FORENSIC
PROCESS AND TRICKS CONT...
Finding the MAC address of the machine that wrote the document:
Load the Office document into a text editor and search for:-
PID_GUID
Closely following its location will be a value in braces, ({}), with
groups separated by dashes. The last group is the MAC address of the NIC
that wrote the document. NOTE: Later in the book it claims that this is
only available in Word 97 documents.
Which programs has a user run?:
In WinXP only, whenever a user runs a program, a component called User
Assist captures the event. User Assist cannot be turned off - Bonus!!
User Assist records are encrypted... in ROT13. The User Assist records
are found in the registry at:
HKCU\software\microsoft\windows\currentversion\explorer\userassist
There are two subkeys. Within them are all the programs a user has
executed and all the web pages a user has visited.
To recover User Assist entries from unallocated space search for HRZR_,
which is fixed in each record.
A ROT13 decoder is available at:
http://tools.geht.net/rot13.html
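Added example (not from the book or the original post): a small Python script that undoes the ROT13 on UserAssist value names and carves records out of a raw byte buffer by the fixed HRZR_ prefix, which is what you would do against an image of unallocated space. The value names and the unallocated-space buffer are constructed samples, not data from a real hive.

```python
import codecs
import re

# Constructed sample: value names as they sit under the UserAssist subkeys,
# ROT13-obfuscated, so "UEME_RUNPATH:..." appears as "HRZR_EHACNGU:...".
SAMPLE_VALUE_NAMES = [
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr",
    "HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Zbmvyyn Sversbk\\sversbk.rkr",
    "HRZR_EHACVQY:%pfvqy2%\\Zvpebfbsg Bssvpr",
    "HRZR_PGYFRFFVBA",
]


def decode_userassist(name):
    """Undo the ROT13 obfuscation on a UserAssist value name."""
    return codecs.decode(name, "rot_13")


# Each record starts with the constant prefix HRZR_ (ROT13 of UEME_), which is
# what you search for when carving records out of unallocated space.
UA_RECORD = re.compile(rb"HRZR_[\x20-\x7e]{1,260}")


def carve_userassist(blob):
    """Find ROT13 UserAssist value names in a raw byte buffer and decode them."""
    return [decode_userassist(m.group().decode("ascii"))
            for m in UA_RECORD.finditer(blob)]


def run_paths(decoded_names):
    """Keep the RUNPATH entries only and return the program paths they record."""
    return [n.split(":", 1)[1] for n in decoded_names
            if n.startswith("UEME_RUNPATH:")]


# Constructed stand-in for a chunk of unallocated space: three records with
# junk and NUL bytes between them, as in a deleted hive fragment.
SAMPLE_UNALLOCATED = (
    b"\x00" * 32
    + b"HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr\x00\x00"
    + b"\x07\x1a\xff random filler \xfe"
    + b"HRZR_PGYFRFFVBA\x00"
    + b"\xff" * 8
    + b"HRZR_EHACVQY:%pfvqy2%\\Zvpebfbsg Bssvpr\x00"
)

if __name__ == "__main__":
    for name in SAMPLE_VALUE_NAMES:
        print(name, "->", decode_userassist(name))
    carved = carve_userassist(SAMPLE_UNALLOCATED)
    print("carved:", carved)
    print("programs run:", run_paths(carved))
```

The carving regex stops at the first non-printable byte, so a record that was partially overwritten comes back truncated rather than missed; the RUNPIDL and CTLSESSION entries are kept too because they show shell activity even when no path is recorded.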
Anti Forensic Technologies:
Obscurity Method:
This entails renaming a file or changing its extension to mask its true
nature.
The Unix file command uses file signatures to determine the true
nature of the file regardless of its name or extension.
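Added example (not from the book or the original post): a cut-down version of what the Unix file command does, in Python, comparing the leading bytes of a file against a small signature table and flagging files whose extension disagrees with their content. The signature table is deliberately short and the sample files are constructed.

```python
import os

# Signature table (magic bytes at offset 0) with the extensions that normally
# carry each type. Not exhaustive; the point is the extension/content comparison.
SIGNATURES = [
    (b"MZ", "Windows executable (MZ/PE)", {".exe", ".dll", ".sys", ".scr", ".com"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP archive", {".zip", ".jar", ".docx", ".xlsx", ".pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (Office 97-2003)",
     {".doc", ".xls", ".ppt", ".msg"}),
    (b"Rar!\x1a\x07", "RAR archive", {".rar"}),
    (b"\x1f\x8b", "gzip compressed data", {".gz", ".tgz"}),
]


def identify(data):
    """Return (type label, expected extensions) from the leading bytes, as file(1) does."""
    for magic, label, exts in SIGNATURES:
        if data.startswith(magic):
            return label, exts
    return "unknown", set()


def check_disguise(filename, data):
    """Compare the claimed extension with the signature; True means they disagree."""
    label, exts = identify(data)
    ext = os.path.splitext(filename)[1].lower()
    disguised = label != "unknown" and ext not in exts
    return label, disguised


# Constructed samples: only the first bytes matter for the signature check.
SAMPLE_FILES = {
    "quarterly.txt": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50,
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 50,
    "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 50,
    "cache.dat": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 50,
    "readme": b"plain text, no magic at all\n",
}


def scan(files):
    """Return the names of files whose content does not match their extension."""
    return sorted(name for name, data in files.items() if check_disguise(name, data)[1])


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        label, disguised = check_disguise(name, data)
        print(f"{name:15s} {label:42s} {'MISMATCH' if disguised else 'ok'}")
```

A file whose signature is not in the table is never flagged, so an "unknown" result means "look closer", not "clean"; the real file command ships with a far larger magic database.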
Encoding Methods:
This is where a file's contents are altered to hide them (encrypted).
It can be hard to determine the encryption method, but on Windows do
not rule out ROT13.
Compression Method:
This involves compressing the data for storage or transmission. Export
the file from the image and try the standard compression engines for
the OS.
NTFS Alternate Data Streams:
This hides the file entirely behind another file - tools such as LADS
can show the existence of the alternate streams.
Slack Space:
This is the space in a re-used data sector that did not get overwritten
because the new data written was smaller than the old data written to
the data sector. Accurately and efficiently locating slack space is
nearly impossible without professional forensic tools.
Defeating Encryption:
Surprisingly, the easiest way is to ask the subject for the key(s) and
encryption method. If they will not give it and a court is involved, ask
the court to demand it. Failure to provide it to the court usually will
result in a contempt of court charge and is the way law enforcement
usually deals with encryption.
Steganography:
This is quite new and very difficult to locate. Usually your clue is
found elsewhere in the form of a steganography tool installed on a
machine. For .JPEG files there is an open source program at:-
http://www.outguess.org.php
Wiping:
If done correctly there isn't much to be done. It may be easy to show
that wiping took place, but the data may not be retrievable without
considerable resources. This is commonly known as secure deletion.
You may find elements of a wiped file in:-
Pagefile
MFT or FAT table
NTFS journal
Slack space
Backups of the system
The same locations apply for wiped slack space, unallocated space, etc.
Acquiring RAID systems:
You need to note the original sequence of the drives in the bays.
RAID 1 isn't so difficult to reproduce but the higher RAIDs can be more
difficult. Under Linux the command:-
mount -o loop,ro /path/to/image /path/to/where/to/mount
where -o loop attaches the image to a local loopback device and ro
mounts it read-only, will give you a read-only view of the array if you
can get it to mount. Then you can use the raidtools program in Linux to
build the array without changing it.
NAS and SANS are too difficult!!!
Tapes:
Suck - there are so many formats and so much proprietary software to
write them that change so quickly that they are a pain.
In Windows you need to install Cygwin. Once installed you can issue the
following command because the Windows drivers automatically recognize
the block sizes and any other tape level settings:
dd if=/dev/st0 | less
Then:-
dd if=/dev/st0 > tape0
will copy the tapes data out to a file called tape0. NOT SURE - book is
unclear - check this!!!
TRAP - AGAIN? too much data - be careful - consult counsel - you could
lose the case by having too much data!
Email Analysis:
Outlook:
There are 9 file types associated with Outlook:
1. .PST is the data file found in
\documents and settings\<user>\local settings\application data\microsoft\outlook
2. .OST are offline files found in
\documents and settings\<user>\local settings\application data\microsoft\outlook
3. .PAB is the personal address book found in
\documents and settings\<user>\local settings\application data\microsoft\outlook
4. .OAB is the offline address book found in
\documents and settings\<user>\local settings\application data\microsoft\outlook
5. .NK2 are contact nicknames found in
\documents and settings\<user>\local settings\application data\microsoft\outlook
6. .RWZ are rules files found in
\documents and settings\<user>\local settings\application data\microsoft\outlook
If the import or export function has been used the default location is
\documents and settings\<user>\my documents
7. .RTF, .TXT, .HTM are the signature files found in
\documents and settings\<user>\application data\microsoft\signatures
8. .DIC are dictionary files found in
\documents and settings\<user>\application data\microsoft\proof
9. .MSG, .HTM, .RTF are saved messages found in
\documents and settings\<user>\my documents
While there are several tools available to analyze Outlook files it can
be done quite well with a new installation of Outlook.
Outlook Express:
Outlook Express uses .DBX files located in the following locations:-
Win2K\XP\2K3: \documents and settings\<user>\local settings\application data\identities\<unique string>\microsoft\outlook express
WinNT: winnt\profiles\<user>\local settings\application data\identities\<unique string>\microsoft\outlook express
Win9X\ME: \windows\application data\identities\<unique string>\microsoft\outlook express
These files can be imported into Outlook Express for analysis.
Mozilla and Netscape:
The files for these programs are held in a single directory. The files
are similar to Unix email and are held as .TXT files and can be
analyzed in several ways.
America Online:
Mail can be held either on the computer or AOL's server. The file
format is proprietary and only a few tools can read the .PFC files.
http://www.hotpepperinc.com/emd.html is $120 for a single user and is
able to analyze these files.
Web Based email:
You have two choices - subpoena the ISP or reconstruct the data from
the drive. For reconstruction:-
Yahoo:
Search for showfolder, showletter, compose and attachments. There will
be a second compose file created when the email is sent - search for:
input type=hidden name=<field name> value=
The data immediately after will be the addressing information etc.
The body of the email can be found immediately after:
input type=hidden name=body value=
Yahoo files are unencoded and can be easily read but opening them in a
browser may not render all fields visible.
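Added example (not from the book or the original post): Python that pulls the hidden input fields out of a carved compose page so the addressing information and the body can be read without opening the fragment in a browser. The page fragment is constructed, and the field names To, Cc, Subj and body are placeholders standing in for whatever the real form used.

```python
from html.parser import HTMLParser

# Constructed fragment of a carved webmail compose page, in the shape the notes
# above describe: hidden inputs carry the addressing fields and the body.
SAMPLE_FRAGMENT = (
    b'<html><body><form method=post action="/ym/Compose">'
    b'<input type=hidden name=To value="alice@example.com">'
    b'<input type=hidden name=Cc value="">'
    b'<input type=hidden name=Subj value="Re: Friday">'
    b'<input type=hidden name=body value="Lunch at noon? -- Bob">'
    b'<input type=text name=Search value="">'
    b'</form></body></html>'
)


class HiddenFieldCollector(HTMLParser):
    """Collect name/value pairs of every <input type=hidden ...> seen."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def recover_webmail_fields(blob):
    """Parse carved page data (bytes off the disk) and return the hidden fields."""
    parser = HiddenFieldCollector()
    parser.feed(blob.decode("latin-1"))   # lossless for arbitrary carved bytes
    parser.close()
    return parser.fields


def split_message(fields):
    """Separate the addressing fields from the body field."""
    addressing = {k: v for k, v in fields.items() if k.lower() != "body"}
    return addressing, fields.get("body", "")


if __name__ == "__main__":
    addressing, body = split_message(recover_webmail_fields(SAMPLE_FRAGMENT))
    for k, v in addressing.items():
        print(f"{k}: {v}")
    print("---")
    print(body)
```

Decoding as latin-1 keeps every byte of a carved block parseable even when the page was cut off mid-tag; HTMLParser tolerates the unquoted attribute values the notes describe, and the visible text inputs are ignored so only the hidden fields come back.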
Hotmail:
Search for hotmail, doaddress, getmsg, compose and calendar.
Hushmail:
This is becoming more popular as a desire for privacy increases.
Fortunately, users don't understand that Hushmail only promises security
on the server and in transit, not on the client, thus the data can be
found by searching for:
hushappletframe.message.<e-mail field>
Tracking User Activity:
Office Documents:-
Documents sent by email for review have a wealth of information, both in
their properties under File - Properties - Custom and in .RCD files
(either adhoc.rcd or review.rcd) in the user's documents and settings
folder under \application data\microsoft\office.
Recovering undo information:
If a document is saved with quicksave turned on then it is quite
possible that any undo information will remain within the document
which will be easily visible in a hex editor. You may be able to
recover multiple changes that go back some way.
Past Filenames:
Older office documents keep every filename the file was ever saved as
which can point to network drives or removable media the suspect used.
The filenames are held in unicode and using Strings from SysInternals
with the -u option will find them for you.
Office documents can be very valuable if you look beyond that which is
obvious though it is important to remember that this evidence is
non-authoritative and should only be used to corroborate other evidence
or to help find new evidence.
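Added example (not from the book or the original post) covering both the PID_GUID trick from the start of these notes and the past-filenames trick above: Python that extracts the unicode strings from an Office binary the way strings -u would, lists the ones that look like Windows paths, and derives the MAC from the GUID that follows the PID_GUID marker. The document bytes, paths and GUID are constructed; the version and multicast-bit checks on the GUID come from RFC 4122 and are not in the book.

```python
import re

# Printable runs: ASCII, and UTF-16LE (what "strings -u" from Sysinternals reports).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
GUID_RE = re.compile(
    r"\{([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}"
)
# Windows paths: drive letter or UNC share.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\)")


def strings_with_offsets(blob):
    """Return (offset, text) for every printable ASCII and UTF-16LE run, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def past_filenames(blob):
    """Unicode strings that look like Windows paths: the names the file was saved as."""
    return [t for _, t in strings_with_offsets(blob) if PATH_RE.match(t)]


def mac_from_pid_guid(blob):
    """Locate the GUID following PID_GUID and derive the NIC address from its last group."""
    marker_seen = False
    for _, text in strings_with_offsets(blob):
        if not marker_seen and "PID_GUID" in text:
            marker_seen = True
            text = text.split("PID_GUID", 1)[1]
        if not marker_seen:
            continue
        m = GUID_RE.search(text)
        if m:
            node = m.group(5).lower()
            return {
                "guid": m.group(0),
                "mac": ":".join(node[i:i + 2] for i in range(0, 12, 2)),
                # Only a version-1 GUID carries a node address; the version is
                # the first hex digit of the third group.
                "version1": m.group(3)[0] == "1",
                # Multicast bit set in the first octet means the node was
                # generated randomly, not taken from a NIC (RFC 4122).
                "random_node": int(node[:2], 16) & 1 == 1,
            }
    return None


def u16(s):
    return s.encode("utf-16-le")


# Constructed stand-in for an Office 97 binary: OLE2 magic, a few UTF-16
# strings including old save paths, then the PID_GUID marker and its value.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + u16("Normal.dot") + b"\x00\x00"
    + u16("C:\\My Documents\\budget-draft.doc") + b"\x00\x00"
    + b"\x01\x02\x03"
    + u16("\\\\FILESRV01\\finance\\budget-final.doc") + b"\x00\x00"
    + u16("E:\\budget.doc") + b"\x00\x00"
    + b"_PID_GUID\x00" + b"\x00" * 4
    + u16("{A1B2C3D4-1234-11D0-89AB-0800200C9A66}") + b"\x00\x00"
)

if __name__ == "__main__":
    print("saved as:", past_filenames(SAMPLE_DOC))
    print("PID_GUID:", mac_from_pid_guid(SAMPLE_DOC))
```

The two extra flags are the check a practitioner wants before quoting a MAC: if the GUID is not version 1 or its node has the multicast bit set, the last group is not a NIC address and the trick does not apply to that document.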
Tracking Internet Use:
Internet Explorer:
It is far from easy for a user to hide their activity in IE. While all
the data is available for the investigator in the form of multiple
index.dat files it is important to understand how IE stores this
information should you ever find yourself in a courtroom.
There are two command line tools that can assist in the process of
tracking the user in IE. Both are available from Foundstone. The first
is Pasco which parses index.dat files and the second is Galleta which
can parse cookies.
In WinXP\2K data will be found under the user's folder under documents
and settings.
\Cookies\index.dat is the audit trail for all cookies installed on the
system in the users context.
\local settings\history\history.IE5\index.dat is the browser history
for the last calendar day.
\local settings\history\history.IE5\MSHistXXXXXXXXX\index.dat is where
the daily history rolls over to as each day passes.
\local settings\temporary internet files\content.IE5\index.dat is where
the information for the location of supporting files such as images
etc. is held - look here to try to reconstruct web pages.
\userdata\index.dat keeps information on automatic accesses to the
internet such as automatic updates.
In earlier versions it is best found by searching for all the index.dat
files.
IE History:
In order to make the history function work Windows has to keep this
data somewhere. Under the History.IE5 folder you will find several
folders with names such as:-
MSHist012004010120040107
If you remove the MSHistXX what remains is two dates corresponding to
one-week periods prior to today's date. In each of these folders is
an index.dat file that can be analyzed with Pasco.
Pasco's output on a History file would consist of:-
TYPE: the type of request made - this will usually be URL for GET
request.
URL: the actual url requested
MODIFIED TIME: the time the page was loaded into history
ACCESS TIME: the time the history entry was last accessed.
FILENAME: this is used if redirection occurred and will show URL if a
url is requested
DIRECTORY: same as FILENAME but for directory - blank on a url request.
HTTP HEADERS: holds any headers such as form data for POST requests.
Blank for url requests.
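Added example (not from the book or the original post): Python that decodes the two dates in an MSHist folder name, reads history output laid out as tab-separated text in the column order listed above, and flags entries whose access time falls outside the folder's date window. The tab layout, the timestamp format and the "Visited: user@url" form of the URL field are assumptions made for the constructed sample, not a statement about Pasco's exact output, and the window is treated as inclusive of both dates.

```python
import re
from datetime import datetime

MSHIST_RE = re.compile(r"^MSHist(\d{2})(\d{8})(\d{8})$")
VISITED_RE = re.compile(r"^Visited: ([^@]+)@(.*)$")

# Column names as listed in the notes above; the sample below is constructed
# as tab-separated text in that column order (an assumption about the layout).
COLUMNS = ["TYPE", "URL", "MODIFIED TIME", "ACCESS TIME", "FILENAME", "DIRECTORY", "HTTP HEADERS"]
TIME_FMT = "%m/%d/%Y %H:%M:%S"   # assumed timestamp layout of the sample


def mshist_range(folder_name):
    """Strip the MSHistXX prefix and return the two dates encoded in the folder name."""
    m = MSHIST_RE.match(folder_name)
    if not m:
        raise ValueError("not an MSHist folder name: " + folder_name)
    start = datetime.strptime(m.group(2), "%Y%m%d").date()
    end = datetime.strptime(m.group(3), "%Y%m%d").date()
    return start, end


def parse_history_records(text):
    """Turn tab-separated history output into dicts, sorted by access time."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("TYPE\t"):
            continue
        parts = line.split("\t")
        parts += [""] * (len(COLUMNS) - len(parts))   # pad short lines
        rec = dict(zip(COLUMNS, parts))
        for key in ("MODIFIED TIME", "ACCESS TIME"):
            rec[key] = datetime.strptime(rec[key], TIME_FMT) if rec[key] else None
        records.append(rec)
    return sorted(records, key=lambda r: r["ACCESS TIME"] or datetime.min)


def split_visited(url_field):
    """Split 'Visited: user@url' into (user, url); other forms come back unchanged."""
    m = VISITED_RE.match(url_field)
    return (m.group(1), m.group(2)) if m else ("", url_field)


def outside_window(folder_name, records):
    """URLs whose access time lies outside the folder's date range (inclusive here)."""
    start, end = mshist_range(folder_name)
    return [split_visited(r["URL"])[1] for r in records
            if r["ACCESS TIME"] and not (start <= r["ACCESS TIME"].date() <= end)]


# Constructed sample in the assumed layout: header line, then one record per line.
SAMPLE_HISTORY = """TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS
URL\tVisited: jdoe@http://www.example.com/\t01/03/2004 09:15:02\t01/03/2004 09:15:02\tURL\t\t
URL\tVisited: jdoe@http://intranet.example.local/reports\t01/05/2004 14:22:10\t01/06/2004 08:01:44\tURL\t\t
URL\tVisited: jdoe@http://mail.example.com/login\t01/09/2004 17:40:00\t01/09/2004 17:40:00\tURL\t\t
"""

if __name__ == "__main__":
    folder = "MSHist012004010120040107"
    start, end = mshist_range(folder)
    print(f"{folder}: {start} to {end} ({(end - start).days} days)")
    records = parse_history_records(SAMPLE_HISTORY)
    for rec in records:
        user, url = split_visited(rec["URL"])
        print(rec["ACCESS TIME"], user, url)
    print("outside window:", outside_window(folder, records))
```

An entry whose access time does not fit the folder it was found in is worth a second look before it goes into a timeline: it may be a clock change, a restored backup, or a folder name that no longer matches its contents.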
Getting information from cookies:
Use Pasco on the index.dat file in the user's \cookies folder to see the
details of all the cookies. Notice that the FILENAME parameter is now
displaying the name of the cookie. Sometimes you need to look more
deeply into a cookie. This is where Galleta comes in. Its output fields
are as follows:-
SITE: name and url of where the cookie came from.
VARIABLE: the name of the variable stored in the cookie.
VALUE: the value of the variable
CREATION TIME: the time the cookie was created - the time the web site
was visited.
EXPIRE TIME: when the cookies date expires. If a site retrieves a
"stale" cookie it will create a new one.
FLAGS: enumerates the flags set in the cookie - see RFC for more
information on cookie flags.
Recreation from the cache:
The process is the same here... Convert the index.dat into a readable
format, find the interesting entries and use the data to reconstruct
the pages.
From here the book goes deeply into PDAs and cell phones using
proprietary software and then into the legal stuff, which is long,
boring and not appropriate for this location.
Original Tutorial
Submitted by nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.