, running potentially compromised code

    Forensically image affected systems

    Determine the risk of continuing operations while responding

    Keep system owners informed, but don't discuss blame

    Change passwords

    Eradication

    Determine cause and symptoms

    Improve defenses: harden systems & networks

    Vulnerability analysis

    Remove the original cause of the intrusion

    Locate the most recent clean backups for affected systems

    Recovery

    Restore the systems

    Validate the systems

    Fully inform system owners & allow them to decide when to return systems to service

    Monitor the systems for recurrence or similar activity

    Follow-Up

    Develop a follow-up report

    Reporting is a priority as soon as incident is closed

    Report should be compiled by the people who were actually involved on-site

    All affected parties should review report draft

    Reach consensus or document disagreement

    Conduct a lessons-learned meeting to identify changes which may mitigate similar incidents in the future

    Follow-Up

    Create executive summary for management: cost, impact, recommended changes to follow

    Send recommended changes to management: prioritized, costs, proposed schedule, & impact of implementing or ignoring

    Implement approved changes

    Malicious Code Incidents

    AV Software 80% effective for non-targeted

    Encourage users to report anomalous behavior

    Monitor for abnormal outgoing traffic (I've heard good things about Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich; sadly, not on the library site)

    Use a standardized OS image & install process, and do not allow users Admin rights

    Develop contacts in the malware analysis community

    Commercial sandboxes can aid with analysis

    Link/Shortcut Files (.LNK)

    Whenever a file (local or remote) is opened using Explorer, a shortcut file is created:

    \Recent (XP)

    \AppData\Roaming\Microsoft\Windows\Recent (Vista/7)

    \AppData\Roaming\Microsoft\Office\Recent (Vista/7)

    Shortcut file contents

    Begins with magic value 4C 00 00 00 (L NULL NULL NULL)

    Four byte file length at offset 34h (easy to carve)

    Timestamps from original file when shortcut last accessed

    Size from original file when shortcut last accessed

    Volume Info: Name, Type (HD, Removable, Remote, CD), Serial#

    Network Share Name, if any

    Long & short filename

    Original File Path

    File Location (ObjectID [contains MAC address] + VolumeID); two different ones if file has been moved between 2 NTFS volumes

    Other misc data: see whitepapers

    Shortcut Analysis

    MiTeC Windows File Analyzer

    lslnk.pl from Windows Forensic Analysis DVD Toolkit 2E by Harlan Carvey

    lnk-parse.pl by Jake Cunningham

    Windows 7 Jump Lists

    Replaced the old Quick Launch toolbar from XP

    Allows user to pin a program to the taskbar for similar functionality

    Actual implementation substantially more complicated, similar to & used like the old My Recent Documents shortcuts.

    Recent Items in the Win7 start menu goes to a folder that contains both shortcuts and Jump Lists

    Applications can define custom right-click options for their Jump Lists

    Windows 7 Jump Lists

    Another way to note opening or creation of files

    Records file access for specific applications

    Lists can contain up to several hundred items, though only a few are shown

    Another way to identify previous existence of deleted or wiped files

    Windows 7 Jump Lists

    Two Types

    Automated: Created by the application only

    \AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

    Custom: Created by tracking the user's habits, similar to the UserAssist start menu

    \AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

    If an application is registered as a handler for a file type (not necessarily the default handler for that type), then items of that type can appear in its jump list.

    Windows 7 Jump Lists

    Jump Lists are linked to unique AppIDs. For common applications, these are assigned by the developer. For others they are generated based on the process name.

    Different command arguments for the same application can result in a different AppID

    Custom Destinations

    File name is .customDestinations-ms

    Create time is first execution of application

    Modification time is last time application opened a file

    File contains an embedded .LNK file which can be carved out (LNK header is \x4c\x00\x00\x00\x01\x14\x02, file size is 4 bytes at offset 34h), and analyzed

    Other contained information is custom per application
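The shortcut-file contents slide and the note just above about carving an embedded .LNK out of a customDestinations-ms file are both served by one added Python example, which is not from the lecture or from any of the tools it names. It reads only the fixed 0x4C-byte ShellLinkHeader: the 4C 00 00 00 magic followed by the shell link CLSID (the slide's \x4c\x00\x00\x00\x01\x14\x02 is the first seven bytes of that), the LinkFlags, the three target-file FILETIMEs and the 4-byte size field at offset 34h, which MS-SHLLINK defines as the target file's size. The volume serial, share name and path strings the slide lists live in the optional structures after the header and are not parsed here. The blob it carves from is constructed inline and is not a real jump list.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_1970 = 116444736000000000            # FILETIME of 1970-01-01 00:00:00 UTC


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


# HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046
# in its on-disk (little-endian) byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that govern which optional structures follow the header
FLAG_HAS_LINK_TARGET_ID_LIST = 0x01
FLAG_HAS_LINK_INFO = 0x02          # volume id / serial / local or network path
FLAG_IS_UNICODE = 0x80


def parse_lnk_header(buf, off=0):
    """Fixed 0x4C-byte ShellLinkHeader at buf[off:].  The timestamps and the
    size at 0x34 describe the *target* file as of the last time the link
    was written, which is why they survive after the target is deleted."""
    if buf[off:off + len(LNK_MAGIC)] != LNK_MAGIC:
        raise ValueError("no shell link header at offset %#x" % off)
    flags, attrs, created, accessed, written, size = struct.unpack_from(
        "<IIQQQI", buf, off + 0x14)
    return {"offset": off, "link_flags": flags, "target_attributes": attrs,
            "target_created": filetime_to_dt(created),
            "target_accessed": filetime_to_dt(accessed),
            "target_written": filetime_to_dt(written),
            "target_size": size,
            "has_link_info": bool(flags & FLAG_HAS_LINK_INFO),
            "unicode_strings": bool(flags & FLAG_IS_UNICODE)}


def carve_lnk_headers(blob):
    """Find every embedded shell link header in an arbitrary blob, e.g. a
    *.customDestinations-ms jump list, and parse the fixed header of each."""
    found = []
    p = blob.find(LNK_MAGIC)
    while p != -1:
        if p + HEADER_SIZE <= len(blob):
            found.append(parse_lnk_header(blob, p))
        p = blob.find(LNK_MAGIC, p + 1)
    return found


# ---- constructed sample: two headers inside filler (not a real jump list) ----
def _lnk_header(created_ft, accessed_ft, written_ft, size,
                flags=FLAG_HAS_LINK_INFO | FLAG_IS_UNICODE):
    body = struct.pack("<IIQQQI", flags, 0x20, created_ft, accessed_ft, written_ft, size)
    # icon index, ShowCommand SW_SHOWNORMAL, hotkey, then 10 reserved bytes
    tail = struct.pack("<iIH", 0, 1, 0) + b"\x00" * 10
    return LNK_MAGIC + body + tail


DAY = 864_000_000_000
SAMPLE_BLOB = (b"\xAB" * 37
               + _lnk_header(FT_1970 + DAY, FT_1970 + 3 * DAY, FT_1970 + 2 * DAY, 1234)
               + b"\x00" * 50
               + _lnk_header(FT_1970, FT_1970, FT_1970, 98765)
               + b"\xCD" * 9)

if __name__ == "__main__":
    for h in carve_lnk_headers(SAMPLE_BLOB):
        print(hex(h["offset"]), h["target_size"], h["target_written"].isoformat())
```

Each carved header is reported with its offset in the blob, so the same loop can be pointed at unallocated space or at a jump list to recover evidence of files that no longer exist, which is the use the later slides describe.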

    Automatic Destinations

    File name is .automaticDestinations-ms

    Create time is first execution of application

    Modification time is last time application opened a file

    Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer

    Windows 7 Jump Lists

    Frequently, applications will have both Automatic and Custom jump lists

    Viewing Automatic Destinations in Structured Storage Viewer

    Streams stored numerically from earliest (usually 1) to the most recent

    To recover the link, simply right-click on the stream and save as a .LNK file

    Examine extracted link files using the MiTeC Windows File Analyzer

    Expect there to be overlapping data from the registry, link files, and jump lists. If there's none, you should usually think about why.

    Windows 7 Jump Lists

    Brief demo of examining an Automatic jump list using Structured Storage Viewer

    Brief demo of examining exported .LNK file with MiTeC Windows File Analyzer

    Prefetch/Superfetch Files (.pf)

    Used to increase performance by preloading code pages for commonly used applications

    Referred to as superfetch in Vista/Win7

    Found in %Windir%\Prefetch

    -.pf

    Prefetch not cleaned out when exe is removed

    Up to 128 of them can exist at a time

    Data in .pf file

    File Signature (beginning of file):

    XP: \x11\x00\x00\x00\x53\x43\x43\x41 (.SCCA)

    Vista/7: \x17\x00\x00\x00\x53\x43\x43\x41 (.SCCA)

    Contains paths of all files & folders accessed by the program in the first 10 seconds

    Create time indicates when executable was first run

    Mod date & internal FILETIME indicate last time run

    Run Count

    Volume path & serial # for all files referenced

    Prefetch\Layout.ini contains path information

    File Size: 4-byte quantity at offset 0x000c
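The .pf header fields listed above, as an added Python example that is not part of the lecture: it checks the version-prefixed SCCA signature, reads the 4-byte file size at 0x0C, and extracts the executable name, the internal last-run FILETIME and the run count. The executable name (UTF-16, 60 bytes at 0x10), the path hash at 0x4C and the per-version offsets of the last-run time and run count (0x78/0x90 for the XP format 0x11, 0x80/0x98 for the Vista/7 format 0x17) are not on the slide; they are taken from the publicly documented prefetch layouts and are the assumptions this code rests on. Windows 8 and later move those fields (and Windows 10 compresses the file), so the parser refuses versions it does not know. The sample header it parses is constructed inline, including the invented hash value 7F5B2F4A.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_1970 = 116444736000000000            # FILETIME of 1970-01-01 00:00:00 UTC


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


PF_SIGNATURE = b"SCCA"
# Per-version offsets of (last-run FILETIME, run count) from the publicly
# documented .pf layouts: 0x11 = XP/2003, 0x17 = Vista/7.  Later versions
# (Windows 8/10) relocate these fields and are deliberately rejected below.
PF_LAYOUT = {0x11: (0x78, 0x90), 0x17: (0x80, 0x98)}


def parse_prefetch(buf):
    version, sig = struct.unpack_from("<I4s", buf, 0x00)
    if sig != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version not in PF_LAYOUT:
        raise ValueError("unsupported prefetch version %#x" % version)
    file_size = struct.unpack_from("<I", buf, 0x0C)[0]        # the slide's 4 bytes at 0x0C
    exe_name = buf[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", buf, 0x4C)[0]
    last_off, count_off = PF_LAYOUT[version]
    last_run = struct.unpack_from("<Q", buf, last_off)[0]
    run_count = struct.unpack_from("<I", buf, count_off)[0]
    return {"version": version, "file_size": file_size, "exe_name": exe_name,
            "path_hash": path_hash,
            # name the file carries in %Windir%\Prefetch
            "expected_filename": "%s-%08X.pf" % (exe_name, path_hash),
            "last_run": filetime_to_dt(last_run), "run_count": run_count,
            # a header size that disagrees with the real length is a hint of a
            # truncated or carved file
            "size_matches": file_size == len(buf)}


# ---- constructed sample .pf header (not from a real system) ----
def build_sample_pf(version=0x17, exe_name="NOTEPAD.EXE", path_hash=0x7F5B2F4A,
                    last_run_ft=FT_1970 + 864_000_000_000, run_count=5):
    last_off, count_off = PF_LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0x00, version, PF_SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe_name.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, last_off, last_run_ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    for v in PF_LAYOUT:
        r = parse_prefetch(build_sample_pf(version=v))
        print(hex(v), r["expected_filename"], r["run_count"], r["last_run"].isoformat())
```

Comparing the last-run value and run count from the file body against the file's own modification time, as the slide suggests, gives two independent records of the last execution; the expected file name lets an examiner spot a .pf whose name does not match its contents.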

    Prefetch Analysis

    Prefetch Parser (for both XP & Vista) by Mark McKinnon of RedWolf Computer Forensics

    prefetch.pl, vista_pref.pl from Windows Forensic Analysis DVD Toolkit 2E by Harlan Carvey

    EnCase EnScript by Yogesh Khatri of 43llc

    Reading for next week

    Chapter 7 (Timeline Analysis) in the Carvey book

    Next week's lecture will cover:

    Timelining

    Keyword Searching & Result Analysis

    Using Autopsy (SIFT Kit)


    Questions?