CNS 320 Week8 Lab


  • 7/28/2019 CNS 320 Week8 Lab

    1/17


    CNS 450 COMPUTER FORENSICS & INCIDENT RESPONSE

    Week 9 Lab

    Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

    Hands-on Extraction & Analysis (2)

    1. Volume Shadow Copy Analysis
       vshadowmount (Linux)

    2. Internet Explorer Artifacts
       Galleta (cookies)
       Pasco (cache)
       id32 (generic index.dat parser)
       Mandiant Web Historian (Windows only)


    For convenience, escalate to a root shell

    sudo bash


    Yet Another New Image

    Enabled VSCs on my Windows SIFT Kit, then:

    Created desktop folder Restore_Point_Test
    Manually created a shadow copy
    Copied a file into the folder
    Manually created a 2nd shadow copy
    Removed file and added another of similar size
    Manually created a 3rd shadow copy
    Removed 2nd file
    Logically imaged C: with FTK Imager

    Win7_VSC_Restore_Point_Test.E01


    Volume Shadow Copy Analysis

    ewfmount Win7_VSC_Restore_Point_Test.E01 /mnt/ewf
    vshadowmount -o 0 /mnt/ewf/ewf1 /mnt/vss
    mount -o loop,ro /mnt/vss/vss1 /mnt/shadow_mount/vss1
    mount -o loop,ro /mnt/vss/vss2 /mnt/shadow_mount/vss2
    mount -o loop,ro /mnt/vss/vss3 /mnt/shadow_mount/vss3

    (-o 0 is the byte offset of the NTFS volume inside the image, which is 0 for a logical image of C:; the mount points under /mnt must exist beforehand, and each shadow copy is mounted read-only so the evidence is not modified.)

    Examine the folders under the three mounted restore points for
    the files I created in C:\Users\SANSForensics408\Desktop\Restore_Point_Test


    Mount the dblake Image in the Linux SIFT Kit as before


    xp_dblake.dd mounted


    (8) Internet Explorer

    Run Galleta against all of the Donald Blake user's cookie files



    Galleta

    Examine the output

    Look at the __utma Google Analytics cookies for various websites, and decode the dates
    using dcode.exe on the Windows SIFT Kit. From this, what were three different dates
    when the subject visited winzip.com?

    Run 1183244089, 1231967273, and 1231967349 through dcode to get the
    associated UNIX Text timestamp values


    __utma (Timestamps in UNIX Epoch Time)

    Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N

    XXXX  Hash of the client's domain
    RRRR  Random unique ID for the client
    FFFF  Date of first visit to the site (probably following the last clear of cookies)
    PPPP  Timestamp of the previous (last) visit
    CCCC  Current timestamp
    N     Number of sessions since the first visit (incremented each time a new session is started after the first)
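The dcode step above can be reproduced without leaving the Linux SIFT Kit. The script below is an added example, not part of the lab or of Galleta: it splits a __utma value into the fields described on this slide, converts the three epoch timestamps to UTC, and flags a cookie whose timestamps run backwards. The sample cookie is constructed; only its three timestamps are the values the lab asks you to decode.

```python
from datetime import datetime, timezone

# Field layout from the slide: XXXX.RRRR.FFFF.PPPP.CCCC.N
UTMA_FIELDS = ("domain_hash", "visitor_id", "first_visit",
               "previous_visit", "current_visit", "session_count")

# Constructed sample value: the domain hash and visitor ID are made up,
# the three timestamps are the ones the lab runs through dcode.
SAMPLE_UTMA = "173272373.1011234567.1183244089.1231967273.1231967349.3"


def epoch_to_utc(ts: int) -> str:
    """Render a UNIX epoch timestamp as a human-readable UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_utma(value: str) -> dict:
    """Split a __utma value into its named integer fields.

    Anything other than six dot-separated integers raises ValueError, so a
    truncated or corrupted cookie is reported instead of silently misread.
    """
    parts = value.strip().split(".")
    if len(parts) != len(UTMA_FIELDS) or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed __utma value: {value!r}")
    return dict(zip(UTMA_FIELDS, (int(p) for p in parts)))


def decode_utma(value: str) -> dict:
    """Decode the first / previous / current visit timestamps to UTC."""
    f = parse_utma(value)
    stamps = (f["first_visit"], f["previous_visit"], f["current_visit"])
    return {
        "first_visit_utc": epoch_to_utc(stamps[0]),
        "previous_visit_utc": epoch_to_utc(stamps[1]),
        "current_visit_utc": epoch_to_utc(stamps[2]),
        "session_count": f["session_count"],
        # Visit timestamps should never run backwards; a violation suggests an
        # edited cookie or a mis-split value and deserves a second look.
        "consistent": stamps[0] <= stamps[1] <= stamps[2],
    }


if __name__ == "__main__":
    for key, val in decode_utma(SAMPLE_UTMA).items():
        print(f"{key:>20}: {val}")
```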


    Run Pasco against the dblake Internet Explorer Cache index.dat file


    Examine Pasco Output

    Open OpenOffice
    Insert -> Sheet from file
    Check the tab delimited box
    After importing, reformat column widths and select wrap on
    Sort all below header by column D (ACCESS TIME)


    Run id32 against all dblake index.dat files

    Id is in the Linux SIFT Kit according to the docs, but I can't find it

    Download from http://tzworks.net/download_links.php
    Both Linux & Windows versions are available


    Examine id32 Output

    Open OpenOffice
    Insert -> Sheet from file
    Check the comma delimited box
    After importing, reformat column widths and select wrap on
    Sort all below header by columns C (access date) and D (access time)


    Questions?