Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics –...
4/7/16
1
Computer Forensics – Mobile Forensics – Cyber Security – Lit Support Training
Module Objectives
• User Interface (UI)
• Browsing History
• Page Recovery
• Local Searches
• Local Browsing History – File Explorer
• Internet Explorer 11 (IE11)
Microsoft Edge – Navigation
Tabs Address Bar Hub
Edge and Cortana Artifacts
• There are four main locations for browsing artifacts in Windows 10
– Edge Application folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftEdge_<id#>
– Cortana Application folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Windows.Cortana_<id#>
– Registry – NTUSER.DAT: C:\Users\<username>
– Registry – UsrClass.dat: C:\Users\<username>\AppData\Local\Microsoft\Windows
C:\Users\<username>\AppData\Local\Packages
Edge – Hub
Reading View
Favorites
Reading List
Write on the Web
Share
More Actions
MS Edge - Favorites
Edge – Favorites (File System)
C:\Users\<username>\AppData\Local\Packages\<msedge>\AC\MicrosoftEdge\User\Default\Favorites
Edge – Favorites (Registry)
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\<foldername> / Order
Edge – Favorites Hub
History Downloads
Edge – History
History
• The History drop-down menu displays history by time / day / week
• Objects can be removed from view by clicking the X button to the right
– This removes the history from the drop-down, but it remains in the file system artifacts: TIFs and WebCacheV01.dat
Edge – Deleted History
Edge – Browser Recovery
Tab 1 – Syntricate / Tab 2 – ArcLight Cinemas / Tab 3 – Seaturtle.org
• Recovery tracks Edge open tabs
• Each tab has a .dat file
• One overall RecoveryStore
Edge – Browser Recovery
Tab 3 – Seaturtle.org Offset 620
• Each tab .dat file has a date/time stamp of when the tab was opened at offset 620
• .dat files retained until next launch of Edge
Edge – Browser Recovery
Edge – Downloads
Downloads
• The Downloads drop-down menu displays the latest downloads in descending order with the last one on top
• Clicking on a download will launch whatever that file does
– e.g., clicking on CuteWriter launched the installer for it
Edge Address Box
Edge – Download Artifacts
WebCacheV01.dat
Edge – Download Artifacts
• Pages are stored in the Edge AC #!001 folder under the MicrosoftEdge\Cache folder
WebCacheV01.dat references
Site
Sent To
Edge – Download Artifacts
• A compilation of the WebCacheV01.dat entries can be made with a third party tool to see the progression of the download
• Nirsoft was used here to combine the entries of the different containers into a spreadsheet, which was then sorted on times
• It shows the start of the process with an Edge browser search for the database viewer leading to the completed download
Query Navigation Download
Edge – Download Artifacts
WebCacheV01.dat references
Edge – Download Artifacts
File Explorer
• The WebCacheV01.dat also stores a table called iedownload
• Once located, it shows a record of each download by GUID
• I was unable to match the GUIDs to their associated file
• I was able to match them by date and time stamp
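The two slides above describe the workflow in prose: export the WebCacheV01.dat container entries, merge them, sort on time to see query, navigation and download in order, and then tie each iedownload GUID to its file by timestamp because the GUID itself does not name the file. The following is an added example, not code from the training deck or from any Nirsoft tool; all records, URLs and GUIDs in it are constructed placeholders, and the container names and the 30-second matching tolerance are assumptions.

```python
"""Added example (not code from the training deck): merge WebCacheV01.dat
records from several containers into one time-ordered download timeline and
pair iedownload GUID records with the nearest download entry by timestamp.
All records below are constructed; a real case would use rows exported by an
ESE parser such as the Nirsoft viewer mentioned in the deck."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class CacheEntry:
    container: str      # container name as exported (constructed values here)
    accessed: datetime  # record access time
    url: str            # URL or file reference held by the record


@dataclass
class DownloadRecord:
    guid: str           # GUID from the iedownload table
    accessed: datetime  # time the download record was written


# Constructed rows from different containers, deliberately out of order.
SAMPLE_ROWS = [
    CacheEntry("Content", datetime(2016, 4, 1, 14, 2, 30),
               "https://www.bing.com/search?q=esedatabaseview"),
    CacheEntry("History", datetime(2016, 4, 1, 14, 2, 5),
               "https://www.bing.com/search?q=esedatabaseview"),
    CacheEntry("History", datetime(2016, 4, 1, 14, 2, 41),
               "http://www.nirsoft.net/utils/ese_database_view.html"),
    CacheEntry("Content", datetime(2016, 4, 1, 14, 3, 9),
               "http://www.nirsoft.net/utils/esedatabaseview.zip"),
]

# Constructed iedownload records; the GUIDs are placeholders, not real values.
SAMPLE_IEDOWNLOAD = [
    DownloadRecord("{00000000-0000-0000-0000-00000000aaaa}", datetime(2016, 4, 1, 14, 3, 11)),
    DownloadRecord("{00000000-0000-0000-0000-00000000bbbb}", datetime(2016, 4, 1, 9, 0, 0)),
]


def build_timeline(rows: List[CacheEntry]) -> List[CacheEntry]:
    """Merge all containers and sort on time, the spreadsheet step the deck describes."""
    return sorted(rows, key=lambda r: r.accessed)


def classify(entry: CacheEntry) -> str:
    """Label a timeline step as the search query, a page navigation, or the file download."""
    url = entry.url.lower()
    if "search?q=" in url:
        return "query"
    if url.rsplit(".", 1)[-1] in {"zip", "exe", "msi", "pdf"}:
        return "download"
    return "navigation"


def match_downloads(records, rows, tolerance=timedelta(seconds=30)):
    """Pair each iedownload GUID with the download entry closest in time.

    The GUID itself does not name the file, so the match is on timestamp
    proximity within `tolerance`; unmatched GUIDs get (guid, None, None).
    """
    downloads = [r for r in rows if classify(r) == "download"]
    matches: List[Tuple[str, Optional[str], Optional[float]]] = []
    for rec in records:
        best = None
        for d in downloads:
            delta = abs((d.accessed - rec.accessed).total_seconds())
            if delta <= tolerance.total_seconds() and (best is None or delta < best[1]):
                best = (d, delta)
        matches.append((rec.guid, best[0].url if best else None, best[1] if best else None))
    return matches


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_ROWS):
        print(e.accessed.isoformat(), classify(e).ljust(10), e.url)
    for guid, url, delta in match_downloads(SAMPLE_IEDOWNLOAD, SAMPLE_ROWS):
        print(guid, "->", url, delta)
```

A GUID with no download entry inside the tolerance is reported as unmatched rather than forced onto the nearest file, so a record from a different session is not silently attributed to the wrong download.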
MS Edge – Reading List
• Allows users to save web pages for later reading
• Can be marked on or annotated with a “note”
• Can be saved and shared
– Mail
– OneNote
• Can arrange in Categories
MS Edge – Write on the Web
• You can:
– Annotate with a note*
– Mark up
– Highlight text
– Save
– Share
• Mail
• OneNote
* It appears notes may be broken. You can create a note but not see it later
Actual Page
Stored Page
Edge – Reading List Artifacts
• There are three main locations where Reading List artifacts are stored:
– WebNotes folder
– Spartan.edb
– ReadingList folder
C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge and \#!001
Edge – Spartan.edb
• Reading List entries are stored in the spartan.edb
– Description above
– Pointer to the assigned thumbnail for the page
– Description and URL below
Spartan.edb
Edge – Spartan.edb
• The date and time of archiving the reading list entry is stored at the beginning of the entry
– 64-bit Windows date and time stamp
– One byte before the beginning of the description
Spartan.edb
Edge – Reading List
• Besides the reference to the Reading List entry, the Spartan.edb file also contains a pointer to the thumbnail in the ReadingList folder
ReadingList
Reading List Spartan.edb
• Spartan.edb can be parsed out with 3rd-party tools like Nirsoft
• Or, in FTK
– The FTK version is not subject to varying tables and columns
– But, the FTK version does parse out the Added and Last Accessed dates and times
Reading List Spartan.edb
Reading List Spartan.edb
Points to Reading List path
Reading List Spartan.edb
Points to WebNotes path
WebNotes #!001
Edge – Shared Pages
Share will be covered in more detail in Module 5 (OneNote) for Registry entries
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU
Edge – Searches
Edge – Searches WebCache
FTK View
Edge Searches – WebCache
• Two searches were made:
– “birdocide search from edge” typed in but not entered
– “birdocide stuff images” typed in and entered
• Both registered to the WebCacheV01.dat in type-ahead format
Edge – Searches – Recovery
Edge – Registry Artifacts
• Microsoft Edge uses a different registry file to store information rather than the NTUSER.DAT file normally used
• UsrClass.dat is used to archive user profile registry data
C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
Edge – General App Info
• Windows App info is stored in Local Settings
• Each app has an identifier similar to Windows 8
• Edge and Cortana add an important new dimension to this storage location
AppContainer Subkey
Edge – History Days to Keep
• DaysToKeep URL History
• It defaults to 90 days in Edge
• During testing there was no UI for setting this lower
• Edge still permits clearing history
• InPrivate Browsing is still supported
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep
Edge – InPrivate Browsing
• IPB is accessed through the Settings icon in the Hub
• All of the Edge files / settings function as if no IPB is used
www.rajaampat-divelodge.com
Edge – InPrivate Browsing
• Upon shutting down the session, the file system artifacts are deleted (but potentially recoverable)
• WebCache is not completely deleted
Edge – IPB After Reboot
WebCacheV01.dat
Recovery
Edge – IPB Recovery Folder
Note the reference to about:inprivate
Edge – TypedURLs
• Microsoft Edge maintains its own TypedURLs
• Stored in the UsrClass.dat
Edge – TypedURLs Hyperlink
Edge TypedURLs IE TypedURLs
Edge – TypedURLs
• Microsoft Edge maintains its own TypedURLs keyset
TypedURLs TypedURLsTime TypedURLsVisitCount
Edge – App Install Time
• App install dates and times are stored in the Families subkey
• Stored in the UsrClass.dat
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.Microsoftedge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe / InstallTime
AppModel Subkey
Edge – App Information
Internet Explorer in Win10
• Uses WebCacheV01.dat to track
• File System artifacts have changed
• Traditional Registry entries intact
Internet Explorer in Win10
• TIF objects and pages are under the INetCache folder
C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache
IE WebCacheV01 Tracking
Query: loreto mexico liveaboard diving
Clicked on the aquacatcruises link
Internet Explorer Registry
Typed URLs
TypedURLsTime
IE History
Main Key
• No major changes to the registry functions for IE
Computer Forensics – Mobile Forensics – Cyber Security – Lit Support Training
Cortana
• Cortana is Microsoft’s answer to Apple’s Siri
• Cortana is a voice / type-in interface added to Win10
• Cortana works together with MS Edge / Project Spartan browser
• Cortana is identified by the “Ask me anything” text box at the Start menu
• Click on “Ask me anything” to bring up the Cortana interface
Anatomy of a Cortana Search
• Cortana searches made from the “Ask me anything” box
Search Term Entered:
Toucan Sam
Cortana Searches WebCache
• WebCacheV01.dat hits shown using Nirsoft
• Note the type-down nature of the search, letter by letter
Cortana Searches WebCache
• WebCacheV01.dat hit for toucan sam
• Entry points to the INetCache container directory
• Entry points to the .json file where the data is stored in Cortana
Cortana Searches .JSON Files
• Cortana searches that make it to the .json files are stored in four folders in the INetCache folder
• Each references searches made at that specific time
• Toucan Sam search made at 10:18:42
• Contains actual searches and suggested hits
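Both the Edge WebCache slides (two searches, one typed but not entered, one entered, both recorded in type-ahead format) and the Cortana WebCache slides (the search recorded letter by letter) leave the examiner with one row per keystroke rather than one row per search. The following is an added example, not code from the training deck: it collapses a keystroke-by-keystroke series into the strings the user actually reached, and then decides which of those were submitted by looking for the URL-encoded term in the visited search URLs. All rows below are constructed; the search-URL shape and the History container are assumptions for the example.

```python
"""Added example, not from the training deck: collapse type-ahead records
(one row per keystroke) into the search strings the user actually reached,
then decide which of them were submitted by pairing with navigation records.
All rows below are constructed; real ones would be exported from WebCacheV01.dat."""
from datetime import datetime, timedelta
from urllib.parse import quote_plus

T0 = datetime(2016, 4, 1, 10, 18, 0)


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed type-ahead rows, one per suggestion request: (time, partial text).
# The first string is typed and abandoned, the second is typed and submitted.
SAMPLE_TYPEAHEAD = [
    (_at(1), "b"), (_at(2), "bi"), (_at(3), "bird"), (_at(4), "birdocide"),
    (_at(5), "birdocide s"), (_at(6), "birdocide search"),
    (_at(7), "birdocide search from edge"),
    (_at(20), "birdocide s"), (_at(21), "birdocide stuff"),
    (_at(22), "birdocide stuff images"),
]

# Constructed navigation rows (visited URLs) from the History container.
SAMPLE_NAVIGATION = [
    "https://www.bing.com/search?q=birdocide+stuff+images&form=EDGEAR",
]


def collapse_typeahead(rows):
    """Keep a partial string only when the next row in time order does not extend it.

    A backspace or a fresh query breaks the prefix chain, so every string the
    user actually reached survives, including ones that were never submitted.
    """
    ordered = sorted(rows, key=lambda r: (r[0], len(r[1])))
    finals = []
    for i, (when, text) in enumerate(ordered):
        following = ordered[i + 1][1] if i + 1 < len(ordered) else None
        if following is None or not following.lower().startswith(text.lower()):
            finals.append((when, text))
    return finals


def mark_entered(finals, navigation_urls):
    """A collapsed string counts as submitted when its URL-encoded form appears in a visited search URL."""
    visited = [u.lower() for u in navigation_urls]
    result = []
    for _, text in finals:
        encoded = quote_plus(text.lower())
        result.append((text, any(encoded in u for u in visited)))
    return result


if __name__ == "__main__":
    finals = collapse_typeahead(SAMPLE_TYPEAHEAD)
    for text, entered in mark_entered(finals, SAMPLE_NAVIGATION):
        print(("entered " if entered else "abandoned") + ": " + text)
```

Type-ahead alone cannot tell an abandoned string from a submitted one, which is why the second step pairs each collapsed string with a navigation record; a string with no matching search URL is reported as abandoned, matching the "typed in but not entered" case on the slide.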
Cortana Searches .JSON Files
• Cortana searches that make it to the .json files are stored at:
C:\Users\<username>\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\INetCache\<folder>\Suggestions<#>.json
SuggestionsH55LZSF8.json
Cortana Searches .JSON Files
Query
Suggestions
• .json file parsing in FTK
• The query comes first
• Queries are predicated with a “url” designation
• Suggestions come below the Confidence Score
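The slide above gives the layout rules for a Suggestions<#>.json file as seen in FTK: the query comes first, it carries a "url" designation, and the suggestions follow the confidence score. The following is an added example, not code from the training deck and not Cortana's documented schema: the key names ("query", "confidenceScore", "suggestions") and the sample document are assumptions constructed for the example, and the parser relies only on the ordering rules the slide states rather than on those names.

```python
"""Added example, not from the training deck: pull the query and the suggestion
list out of a Cortana Suggestions<#>.json file using only the ordering rules
the deck gives (query first under a "url" designation, suggestions after the
confidence score). Key names and the sample document below are assumptions."""
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample; the real file's field names are not given in the deck.
SAMPLE_SUGGESTIONS_JSON = """{
  "query": {"url": "https://www.bing.com/search?q=toucan+sam&form=EDGEAR", "text": "toucan sam"},
  "confidenceScore": 0.83,
  "suggestions": [
    {"text": "toucan sam cereal", "url": "https://www.bing.com/search?q=toucan+sam+cereal"},
    {"text": "toucan sam costume", "url": "https://www.bing.com/search?q=toucan+sam+costume"}
  ]
}"""


def search_term(url):
    """Recover the typed term from the q= parameter of a search URL (None if absent)."""
    if not url:
        return None
    params = parse_qs(urlparse(url).query)
    return params.get("q", [None])[0]


def parse_suggestions(text):
    """Return the query URL and term, the confidence score, and the suggestion texts.

    json.loads keeps the file's key order, so "first object with a url" and
    "lists after the confidence key" can be applied positionally.
    """
    doc = json.loads(text)
    query_url = None
    score = None
    suggestions = []
    past_score = False
    for key, value in doc.items():
        if query_url is None and isinstance(value, dict) and "url" in value:
            query_url = value["url"]
        elif "confidence" in key.lower():
            score = value
            past_score = True
        elif past_score and isinstance(value, list):
            suggestions.extend(item["text"] for item in value
                               if isinstance(item, dict) and "text" in item)
    return {
        "query_url": query_url,
        "query_term": search_term(query_url),
        "confidence": score,
        "suggestions": suggestions,
    }


if __name__ == "__main__":
    print(json.dumps(parse_suggestions(SAMPLE_SUGGESTIONS_JSON), indent=2))
```

A file that stops after the query (no confidence score, no list) yields an empty suggestion list rather than an error, so a batch run over a folder of these files does not stop on a partial record.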
Cortana Searches Link Files
• Cortana voice searches may also be stored as a .lnk file
• Not all searches are stored here
• Uses a %20 as space between words
• With voice searches, Cortana stores what she thinks you said
• Note the Unix Numeric Value date and time stamp in the name
Link Files: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
Cortana Searches Jump Lists
• Cortana may also store search hits in the Jump Lists
• ID#: 9d1f905ce5044aee.automaticDestinations-ms
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Cortana Searches Jump Lists
64-bit Windows Date/Time
Unix Numeric Date/Time
Cortana Searches – DestList
• The DestList may have search results as well
• It will also have the Windows and Unix date and time stamps
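The deck names two timestamp encodings across several artifacts: a 64-bit Windows date/time (Spartan.edb entries, jump lists and the DestList) and a Unix numeric value (Cortana link-file names, RecentDocs key names, the DestList), plus a stamp at offset 620 of each Browser Recovery tab .dat file. The following is an added example, not code from the training deck: it decodes both forms against constructed data. That the offset-620 stamp is a Windows FILETIME, and where the Unix number sits in a link-file name, are assumptions made here and labelled in the code.

```python
"""Added example (not from the training deck): decode the two timestamp forms
the deck points at. A 64-bit Windows FILETIME (100-ns ticks since 1601-01-01)
is what the deck names for Spartan.edb entries and jump lists; that the stamp
at offset 620 of a tab .dat file is also a FILETIME is an assumption made here.
The Unix numeric value in a Cortana link-file name is seconds since 1970-01-01;
where the number sits in the name is assumed. All buffers and names are constructed."""
import re
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TAB_TIMESTAMP_OFFSET = 620  # offset given in the deck


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def read_tab_timestamp(buf: bytes, offset: int = TAB_TIMESTAMP_OFFSET) -> datetime:
    """Read the little-endian 64-bit stamp at `offset` (assumed FILETIME) from a tab .dat image."""
    if len(buf) < offset + 8:
        raise ValueError("buffer too short to hold a timestamp at offset %d" % offset)
    (ft,) = struct.unpack_from("<Q", buf, offset)
    if ft == 0:
        raise ValueError("timestamp field is zero")
    return filetime_to_datetime(ft)


def parse_cortana_link_name(name: str):
    """Split a Cortana .lnk name into (search term, UTC datetime or None).

    Spaces are stored as %20, so the term is URL-decoded; the first run of
    exactly ten digits is taken as the Unix timestamp (an assumed placement).
    """
    stem = name[:-4] if name.lower().endswith(".lnk") else name
    m = re.search(r"(?<!\d)(\d{10})(?!\d)", stem)
    if not m:
        return unquote(stem).strip(), None
    term = unquote(stem[:m.start()]).rstrip(" _-")
    return term, datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


# Constructed sample data (a zero-filled stand-in for a tab .dat, and a made-up link name).
SAMPLE_OPENED = datetime(2016, 4, 1, 10, 18, 42, tzinfo=timezone.utc)
_buf = bytearray(700)
struct.pack_into("<Q", _buf, TAB_TIMESTAMP_OFFSET, datetime_to_filetime(SAMPLE_OPENED))
SAMPLE_TAB_DAT = bytes(_buf)
SAMPLE_LINK_NAME = "Toucan%20Sam_1459505922.lnk"

if __name__ == "__main__":
    print("tab opened:", read_tab_timestamp(SAMPLE_TAB_DAT).isoformat())
    term, when = parse_cortana_link_name(SAMPLE_LINK_NAME)
    print("link:", term, when.isoformat() if when else None)
```

Both decoders return aware UTC values; converting to the examined machine's local zone is a separate step, so a stamp is never silently shifted by the analysis workstation's own time zone.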
Cortana Searches – Voice
Run a Utility
Look for Files
Ask a Question
Cortana Searches – NTUSER
• Searches may also be archived in the NTUSER.DAT
• In the FileExts subkey under .com extensions
• The date and time last written is typically the date and time the search was conducted
Cortana Searches .com Links
• Spoken Search– “How big is a dawg” (translated by Cortana from “dog”)
• Typed Search– “Whitetips photo”
Cortana Searches RecentDocs
• Cortana voice searches may also be stored in RecentDocs
• Uses a %20 as space between words
• Cortana stores here what she thought you said
• Not all spoken searches end up here
• Note the Unix Numeric Date and Time stamp in the key name
Cortana Searches RecentDocs
Cortana Searches – Speech Render
• Speech_render[#].htm
– Yet another way to find speech searches in Cortana
C:\Users\<username>\AppData\Local\Packages\<cortana>\AC\INetCache\<id#>