Data Mining Windows User Files
Week 3 – Part 2
Transcript of slides from athena.csus.edu/~cookd/116/notes/CSc 116 - Summer...
Windows Recycle Bin
It’s just a folder!
… an odd, strange, cheeky folder
Windows Recycle Bin
Based on a recycling bin metaphor:
• place trash into the bin
• items in the bin will stay there until…
• …the bin is emptied (or gets too full)
The Recycle Bin has evolved over time. With every new major version:
• the location has changed
• the format of deleted data has changed
7/23/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3

When a File is Dragged into it…
1. It is actually, simply, moved to a special (hidden) folder on the same volume as the deleted file
2. The file is then renamed
3. Windows saves information about the file: deletion time, original location, original filename, etc.

Why Rename the File?
First, two files with the same name can be deleted; the rename prevents a filename conflict.
Second, the new name can be used as a database key. This is the case with INFO.

Recycle Bin Location
Each volume has its own folder – C:, D:, etc.

Operating System   Location
95, 98, ME         volume:\Recycled\
XP, NT, 2000       volume:\Recycler\SID
Vista, 7, 8, 10    volume:\$Recycle.Bin\SID
Windows XP / 2000 Recycle Bin
Windows XP renamed the folder to Recycler
Deleted files are renamed with a “D” prefix
When the Recycle Bin is emptied, the “D” files are deleted

Recycle Bin Folder   C:\Recycler
Rename Format        D<original drive letter><random>.<original extension>
Deletion Data        INFO2

Windows XP / 2000 Recycle Bin
Information about each deleted file is stored in a database file named INFO
Even when the Recycle Bin is emptied, the history will still be left in INFO

The INFO File
Presence of deletion data in the INFO file…
• implies that the file was intentionally deleted
• files deleted by applications are not normally sent to the Recycle Bin
For each file in the recycle bin, it contains:
• original path and filename of the file
• time and date of file deletion
• new filename in the recycle bin (e.g. DC42.txt)
• index # in the recycle bin – if the system clock was changed, this can establish the order of deletion
Windows Vista, 7, 8, 10
The Recycle Bin folder is now $Recycle.Bin
Deleted files are renamed using a different format than XP
Deletion data is no longer stored in a single database

Recycle Bin Folder   C:\$Recycle.Bin
Renamed Filename     $R<random>.<original extension>
Deletion Data        $I<random>.<original extension>

Windows Vista, 7, 8, 10
Each “$R” file (the original) has a matching “$I” file
It contains the deletion data
When the Recycle Bin is emptied, the “$I” files may still remain

Windows 7 Recycle Bin
Windows Explorer shows the current SID as “Recycle Bin”

Windows 7 Recycle Bin
(screenshot of a $Recycle.Bin folder, labelled: Info file, Deleted file)
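The INFO2 records and $I files described above are small fixed-layout structures, so the deletion time and original path can be recovered without a commercial tool. The following Python is an added example, not part of the lecture or of any tool it mentions: it follows the publicly documented layouts of the 2000/XP INFO2 record and the Vista-and-later $I file (version 1 with a fixed 520-byte path, and the length-prefixed version 2 that Windows 10 introduced). The sample records it parses, including the paths and the deletion timestamp, are constructed in the script rather than taken from a real system; the D<drive><index> naming in the comments is the scheme behind the slides' DC42.txt example.

```python
"""Decode Recycle Bin deletion metadata: one INFO2 record (2000/XP) and a $I file (Vista+).

Added example, not from the lecture slides. Field layouts follow the publicly
documented formats; the records parsed below are constructed in this script.
"""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a 64-bit FILETIME into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the sample records."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


INFO2_RECORD_SIZE = 800  # fixed-size records follow the 20-byte INFO2 header


def parse_info2_record(rec: bytes) -> dict:
    """Decode one 800-byte INFO2 record.

    Layout: 260-byte ANSI original path, uint32 index, uint32 drive number
    (0 = A:, 2 = C:, ...), FILETIME deletion time, uint32 size on disk, then
    the original path again as 520 bytes of UTF-16LE.
    """
    if len(rec) != INFO2_RECORD_SIZE:
        raise ValueError("INFO2 record must be %d bytes" % INFO2_RECORD_SIZE)
    ansi_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
    index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
    uni_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
    original = uni_path or ansi_path
    drive_letter = chr(ord("A") + drive)
    # Windows names the recycled copy D<drive letter><index>.<original extension>,
    # so the slides' DC42.txt is index 42 of a file deleted from C:
    filename = original.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    recycled = "D%s%d" % (drive_letter, index) + ("." + ext if ext else "")
    return {"index": index, "drive": drive_letter, "size": size,
            "deleted_utc": filetime_to_datetime(ft),
            "original_path": original, "recycled_name": recycled}


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I<random> file.

    Version 1 (Vista/7/8): uint64 version = 1, uint64 original size, FILETIME
    deletion time, then the original path as 520 bytes of UTF-16LE.
    Version 2 (Windows 10): same 24-byte header, then uint32 path length in
    UTF-16 code units (including the NUL terminator) followed by the path.
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:544].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


# --- constructed samples (not captured from a real system) -------------------
DELETED_AT = datetime(2018, 7, 23, 14, 30, 0, tzinfo=timezone.utc)
XP_PATH = "C:\\Documents and Settings\\student\\My Documents\\notes.txt"
WIN7_PATH = "C:\\Users\\student\\Documents\\notes.txt"


def build_sample_info2_record() -> bytes:
    ansi = XP_PATH.encode("latin-1").ljust(260, b"\x00")
    fixed = struct.pack("<IIQI", 42, 2, datetime_to_filetime(DELETED_AT), 4096)
    uni = XP_PATH.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + fixed + uni


def build_sample_dollar_i(version: int) -> bytes:
    header = struct.pack("<QQQ", version, 1234, datetime_to_filetime(DELETED_AT))
    if version == 1:
        return header + WIN7_PATH.encode("utf-16-le").ljust(520, b"\x00")
    path = (WIN7_PATH + "\x00").encode("utf-16-le")
    return header + struct.pack("<I", len(WIN7_PATH) + 1) + path


if __name__ == "__main__":
    print(parse_info2_record(build_sample_info2_record()))
    for v in (1, 2):
        print(parse_dollar_i(build_sample_dollar_i(v)))
```

Both parsers return aware UTC datetimes; convert to the suspect machine's local zone only at reporting time, since FILETIME itself carries no zone information.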
Windows Profile Basics
You have to know where to look

User Root Folder
Windows maintains a special folder for storing user data
For each user on the system, there is a subfolder for their files and settings

User Root Folder
The folder is named using the username rather than the SID found in the Registry
This folder is of great interest to the investigator (understatement)

What's In This Folder
The data includes:
• Application data (hidden)
• User registry file (ntuser.dat)
• My Documents
• Cookies
• Desktop
• Favorites
• NetHood (hidden)

Windows User Folder
However – just to make things fun – each version of Windows uses a different folder to store user data
As a result, you must know the version to know where to look
Fortunately, it can be quickly ascertained on inspection… unless the suspect is trying to trick you

Windows User Folder
Windows 95, 98 and ME
• the main Windows folder is simply used if the computer is not set up for multiple users
• if multiple users are set up, a subfolder of Windows called “profiles” is used
Windows NT (and above) also adds:
• Administrator
• All Users
• Default User (hidden)

Windows User Folder
Windows XP and 2000
• use a folder called “Documents and Settings”
• stored at the root folder (C:\)
Windows 7, 8, 10
• the folder was renamed “Users”
• still stored at the root level

Windows User Folder
Version          Location
95, 98, ME       C:\Windows\ (single user) or C:\Windows\profiles\username\ (multiple users)
NT               C:\WinNT\profiles\username\
XP, 2000         C:\Documents and Settings\username\
Vista, 7, 8, 10  C:\Users\username\

Other Operating Systems
Version    Location
Mac OS X   /Users/username/
Linux      /home/username/
Temporary Internet Files
We do everything online, and leave tons of evidence

Internet Files
Systems connected to the Internet usually contain a wide variety of relevant data
These include:
• web sites visited
• temporary Internet files!!
• chat room logs
• files downloaded

Browser Files
There are five major web browsers:
• Microsoft's Internet Explorer (aka “IE”)
• Microsoft Edge
• Mozilla Firefox (related to Netscape)
• Google Chrome
• Apple Safari
Browser popularity is constantly changing
So, knowing all browsers is important

Browser Files
Data the user, generally, knows about…
• saved passwords
• favorites (aka bookmarks), etc.
• page history list
Data they, generally, don't know about…
• cache files – saved for efficiency
• cookies

Web Browser Cache
Browsers store parts of the websites you visit on your computer, in what is called the cache
This is true of all modern browsers including IE, Edge, Firefox, Safari, Google Chrome, etc.

Web Browser Cache
It helps load websites faster if you revisit them
For example:
• the cache may contain an image
• the next time you visit the same website, the browser can use the cached file
• rather than re-download it

Web Browser Cache
You can find temporary files of pages the suspect has viewed
Examples:
• in the case of browser-based e-mail, the file can be a webpage file with the e-mail contained in it!
• if the user viewed porn online, these images can be in the cache

Web Browser Cache
The date-time stamp of the file is great evidence
It corresponds to the date-time that the webpage (and its associated files) was viewed
Correlate this with the date-time stamps of downloaded files to determine the origin of such files

Web Browser History
Browsers often maintain a list of sites the user has visited
• it’s a bit of a privacy risk
• it remains intact when the cache files are deleted
• some browsers can auto-clear the history when the browser is exited
Tools exist to display the contents in a nice, usable format

Cookies
Cookies are text files saved on your computer by websites
• these are created (“baked”) by the web server
• only visible to the site that created them
They are used legitimately to
• keep you logged onto a website
• maintain temporary session data

Cookies
Cookie timestamps may also provide useful information about what sites were visited and when
The contents can be interpreted by the site that generated them
Internet Explorer Files
Data-mining Internet Explorer

Internet Explorer
Created by Microsoft
Was “fused” into Windows with the release of Windows 98
Even though the GUI has changed significantly over time, each version works the same “behind the scenes”

Internet Explorer Cache
The location of the cache (temp) folder is not obvious
Although the user folder contains a subfolder called “Internet Explorer”, this is not where the files are stored

Internet Explorer Cache
Instead…
• they are in “Temporary Internet Files”
• the history file is in the “content.ie5” subfolder
• a subfolder of “content.ie5” (with a randomly generated name) contains the cache and cookies
This is true of all versions of IE (even up to version 10)

Cache Files
Internet Explorer cached files are renamed, but preserve the original extension
Note: the Windows front-end tends to lie
• if you use Explorer to get to “Temporary Internet Files”, it shows you an abstract – not the real data
• “Temporary Internet Files” is actually hidden from view – even if you select “Show Hidden Files”

Internet Explorer: History
History is stored in “index.dat”
• it also contains hash indexing for the cache
When the user clears the history…
• IE does not delete the file or wipe the data
• just like a hard drive, space is marked as “unallocated” and can be recovered
• so, even if the suspect thinks they are covering their tracks, they are sadly mistaken!

Internet Explorer: Cache, and Cookies
Each path is located within the user’s root folder
OS               Location
95, 98, ME, NT   …\Temporary Internet Files\Content.ie5\random\
XP, 2000         …\Local Settings\Temporary Internet Files\Content.ie5\random\
Vista, 7, 8, 10  …\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.ie5\random\

Internet Explorer: History
Each path is located within the user’s root folder
OS               Location
95, 98, ME, NT   …\Temporary Internet Files\Content.ie5\index.dat
XP, 2000         …\Local Settings\Temporary Internet Files\Content.ie5\index.dat
Vista, 7, 8, 10  …\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.ie5\index.dat
Microsoft Edge Files
Microsoft's new browser

Microsoft Edge Files
Microsoft formally retired Internet Explorer with the release of Windows 10
Although, IE is still included
Microsoft, instead, has a new browser called Edge (originally called Spartan)

Microsoft Edge Files
Edge is odd – it modernizes some of the behavior of IE, but maintains the same older approach as IE
The folders used by Edge are buried very, VERY, deep in the Application Data folder
Each version changes the folder (since it is based on a file version hash)

Here it Gets Weird
History file information…
• is shared with Internet Explorer!
• though, they slightly moved the folder
And – while buried very deep – the cache style used by Edge is identical to IE
So, one can argue that Edge is IE

Edge Cache
Each path is located within the user’s root folder
OS           Location
Windows 10   …\AppData\Local\Packages\Microsoft.MicrosoftEdge_random\AC\#!001\MicrosoftEdge\Cache
Mozilla Firefox Files
Data-mining Mozilla Firefox

Mozilla Firefox
Created by Mozilla
Generally considered more secure than IE or Chrome
Interesting features
• anti-phishing technology (urlclassifier)
• built-in spell checker!

Firefox SQL Files
Firefox generates a unique “ID” for each user on the system
• this is separate from the Windows username
• the ID is used to create a subfolder for each user in the application data folder
Firefox uses “SQLite” database files
• browser history is stored in “places.sqlite”
• cookies are stored in “cookies.sqlite”
• tools can read the contents of SQLite files

Firefox History
Each path is located within the user’s root folder
OS               Location
95, 98, ME, NT   …\Application Data\Mozilla\Firefox\Profiles\ID\places.sqlite
XP, 2000         …\Application Data\Mozilla\Firefox\Profiles\ID\places.sqlite
Vista, 7, 8, 10  …\AppData\Roaming\Mozilla\Firefox\Profiles\ID\places.sqlite

Firefox Cache
Cached files, like IE, are stored in a folder
• but the name and extension are both changed
• in Windows Vista, 7, the cache is stored under the Local folder of Application Data
There are three types of files:
• Cache Map File
• Three Cache Block Files
• Separate Cache Data Files

Firefox Cache
Each path is located within the user’s root folder
OS               Location
95, 98, ME, NT   …\Application Data\Mozilla\Firefox\Profiles\ID\cache\
XP, 2000         …\Application Data\Mozilla\Firefox\Profiles\ID\cache\
Vista, 7, 8      …\AppData\Local\Mozilla\Firefox\Profiles\ID\cache2

Other Firefox Databases
Filename               Description
content-prefs.sqlite   User-specific settings
cookies.sqlite         Cookies
downloads.sqlite       Download history
formhistory.sqlite     Items typed into online forms and search bars
permissions.sqlite     Site-specific settings – cookies, scripting, etc.
places.sqlite          Browsing history
search.sqlite          Search engine plug-in settings
signons.sqlite         Stored passwords
webappstore.sqlite     DOM data – a more secure form of cookies
Google Chrome Files
Now the #1 browser

Google Chrome
Created by the Google Corporation
Very minimalist graphical user interface
Recently became the most popular web browser (replacing Internet Explorer)

Chrome Cache
Cached files are stored in a folder
• like Firefox, the name and extension are changed
• in Windows Vista, 7, the cache is stored under the Local folder of Application Data
There are three types of files:
• main index file
• data files
• cache files

Chrome Cache
Like Firefox, the original extension and name are changed
Every piece of data stored in the cache has a unique “cache address”
Stored as a 32-bit (hex digit) code

Chrome Cache
Each path is located within the user’s root folder
OS               Location
XP, 2000         …\Application Data\Google\Chrome\User Data\Default\Cache
Vista, 7, 8, 10  …\AppData\Local\Google\Chrome\User Data\Default\Cache

Chrome History
Quite interestingly, Chrome stores browser history in a SQLite database
This is the same system used by Mozilla Firefox – although the record format is different
The “Default” folder contains this, cookie files, bookmarks, etc.

Chrome SQL Files
Each path is located within the user’s root folder
OS               Location
XP, 2000         …\Application Data\Google\Chrome\User Data\Default
Vista, 7, 8, 10  …\AppData\Local\Google\Chrome\User Data\Default

Chrome Databases
…\AppData\Local\Google\Chrome\User Data\Default\
Filename       Description
Bookmarks      Favorite websites (called bookmarks by Chrome)
Cookies        Website cookies
Current Tabs   Currently opened websites
History        Browser history
Preferences    User preferences (homepage, toolbars, etc.)
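Both the Firefox SQL Files slide and the Chrome History slide make the same point: the containers are SQLite, so Python's standard sqlite3 module can read them, but the record formats differ, most visibly in the timestamps. Firefox stores visit times as PRTime (microseconds since 1970), Chrome as WebKit time (microseconds since 1601, i.e. FILETIME divided by ten). The script below is an added example, not from the lecture or from either browser project: it builds two in-memory databases with a minimal subset of the real moz_places/moz_historyvisits and urls/visits schemas (constructed sample rows, not captured from a real profile), reads each with its own timestamp conversion, and merges them into one UTC timeline.

```python
"""Pull browsing history from Firefox places.sqlite and Chrome History databases.

Added example, not from the lecture slides or either browser project. The two
in-memory databases below are constructed with a minimal subset of each
browser's real schema (moz_places/moz_historyvisits; urls/visits); real files
hold many more tables and columns.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def prtime_to_datetime(us: int) -> datetime:
    """Firefox stores PRTime: microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def webkit_to_datetime(us: int) -> datetime:
    """Chrome stores WebKit time: microseconds since 1601-01-01 (FILETIME / 10)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_micros(dt: datetime, epoch: datetime) -> int:
    """Inverse conversion; used only to build the sample rows."""
    delta = dt.astimezone(timezone.utc) - epoch
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def firefox_history(conn: sqlite3.Connection) -> list:
    """Each visit joined to its place: (visit time UTC, url, title)."""
    rows = conn.execute(
        "SELECT p.url, p.title, v.visit_date "
        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
        "ORDER BY v.visit_date").fetchall()
    return [(prtime_to_datetime(ts), url, title) for url, title, ts in rows]


def chrome_history(conn: sqlite3.Connection) -> list:
    """Same shape as firefox_history, from Chrome's urls/visits tables."""
    rows = conn.execute(
        "SELECT u.url, u.title, v.visit_time "
        "FROM visits v JOIN urls u ON u.id = v.url "
        "ORDER BY v.visit_time").fetchall()
    return [(webkit_to_datetime(ts), url, title) for url, title, ts in rows]


def unified_timeline(firefox_conn, chrome_conn) -> list:
    """Merge both browsers into one UTC-ordered timeline tagged by browser."""
    events = [("firefox",) + e for e in firefox_history(firefox_conn)]
    events += [("chrome",) + e for e in chrome_history(chrome_conn)]
    return sorted(events, key=lambda e: e[1])


# --- constructed sample databases (not from a real profile) -----------------
def build_sample_firefox() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
    """)
    conn.execute("INSERT INTO moz_places VALUES (1, 'https://www.csus.edu/', 'Sacramento State')")
    visit = datetime(2018, 7, 23, 14, 30, tzinfo=timezone.utc)
    conn.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)", (to_micros(visit, UNIX_EPOCH),))
    conn.commit()
    return conn


def build_sample_chrome() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    conn.execute("INSERT INTO urls VALUES (1, 'https://example.org/report.pdf', 'Report')")
    # recorded by a machine set to UTC-7; stored value is still an absolute instant (14:35 UTC)
    visit = datetime(2018, 7, 23, 7, 35, tzinfo=timezone(timedelta(hours=-7)))
    conn.execute("INSERT INTO visits VALUES (1, 1, ?)", (to_micros(visit, WEBKIT_EPOCH),))
    conn.commit()
    return conn


if __name__ == "__main__":
    for browser, when, url, title in unified_timeline(build_sample_firefox(), build_sample_chrome()):
        print(when.isoformat(), browser, url, title)
```

On a real image, open a copy of the profile file (never the original), since a live browser holds a lock and sqlite3 will write a journal beside the database it opens.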
Windows File Metadata
Thar be gold in ‘dem files

Windows Shortcuts
Added in Windows 95 to make it easy for users to find files and programs
A shortcut can actually link to any file or folder

Windows Shortcuts
The Start Menu, also added in 95, makes extensive use of shortcuts
Shortcuts are actually files themselves, with the extension .lnk

Shortcut Contents
• the target path
• type of volume (removable, fixed hard drive, etc.)
• volume label and serial number – this can be used to connect a file to a unique volume!
• the file’s size in bytes
• creation, last access, and modification times of the target

Windows Shortcuts
Even if the target file is deleted, the shortcut may still exist
The existence of the link indicates the file did exist – this may help you look in unallocated space and backups
Even if the file is not located, the shortcut may imply the data was copied to a removable disk!
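Of the shortcut contents listed above, the target's size and its creation, access and modification times sit in the fixed 76-byte header that every .lnk file starts with, so they survive even when the rest of the file is damaged. The following Python is an added example, not from the lecture or any tool it names: it validates the header (size field and the Shell Link class identifier), decodes the flag bits that say which optional structures follow, and returns the target metadata. The shortcut bytes it parses are constructed in the script; the target path, volume type, label and serial number live in the variable-length LinkInfo structure after the header and are not decoded here.

```python
"""Decode the fixed 76-byte ShellLinkHeader at the start of a Windows .lnk shortcut.

Added example, not from the lecture slides. Field layout follows the
documented Shell Link header; the shortcut bytes below are constructed in this
script. The target path, volume type, label and serial number live in the
variable-length LinkInfo structure after the header and are not decoded here.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags bits: which optional structures follow the header
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTE_DIRECTORY = 0x10


def filetime_to_datetime(ticks: int):
    """FILETIME (100 ns ticks since 1601) to UTC datetime; 0 means 'not set'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used only to build the sample header."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(data: bytes) -> dict:
    """Validate the header and return the target metadata recorded in it."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    (size,) = struct.unpack_from("<I", data, 0)
    if size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    # LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 20)
    return {
        "flags": sorted(name for bit, name in LINK_FLAGS.items() if flags & bit),
        "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "creation_time_utc": filetime_to_datetime(ctime),
        "access_time_utc": filetime_to_datetime(atime),
        "write_time_utc": filetime_to_datetime(wtime),
        "file_size": fsize,  # low 32 bits of the target's size in bytes
    }


def build_sample_lnk_header() -> bytes:
    """Constructed header for a shortcut to a 4096-byte file (not a real .lnk)."""
    created = datetime(2018, 7, 20, 9, 15, tzinfo=timezone.utc)
    modified = datetime(2018, 7, 22, 18, 0, tzinfo=timezone.utc)
    flags = 0x01 | 0x02 | 0x08 | 0x80  # IDList, LinkInfo, RelativePath, Unicode
    body = struct.pack("<IIQQQIiIHHII", flags, 0x20,  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                       datetime_to_filetime(created), 0, datetime_to_filetime(modified),
                       4096, 0, 1, 0, 0, 0, 0)  # icon index, SW_SHOWNORMAL, hotkey, reserved
    return struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + body


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk_header()).items():
        print("%-18s %s" % (key, value))
```

An access time of zero, as in the sample, is common in real shortcuts and is reported as None rather than as 1601-01-01, so it cannot be mistaken for a genuine timestamp when building a timeline.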
Thumbnail Databases
Starting with Windows XP, the user can view a folder’s contents using “thumbnails”
Generating these thumbnails takes a lot of time and system resources
For efficiency, after Windows creates a thumbnail, it caches the image for future use

Windows XP, 2000
In Windows XP / 2000…
• every folder that has images contains a hidden file called thumbs.db
• this file contains the thumbnails in OLE format – the same format used by Microsoft Office
The same thumbnail file is shared by any user that opens the folder
So, you can't tell who saw it

Windows Vista, 7, 8
In Windows Vista, 7, 8…
• thumbnails were moved into several central databases located in the user’s folder
• …\AppData\Local\Microsoft\Windows\Explorer
Now…
• each thumbnail folder is personal to the user
• you can tell who created the thumbnail

Windows 7 Thumbnail Databases
(screenshot of the thumbnail cache files)

Thumbnail Database
Even if the original image was deleted… it may still be available in the thumbnail cache!
So, you can tell that the image did exist on the suspect’s computer and that they looked at it!
Pedophiles have been convicted by this

Thumbnail Database
Several tools exist that can read them:
• EnCase
• Windows File Analyzer
• AccessData FTK
• OSForensics
Windows Spooler
What did the suspect print?

Windows Spooler
Even today, we still need to print documents (paperless future? …Bah!)
So, printers are an essential part of computer technology
Printers are often networked so a single printer can be used by a lab, office, etc.

Windows Spooler
There are some challenges…
• printers may have multiple users
• printers are slower than computers
• printers are all different – does every program need to know how to talk to every printer?
As a result, operating systems have a feature called the spooler

What happens…
1. Applications send data to the spooler using the same format
2. The spooler saves the data and waits for access to the printer
3. It then sends the data
• at the printer’s speed
• the printer’s driver translates the spooler data for the printer

Windows Spool Folder
The spooled data is stored in a folder on your computer
The location of the folder changed slightly between Windows 9x and XP

Windows Spool Folder
There can be data left in this folder that can be of great interest to the investigator
Warning…
• the folder can be moved by the user – though VERY unlikely
• double check the registry

Default Print Spool Location
OS               Location
95, 98, ME       C:\Windows\Spool\Printers
XP, NT, 2000     C:\Windows\System32\Spool\Printers
Vista, 7, 8, 10  C:\Windows\System32\Spool\Printers

Registry: Print Spooler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers

Print Formats
Data is sent in either RAW or EMF
EMF (enhanced metafile format)
• most commonly used
• the same format as clipart!
RAW
• indicates the data will be sent to the printer exactly as stored
• e.g. PostScript, ASCII

Print Spool Folder Contents
For each print job, two files are created
The “spool” (.spl) file
• contains the data that is ready to print
The matching “shadow” (.shd) file
• contains print settings
• includes the number of copies, print tray to use, print quality, and useful metadata

Print Spool Folder Contents
File          File Pattern   Contents
Spool File    <Job ID>.SPL   spooled data that is ready to be printed
Shadow File   <Job ID>.SHD   print settings: # copies, tray, etc.
The Spool File has the extension SPL
The matching Shadow File has the extension SHD

Spooler Viewers
There are a number of tools that can view spooler files
Some products
• EMF Spool Viewer
• O&K Printer Viewer
Examining Logs
Not pleasant, but very useful

Examining Logs
A log is a computer file that contains a recording of actions performed on a computer
There are tons of different logs at your disposal, created by servers, routers, applications, etc.

Examining Logs
Practically all logs use different formats
• most logs are stored in simple ASCII format and can be read by any text editor
• logs for similar systems – routers, web servers, etc. – tend to contain the same data
• …but in different formats
Interpreting them requires time and caution
e.g.: is the time displayed in GMT or local time?

TCP/IP Related Digital Evidence
Logs are a wealth of information on dates, ports and IP addresses
Sometimes the data payload may contain usernames and passwords
Log files and state tables of past and recent connections may be of use in an investigation

Authentication Logs
Authentication logs can show which account was associated with activity, and often an IP
E-mail, Web and other Internet servers may also have authentication logs useful for connecting online activities with an individual.

Application Logs
Many applications have logs containing information about people’s activities
FTP transfer logs can show files that were transferred or deleted.
Web server logs can record the client IP address and the file or pages that it requested.
E-mail servers maintain logs of the headers of mail that they get or send
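The "GMT or local?" caution from the Examining Logs slide and the web server log described under Application Logs come together in practice: a web access log records the client IP and the requested file, but its timestamps carry a local offset that must be normalized before they can be lined up with file timestamps from the disk image. The following Python is an added example, not from the lecture: it parses constructed Apache/NCSA combined-format lines (the IPs, paths and times are made up for the example), converts every timestamp to UTC using the offset in the line, groups requests by client, and selects the events inside a time window, which is the step used to correlate a download with the file found on disk. Lines that do not match the format are skipped rather than silently misread.

```python
"""Normalize web server access-log timestamps to UTC and summarize requests by client.

Added example, not from the lecture slides. The log lines below are constructed
in Apache/NCSA combined format; the timezone offset in each line is what makes
the 'GMT or local?' question answerable.
"""
import re
from datetime import datetime, timezone

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)')

# Constructed sample: one client logged in Pacific daylight time (-0700), one in UTC.
SAMPLE_LINES = [
    '192.0.2.10 - - [23/Jul/2018:07:30:15 -0700] "GET /reports/q2.xlsx HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Jul/2018:07:31:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jul/2018:14:30:15 +0000] "GET /login HTTP/1.1" 401 233 "-" "curl/7.58.0"',
    'garbage line that does not match the format',
]


def parse_log_line(line: str):
    """Return a dict with an aware UTC datetime, or None for unparseable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # %z consumes the +/-HHMM offset, so the resulting datetime is offset-aware
    local = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "time_utc": local.astimezone(timezone.utc),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def parse_log_lines(lines) -> list:
    """Parse every line, dropping ones that don't match, ordered by UTC time."""
    events = [e for e in map(parse_log_line, lines) if e is not None]
    return sorted(events, key=lambda e: e["time_utc"])


def requests_by_ip(events) -> dict:
    """Map each client IP to the ordered list of paths it requested."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e["path"])
    return by_ip


def events_between(events, start_utc: datetime, end_utc: datetime) -> list:
    """Events in [start, end], e.g. to correlate with a downloaded file's timestamp."""
    return [e for e in events if start_utc <= e["time_utc"] <= end_utc]


if __name__ == "__main__":
    events = parse_log_lines(SAMPLE_LINES)
    for e in events:
        print(e["time_utc"].isoformat(), e["ip"], e["status"], e["path"])
    print(requests_by_ip(events))
```

In the sample, the first and third lines describe the same instant even though their printed clock times differ by seven hours; comparing them before normalization would put the events apart and misorder the timeline.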
Operating System Logs
Operating systems also maintain log files of system activities
Unix systems generally retain more TCP/IP related information than Windows Event Logs
Newer versions of UNIX/Linux typically store their log files in /var/adm or /var/log
Most UNIX system logs only contain information about incoming traffic, not outgoing

Network Device Logs
Network devices, such as routers, may log a history of communication
When useful…
• to determine if two computers communicated with each other – i.e. sent data
• a good place to look in cases of stolen/transferred files
• also good for determining network intrusion

Routers and Firewalls
Router logs
• record all incoming and outgoing traffic
• have rules to allow or disallow traffic
• you can follow the path of a transmitted e-mail
Firewall logs
• filter e-mail traffic
• verify whether the e-mail passed through

Log Limits
Some devices have limited memory
• logs can take a large amount of hard disk space
• so, data can be overwritten after a certain time period has elapsed
Transmitted logs
• instead of storing logs locally, some devices send them over a network to other systems for logging
• UNIX/Linux maintains logs on network devices in /var/log/messages and /var/log/secure

Microsoft E-mail Server Logs
Microsoft Exchange Server (Exchange)
• uses a database
• based on the Microsoft Extensible Storage Engine
• logs information about MAPI (Messaging Application Program Interface) and more
Information Storage files
• .edb files – responsible for MAPI information
• .stm files – non-MAPI information

Specialized E-mail / Log Tools
Tools allow you to find:
• e-mail database files
• personal e-mail files
• offline storage files
• log files
Advantages…
• don't need to know how e-mail servers/clients work
• saves considerable time
• however, you still need to understand the source and how the data was found – for court

Specialized E-mail / Log Tools
• AccessData’s Forensic Toolkit (FTK)
• ProDiscover Basic
• FINALeMAIL
• Sawmill-GroupWise
• DBXtract
• Fookes Aid4Mail and MailBag Assistant
• Paraben E-Mail Examiner
• Ontrack Easy Recovery EmailRepair
• R-Tools R-Mai