FOR500.5: Core Windows Forensics Part IV: Internet Browsers [FOR500_C01_01 ed.]

Citation preview

408/500.5

Core Windows Forensics IV: Internet Browsers

Copyright © 2017, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute. PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT (‘CLA”) CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND THE SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. With the CLA, the SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by the SANS Institute to the User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between The SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA. BY ACCEPTING THIS COURSEWARE YOU AGREE TO BE BOUND BY THE TERMS Of THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH Of THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO THE SANS INSTITUTE, AND THAT THE SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF. If you do not agree, you may return the Courseware to the SANS Institute for a full refund, if applicable. User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of the SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of the SANS Institute. If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this courseware, SANS acknowledges that any and all sofiware and/or tools, graphics, images, tables, charts or graphs presented in this courseware are the sole property of their respective trademark/registered/copyright owners, including: to AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, Air, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Sin, Safari, Retina, Passbook, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Spaces, Spotlight, There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc. Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA. F0R50Q408_5C01_O1

PORSOO

WINDOWS FORENSIC ANALYSIS

Core ‘Windo’vs S%NDFIR Forensics IV:

O1LlIAC FflRENSlC E lNlDENT REPflNSE

Internet Browsers @2017 Rob Lee I All Rights Reserved I Version # FOR500 CO 101

Welcome to Core Windows Forensics. Rob Lee [email protected] Chad Tilbury [email protected] -

-

http://twitter.com/robtlee http://twitter.com/chadtilbury http://twitter.com/sansforensics

©2017 Rob Lee

1

fl r I fl

UrII

FOR4O

Windows Forensics

DlITAL FURENSlS

Advanced Incident Response

IN(lDtNI RESPflNXE

FORS/2

Advanced Network Forensics and Analysis CNFA I

I

FOR5$ Qp 73

Mac Forensics

Cyber Threat Intelligence

F0R6O

REM: Malware Analysis Memory SC5O4

Hacker Tools, Techniques, Exploits, and Incident Handling

/ IL j’

)

(

MGT53%

Incident Response Team Management

Advanced Smartphone Forensics

sansforecsks

@ sans1orenscs

dfrto/DFtRinkedInCommunity

Welcome to Core Windows Forensics. Rob Lee r1eesans.org Chad Tilbuiy ctilburysans.org USB Contributions by Nicole Ibrahim -

-

hftp://twitter.com/robtlee http://twifter.com/chadtilbury http://twitter.com/sansforensics

2

©2017 Rob Lee

dfirto/gpIussansforensics

dfirto/HAlLLlSI

©

CD CD

r

0 0

—1

NJ C

FQR4O$

@ sansforensics

Advanced Smartphone Forensics

FCRS8S

Memory Forensics In-Depth

FQRS2%

MacForensks

FORSIB

Windows Forensics

4

dfir.ro/gpIussansforensics

dfirto/DflRLinkedInCornrnunity

L

H S

ur r I

ADVERSARY HUNTING

—

H—

jul

-

nm—

INCIDENT

F0R572

Advanced Network Forensics and Analysis

n

sansforensics

IN

ni

OPERATING SYSTEM & DEVICE

DIRITA FORENSICS B INCIDENT RESPONSE

SS OFIR

F0R508

dfir.to/MAIL4IST

Incident Response Team Management

MGT%35

Hacker Tools, Techniques, Exploits, and Incident Handling

SECSO%

REM: Maiware Analysis

FOR6!O

Cyber Threat Intelligence

F0R578

Advanced Incident Response

i_DFIR OIIIA1 FURENSIGS ii IN1DENT RESPNSE

Before WeTeach the Final Section

Brief Intro to 50$ Advanced Incident Response

F0R500

OFIR This page intentionally left blank.

4

©2017 Rob Lee

I

Windows ForensicAnafysis

4

• APT: Advanced Persistent Threat

• Organized Crime: Card Data Theft • HacktMsts: Expect Them -

adversaries

respond

What You Should learn by the End of the Course Peal hiidt’nt Re P11t’ I actn [‘iiuelin ,11I(I Siiiat—I nic1inc AnahC. • Memory Analysis • EnteIl)rise Investigations \j t i It)Tefl IC I)eI Cel Ion arc I tecuon • IP Th.ft Deteetifm

-

Lethal Forens 1 cator

OFIR

FOR500

WI dows fore sic Analysis

Over the past 2 years, we have seen a dramatic increase in sophisticated attacks against organizations. Cyber attacks originating from China named the Advanced Persistent Threat (APT) have proved difficult to suppress. Financial attacks from Eastern Europe and Russia obtain credit card and financial data resulting in millions of dollars stolen. Commercial and Federal IT Security are battling multiple intrusions attributed to the Advanced Persistent Threat during the past several years. The adversary is good and getting better. Are we learning how to counter them? Yes, we are. Learn how. We have been busy updating the forensic and incident response courses at SANS to include the latest tactics at finding and defeating targeted attackers. The course where we have focused much of our efforts to train forensicators to deal with this threat is the “F0R508: Advanced Computer Forensic Analysis and Incident Response” course. Over the past year, we have continually added and updated key sections aimed at directly responding to advanced adversaries that organizations currently face. Is there malware on this machine? Ever been handed a hard drive and your task is to “Find Evil” but you don’t know where to start looking? In FOR5O$, there is a new section that deals solely with examining compromised systems looking for unknown malware. This process utilizes many of the skills a forensicator must have to simply “FIND EVIL” when they do not know where to look. Timeline Analysis and Super-Timeline Analysis: Annoyed you are doing this by hand in FOR500? We actually can create it automatically in FOR5O$. Critical to nearly any case, the past 2 years have seen a dramatic increase in the necessity of timeline analysis for incident response and digital forensics.

©2017 Rob Lee

5

at Having mastered artifact analysis in FOR500, students can appreciate automatically tracking system activity single a glance. Through examining the file system, Windows OS artifacts, and registry entries from a machine, an examiner can determine exactly what happened at any time. Memory analysis: Sorting throtigh network and active processes from a memory snapshot is a critical

skill during an intrusion case to find maiware and track adversary activity. Moving from malware identification during live response to recovering APT “command and control” channel data, memoty analysis is now critical during modern incident response situations.

Enterprise investigations: Investigators must utilize new techniques to not only investigate a single system, but also hundreds simultaneously. As a part of this class, we equip each student with FResponse Tactical, which allows each student to remotely examine a system without first having to image it. This increase in efficiency is needed to quickly scan systems during a large-scale breach. Imaging each system to perform forensics is now considered only in rare specific situations. This new addition changes the way you are currently responding to your breaches across your enterprise. F0R508 has been updated with the latest investigative techniques to help arm you with the correct knowledge “F0R508: to counter advanced adversaries, Our cyber enemies are growing in knowledge and sophistication. to counter tactics and tools Advanced Computer Forensic Analysis and incident Response” arms you with the them.

6

©2017 Rob Lee

H

229 r

ro

v t

-,

n t

e ,rk b

a orr’ d

33%

6’/o

ri on

L

DHR

FOR500

Wit dows FarensicAnilyis

7

FACT: Most organizations cannot detect intrusions. This is startling considering that our adversaries are increasing their attacks against our systems. In multiple reports, between 2011 and 2014, it has been detailed that organizations cannot detect the intrusions themselves. They find out about the intrusion through third-party notification. In many cases, the attacks are detailed to the victims through law enforcement channels. •

64%: Percentage of victim organizations that took more than 90 days to detect the intrusion. (Trustwave Global Security Report) 66%: 66% of breaches remained undiscovered for months or more (Verizon Data Breach Report). 229 days: “Median number of days that the attackers were present on a victim network before detection” (Mandiant M-Trends). Longest Presence: 2,287 days until detected.

To give yoti a good perspective on the problem, I highly encourage each attendee to read the three reports cited next.[’L [21, [3] Each has a slightly different perspective, but you can realize the extent of the challenge. This course is aimed to help organizations increase their capabilities to detect and respond to intrusions by teaching you the tools and techniques that are critical to overcoming the problem outlined here. We will not be winning the battle in cyberspace until most organizations (above 50%) can detect their own intrusions. With the millions being poured into cyber detection methods, you would think these numbers would be something from 1 999. However, the reality is that our adversaries are good. We aren’t. This course is designed to make you and your organization much, much better. References

[1] Trustwave: Global Security Report: hnps://www.trustwave.com/global-security-report [2] Verizon Data Breach Report: http://www.verizonenterprise.com/DBIRI [3] Mandiant M-Trends: www.mandiant.com http://www.mandiant.com/resources!m-trends/ -

©2017 Rob Lee

7

I\

Ii

S

S

N

0 N

E

0

0

0 C

qW

0

G) 0 -J -Q 0

N

©

C

I\4andiant M-Trenus Report 1

DRR

FORSOO I W Jow Forenst Ana ysis

According to Mandiant and other sources, malware might not be present on every system. The “2012 M-Trends Report” details this fact very well in discussing that maiware traces might be left on a machine, but the existence of malware on each system is not guaranteed. Some of the examples that Mandiant uses are listed in the slide. What is useful here is how it determined how the systems were compromised in the end. It had to use traditional forensic techniques to uncover the existence of the compromise.[l Some of the methods that are used to uncover compromised machines are found detailed in both FOR500 and f0R508 combined. Notice the items in blue on the slide are not covered in 50$, whereas the others are. To detect intrusions, you need skills from both classes. Reference [1] Mandiant M-Trends: www.mandiant.com

©2017 Rob Lee

9

:

7

f

5jC

7

SCCISSSCC

A:’r

5C%

I

S S

7

75

V

SC

7

cC

7 7

7SS

S

55

SCF75V

7 7$

;C7%

C S.

7

S••577

5$j7,

7

I

I,

—

V

55575

$7

77

$

Ll 11

kbw Pnw

7

1

CC

5$

$757577

-J

C

F

C

©

C

• It is a tool to accomplish deep forensic analysis • You have to learn it like you do any tool • Powerful command-line capability • Memory Analysis • Timeline Analysis • file System Analysis And more

DFIR

F0R500 I Windows Forensic Analysis

An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, which can match any modern forensic tool suite, is also featured in SANS’ “Advanced Computer forensic Analysis and Incident Response” course (FOR 50$). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cuffing-edge open-source tools that are freely available and frequently updated. The SIFT Workstation is a VMware appliance, preconfigured with the necessary tools to perform detailed digital forensic examination in a variety of settings, It is compatible with Expert Witness format (E01), Advanced Forensic format (AFF), and raw (dd) evidence formats. The new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools such as log2timeline that provides a timeline that can be of enormous value to investigators.

©2017 Rob Lee

11

11

Includes: • • • • • • -

• • • • •

The Sleuth Kit (File System Analysis Tools) log2timeline (Timeline Generation Tool) ssdeep and md5deep (Hashing Tools) foremost/Scalpel (File Carving) Wire$hark (Network Forensics) Vinetto (thumbs.db Examination) Pasco tIE Web History Examination) Rifiuti (Recycle Bin Examination) Volatility Framework (Memory Analysis) DFLabs PTK (GUI Front-End for Sleuthkit) Autopsy (GUI Front-End for Sleuthkit) PyFLAG (GUI Log/Disk Examination) FOR500

flfffi

J

Windows Forensic Analysis

pre-installed on the SIFT All the programs you use in class to analyze Windows and UNIX systems are included having you to install a without exercises upcoming Forensic Workstation. This enables you to be ready for the bunch of tools on your system.

12

©2017 Rob Lee

‘

508 is actually Part 2 of the 500 class 44

We recommend taking o8 after you certify in too; minimum 3 months =

,

:

:

:

:

j

:

:

:

:

:

:

44

DFIR

FOR500

i

Windows Forensic AnJysis

i3

This page intentionally left blank.

©2017 Rob Lee

13

r

I

C

L C

This page intentionally left blank.

C C

f

C

14

©2017 Rob Lee

lSDFIR QllTAL FORENSICS

INCIDENT REPUNSE

Internet Browser Forensics

DFIR

FOR500

Windows ftrensi Analysis

This page intentionally left blank.

©2017 Rob Lee

15

w

e.

.

-

ONIAVEI iNiiENTS.

ONE BYTE ATATIME.

DFIR

FOR%OO

J

Windows ForenskAnalysis

Browser forensics is a critical skill because it can provide an overwhelming amount of information to the investigator. Accessing the Internet is one of the most frequent user activities, and browsers are the key portal used to facilitate that access. In some cases, such as employee misuse, Internet activity alone may provide the key pieces of evidence. In other cases, Internet activity may not be the focus but can provide valuable corroborating evidence. A frequent example is reviewing the history for local file access or the browsing of network shares during a computer intrusion investigation. This section covers the range of information you can expect to find when conducting browser forensics. It focuses on the three dominant browsers on the market: Internet Explorer, Mozilla Firefox, and Google Chrome. First, we discuss the concepts using Internet Explorer and Edge as a model and then extend those ideas to examine browser artifacts left by firefox and Chrome.

16

©2017 Rob Lee

I6

the user ‘visit? how many times

A ‘

4

sa$tc!iite%? visited? tbs th

A

/ c

4

is

Uache

• Flistorv History ,) Cookies

Cookies

4

) Cache>

irs>

‘Bookmarks \ Download folder

searching for?

) eookA

ahe

>> Cache> •ito- mpkW

Auto-Cornp1ete > Cache >

DFIR

FORSO

W dows Frens Ana1ys s

During any forensic analysis, investigators should always strive to identifS’ what a piece of trace evidence is and how it relates to the fttndamental questions that they want to answer. Like other applications we investigate, internet browsers store a large amount of user data, which we call artifacts. Although many different browser artifacts exist, three, in particular, provide the foundation of most browser evidence: •

History Files

•

Browser Cache Cookies

Evidence from these locations goes a long way toward helping the investigator profile a user: determining what sites were visited, how often, at what times, and what kinds of activities were performed on that site. Although these three artifacts are invaluable, you need to be aware that there are ancillary locations that can greatly help us corroborate evidence and fill in the picture of what happened on a computer system. Items such as bookmarks can show knowledge and intent of the user who chose to save them. The download folder and temporary directories often house long forgotten downloads that could be relevant. And auto-complete information, although not always easy to get to, can provide excellent information on form data entered, search terms, and usemames utilized. History and cache files are also the items most often cleared by users, so in some cases, the “ancillary” artifact locations will be the only ones available to aid your investigation.

©2017 Rob Lee

17

• Used to view a variety of web content: Text Images

File servers Dla fee Is

‘Video Code

• M’my different browsers exist: Internet Explorer

Firtiox

Safa:i

(nroinr

Cl rome, Firifox, ‘1

1

d IE d minati FQR500

DHR

I

Windows ForensicAnalysis

An Internet browser is a piece of software that enables users to interact with web pages or web content. Originally, this was text pages coded using Hyper-Text Markup Language (HTML), but the ubiquity of the web has added a vast array of items that web browsers are now used to view. Videos and images are commonplace, and programming code such as JavaScript and Adobe Flash are adding increasing functionality to websites. Browsers are now used as web-based e-mail clients, RSS feed readers, to transfer files and to view offline content. Given all these activities, it should come as no surprise that browser artifacts give an investigator an excellent window into how a computer system is used. Although the first two “browser wars” are over, the world is growing increasingly dependent on the web, and many different organizations are competing for a piece of the browser marketJ’1 Internet Explorer and Mozilla Firefox have long vied for dominance, but Google Chrome has recently overtaken them as the frontrunner. The rapid adoption of Apple iPhones and Mac systems has only slightly improved Safari’s market share.[21 References [I] http://en.wikipedia.org/wiki/Browserwars [21 http://gs.statcounter.com

18

©2017 Rob Lee

‘

DFIR

FORSOO l Win lows Forensic MaNsis

“

This page intentionally left blank.

©2017 Rob Lee

19

1E6/1E7 • Only encountered on out-of-date systems 1E8 o

Released in 2009; default for Windows 7

1E9 • Released in

2011

as browser wars heat up (again)

IEio • Available in 2012; default browser in Windows $

lEn • Available in late 2013 with release of Windows 8.i

Versions Prior to IEio Share Core Artifacts and Locations FORSOO Windows forenscAna1ysis flFtR Internet Explorer is still a relevant web browser due to its tight coupling with the Windows operating system. It once controlled more than 95% of the browser market. It has gone throttgh many iterations, but where and how it stores its browser artifacts has largely remained unchanged through Internet Explorer 5 to 9. This is a great boon to investigators because the forensic methodology to analyze these browsers remains virtually unchanged. The one caveat to this is that Microsoft radically changed the folder structure and thus the artifact locations in its Vista!Win7 release. These new locations are addressed in a slide later in the course. Investigators are most likely to see the following IE versions installed on modem computer systems: 1E6: Released in 2001 and fotind on Windows 2000 and Windows XP systems. In 2007, 1E6 still had a 35% market share, but this has dropped dramatically since the 1E7 upgrade was released by Microsoft as part of an auto-update for XP, Vista, and Server 2003 in early 2008. (1E7 will not run on Windows 2000.) • 1E7: Released in 2006 and now the most commonly found browser on Windows machines. If an XP machine is up-to-date with its patches, it will likely be running 1E7. 1E7 was released as the default browser in Vista. • 1E8: Released in early 2009 and set to be the default browser for Windows 7. Adoption has been slow, but improved security features may encourage users to upgrade quickly. • If 9: Released in March 2011 without a corresponding Windows release. A significant update released to stave off market share loss to Chrome and Firefox. • if 10: Default browser on Windows 8. lElO is the first Internet Explorer release to deviate from the standard artifacts. Most notable, index.dat databases appear to be largely deprecated in favor of other .dat files, Research is currently being conducted on these new artifacts, IEI 1: Default browser in Windows 8.1. Similar artifacts to 1EIO, but some file system changes have occurred.

20

©2017 Rob Lee

ZO

I

Metadata Stored jn Index.dat Files History\Lor\History 1E5

-

---—------———

—-—‘-—

-

-—

---

Temporary Internet Files\Low\ContentlE5

Cookies\Lo#

This slide is a cheat sheet for browser artifact locations for IE prior to lElO running on Microsoft Win7 operating systems. Browser artifact files come in two primary flavors: metadata and storage files. Metadata records information like what URL a cached file or cookie is associated with, when access to the URL occurred, and how many times artifacts have been used. Storage areas are used to hold the actual files downloaded for the cache or the cookies stored by a website. Prior to lEl 0, lndex.dat files were used extensively to store metadata for the browser history, cache, cookies, and download history. These Index.dat database files are found in the same locations as the storage files they describe. With the release of Vista!Win7, Microsoft significantly changed the folder structure and mechanisms used by the operating system for user profiles. One of these changes was to make roaming profiles more explicit. Roaming profiles allow users to log on to other systems in the domain and have their profile information follow them, They have been around for many years, and in Vista/Win7, Microsoft decided to make what follows a user, and what doesn’t follow a user, much more explicit. Hence, within a user profile in Win7+, there are now two different sets of folders: Roaming and Local. For our purposes, we want to determine where our browser artifacts will be located in this new file structure. Traditionally, Microsoft has included cookies in a roaming profile and excluded cache and history files by default. Thus, cookies are now found under the Roaming folder, and history and cache can be fotand within the Local folder. Similar to the steps required in XP, to see the Local and Roaming folders, users need to enable the Show hidden files and folders option and disable the Hide protected operating system files option within Folder and Search Options in the Control Panel. The second major change within Win7+ that affects us when performing browser forensics is the newly implemented Protected Mode.[l] This was built as part of Microsoft’s recent commitments to improving the security of the operating system and basically walls off most web browsing activities as if they were conducted by an unprivileged user.

©2017 Rob Lee

21

The idea is that if malicious code is run in the browser, it will not have the necessary privileges to cause harm to the operating system. Because not all activities using the browser will be unprivileged, a duplicate set of directories were necessary to store files from unprivileged use, called low folders. Even the Temp directory (not shown on the slide) has two locations (an unprivileged, or low folder, and the standard folder). An example of what this looks like in the file system is: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History. 1E5 (for

Low Integrity IE history files) This means that when conducting an investigation within Win7, it will be necessary to look in two distinct areas: the standard locations (medium and above permissions) as well as the low (low pennissions) folders. 1E7* has been updated to support Protected Mode when run on Win7 f machines. Most of our user Internet browser artifacts should be found in the low folders, but as we see with many things within Windows, artifacts are sometimes inexplicably stored in the standard folders, so both should be analyzed for completeness. There are also a couple of notable exceptions:

• • •

Local file usage is stored in the standard history folder (because it is not performed with restricted permissions). If Protected Mode is turned off, low folders will not be utilized. If User Access Control (UAC) is turned off, low folders will not be utilized. (It is required for Protected Mode to operate.) If the instance of IE is run with Administrator permissions, the low folders are also not used.

Before Vista, the primary locations for browser artifacts remained largely unchanged for the last 10 years. This is evidenced even in the folder names, with their references to lE5. The artifact locations for WinXP are as follows: History Files: %USERPROFILE%\Local Settings\History\History. 1E5 Cache: %USERPROFILE%\Local Settings\Temporary Internet Files\Content.1E5

Cookies: %USERPROFILE%\Cookies Bookmarks: %USERPROFILE%\Favorites

Reference [I] http://msdn.microsofi.com/en-us!libraryfbb250462.aspx

22

©2017 Rob Lee

Download History

-

C 00 ies

r ac1ke

H-ISOflf

!

•

•

•

•

%usERPaoFILE%\Appnata\Roing\Microsoft\windows\ IEDownloadHistory\

%USERPROFILE%\AppData\Roaming\Microsoft\Windows \ cookies %USERPROFILE % \AppData\Roaming\Microsof t\Windows \ Cookies\Low

Temporary Internet Files\Content.1E5 %USERPROFflE %\AppData\tocal\Microsoft\Windows \ Temporary Internet Files\Low\Content.1E5

• %USERPROFILE % \AppData\Local \Microsof t\Windows \

• %USERPROFILE%\AppData\Local\Microsoft\Windows\ History\History.1E5 e%USERPROFILE%\AppData\Lacal\Microsoft\Windows \ His tory\Low\History 12%

‘1$,

Metadata Stored in Indexdat Files

\AppData\Local \_crosoft\Indows\WebCaahe\ WebCacheV*.dat

I

:

• %USERPROFII1E%\AppData\Local\Microsoft\Windows\ Temporary Internet File s\Content. 1E5

%USERPROFILE%\AppData\Local\Microsoft\Windows\

b’O

Temporary Internet Files\Low\Content.I5

(

C Cl)

r.%U$ERPRQFILE% \AppData\Roaming\Microsoft\Windows’ \Cookies I • %USERPROFILE%\AppData\Roaming\Mierosoft\Windows \Cookies\Low

I

FQRSOO

OFIR

Windows Forensic Analysis

It wasn’t until Internet Explorer version 10 that some of the long-held conventions of IE artifacts were broken. Instead of a plethora of Index.dat files scattered throughout the various IE folders, metadata was consolidated into * a single database named WebCacheV* dat (the represents that there can be different numbers used for the database name such as WebCacheV0 1 dat). A new folder was also created to store this database: .

.

%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\

In IEIO, the locations for stored files remained the same as in previous versions of IE. For example, notice that

cached files are still stored in the Content. 1E5 folder. Perhaps the only major change from previous versions is that IEI 0+ is more rigorous with its use of the low integrity folders first introduced in Windows Vista.

24

©2017 Rob Lee

N) 01

CD CD

r

0 0

C

0 M

4J

0

0 0,

a

w

ft ft 0 ft

a

I 4.

i • %USERPROFILE% \AppData\Roaming\Microsoft\Windows \ Cookies • %USERPROFILE% \AppData\Roaming\Microsoft\Windows \ Cookies\Low

%USERPROFILE%\AppData\Local\Microsoft\Windows\ Temporary Internet Files\Content. 1E5 • %USERPROFILE%\Appflata\Local\Microsoft\Windows\ Temporary Internet flles\Low\Content IES

%tJSERPROFILE%\AppData\Local\Microsoft\Windaws\ INetCache\IE %USERPROFILE%\AppData\Local\Microsoft\Windows\ INetCache\Low\IE

I

• %USERPROFILE%\Appoata\Roandng\Microsoft\Windows \INetCookies • %USERPROFILE%\AppData\Roaming\Microsoft\Windows \iNetCookies\Low

DFIR

FOR500

I

Windows Forensic Analysis

Just when we thought the Internet Explorer developers had settled down, IE1 1 was released and made further *.dat database file is changes. Thankfully, from a metadata perspective, there were no changes. The WebCacheV still the keeper of all metadata information for IE. The major changes that occurred in IEI I were in the data storage locations. Both cache and cookie files were moved into different folders (INetCache and lNetCookies respectively). Cookies had an additional change by being moved under the Local folder. (It was previously kept in the Roaming folder.) This is a good lesson for those of us who have been doing forensics for a while; you can never sit back and rely on your previous

knowledge. If yoti do not keep upto-date with the frequent changes to the operating system and application artifacts, you may fall victim to making incorrect assumptions such as, “There were no Internet Explorer cache or cookies files found on the system.” To make matters worse, browser forensics often greatly lags behind the state of the art, and our tools often break with the latest browser versions.

26

©2017 Rob Lee

— U) o

— U)

UI

‘e

‘C

0

0 ‘0

0 t

itt

itt

‘H

‘H

—

o

— Ø 44 0

4.) 44

4.) 44

o

0

U)

0

o ‘H

o ‘H

U) 0 $4 U ‘H

—

0

4J

44 U)

0

U)

$4

$4 U

$4

v-I ft U

II

ri

ft U

o

ii — ft 4.) ft ci

0

— ft 4) ft ci

ft 4H ftt11

4

— *

——

fl

rzlrznzbo

0

z

v-I

ft U 0

“4

ft 4) ft ci

0

r4— tim tim H HG) fr’H

4H4,.4 H.-’ H.-” t4ØfZ4Ø

o:os 00

OM

Ut)

040 c)

0000

00 00

4fUø4lt

•

1 4

0)

I

I

ab2Jos ©2017 Rob Lee

27

Excellent for profiling Internet usage! • Records websites visited by date and time: • Details stored for each local user account • Records number of times visited (frequency) • Also, tracks access of local system files

• Used by browser for auto-complete Stored in multiple Index. dat records (1E4-1E9) or in WebCacheV* dat file (IEio+) • Registry determines time span of records kept: SOFTWARE \Microsoft\Windows \CurrentVersion\ Internet Settings\URL

History

• Trivial for user to clear/manipulate FOR500

OFIR

—

Windows ForencicAnalysis

Internet Explorer history can be a spectacular benefit to the forensic investigator. IE neatly tracks all the websites is visited during the entire time span it has been requested to do so. The default number of days to record the history registry. -> Windows the or via Options) Internet (Tools 20 days, and this value can be changed within the browser Should a user choose the “0 days” option (essentially turning the history feature off); a history is still kept while the user is logged in but is deleted upon system shutdown or upon carryover to the next day. If no activity is accomplished on a given day, no daily history file is created. The history time span is stored in the DaysToKeep value within this registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\URL History History information can tell an investigator:

•

What sites have been visited in the last X days (X being the number of days the history is set to record) What files were accessed on the system in the last X days

•

Flow many times each site was visited (frequency information) The user account that was used to visit the site (history’ information is stored within a user’s profile)

•

The specific time the site was last accessed

0+. * This information is stored in a database file named Index. dat in 1E4-1E9, or WebCacheV dat in lEl primary Its investigator. the benefit Like most trace evidence in Windows, this feature was not created just to purpose is to query the website history to suggest websites on the URL bar of the browser while the user is typing (to save the user from having to type the entire address of frequently visited sites). Users can clear their history through the browser or by deleting individual history files in the hidden “History” directory. .

28

©2017 Rob Lee

26

For Review: IE 4-9 Index.dat Databases

Traditionally, to understand browser residue within the Internet Explorer application, it was critical to understand the index. dat database format. This format was used extensively in IE versions 4—9 and hence was in place for more than 10 years. It was used exclusively by the three most important browser artifacts: history, cache, and cookies. Although all index.dat usage was replaced with IEI 0, investigators are still likely to run into them on older systems that have not been recently updated. lndex.dat files are stored in binary form, meaning that special tools are required to decode their contents. This also means that basic text searches run on a forensic image may not identify relevant hits within these files. Although the name index.dat is used by history, cache, cookie, and download history databases, the files themselves store different information, reflecting the different artifacts they are responsible for. Most forensic stiites have viewers that decode the files, and many open-sotirce tools exist as well. It is common to have to review a large number of index.dat files on a system, particularly if there are multiple user accounts and there has been a lot of Internet usage. Most will be related to user activity, but some will be located in the default and userdata directories, reflecting system usage. It is also possible to find old index. dat entries in unallocated space. The directories used to store index dat files may be hidden, system-level directories, such as History. 1E5 and Content. 1E5, which cannot be viewed from the Windows graphical user interface. Forensic suites or the command line can be used to export/review these files. .

A great advantage to the investigator is that it is quite difficult for a user to remove index. dat files. The web abounds with questions from users asking how to delete these files. Because they are used by the Windows operating system as well as by the browser, they are “locked” on boot and thus cannot be removed using traditional means. However, tools within the 1E browser itself can clear entries within the files. IE History and Index.Dat

in older versions of IE, history information is stored in a folder named History. 1E5. It holds a series of subdirectories named according to the following convention: M$HISTO1 For example, MSHist012O131205201312O6 equates to the history folder for records from December 5, 2013, to December 6,2013. The graphic below shows the folder layout with two “daily” history folders and two “weekly” history folders. Daily history content is rolled up to the weekly folders after the sixth day. When this rollup occurs, the index dat files in those directories are updated accordingly. .

In 1E4-1E9, each history folder has its own index. dat file, which is a binary database containing all of the history records for that period. A “master” index. dat file is present in the parent History. 1E5 directory and contains most of the history records present in each directory. However, replication is not perfect and for a comprehensive review, it is important to review all the index. dat files present in the various directories becatise sometimes daily or weekly entries do not get propagated to the master index. dat file.

©2017 Rob Lee

29

Virtual file listing showing human readable folders

Lnde —

—

—-

L_

MSHistO1Ii%O1%fl%%

MSHistOl%Oi%fl%%%013113O MSHistOl%O1%1%0320131%04 M$HistOl%0131%O%%0131%O%

Weekly Index4at for: November 16, 2013November 23, 2013 Daily Indexdat for: December 5, 2013

The history folders used by older versions of Internet Explorer are still present even though they are unused in the * latest versions of the browser. In fact, you will still see them referenced within the WebCacheV dat file, likely for backward compatibility purposes. ,

When viewing these folders via the Windows Explorer GUI, you see a History folder, which does not actually exist and is only a virtual directory. Windows parses the information stored in the IE database to create an easy to review, virtual set of directories encompassing the days, weeks, and sometimes months of history records. The virtualized directories “Today,” “Friday,” “Last Week,” and so on do not exist on the disk and are populated from actual directories with names such as MSHistO12O1312O52O1312O6. The image below shows the Windows Explorer GUI contrasted with the same view from the command line. For the former (image on the left), the history directories within History. 1E5 are parsed by the operating system and displayed in a series of user-friendly virtual directories, starting with Today and continuing on to previous days and weeks of activity. No MSHIST*, container dat, or index. dat files or folders are shown within the GUI interface, Interestingly, a knowledgeable user can go into this virtual directory structure and selectively delete history entries, which are subsequently cleared from the IE history. .

Viewing the History. 1E5 directory and its child directories cannot be accomplished ia Windows Explorer (on the a live machine). Instead, the investigator must use the dir /a command from the command line to force all disk, on exists files and directories to display. The Command Prompt image shows the history information as it These are the folders you should expect to see when doing an analysis of a forensic image. Notice that this listing has been taken from a system running lEl 0+. Index. dat files (1E4-1E9) have been replaced with zero byte container. dat files, which are now placeholders for the history data that is actually stored in the WebCacheV* dat file. In fact, these folders likely exist only for backward compatibility because no data is actually stored within them. The desktop. mi file maintains the folder options, namely hiding these directories .

from the user.

30

©2017 Rob Lee

Wmdcv

i

1024 1033 .%ppCach Burn Explorer GameExplorer ‘

History 3 Weeks Ago ZweeksAgt’ Last Week Monday

Directory of C:\Users\chad\AppData\Loc1\Microsoft\Windows\History\ History. 1E5 12/05/2013 12/05/2013 03/17/2013 03/17/2013 11/17/2013 11/25/2013 12/02/2013 12/02/2013 12/03/2012 12/04/2013 12/05/2013

Tuesday

10:09 AM

10:09 AM

07:05 PM 0 containerdat 02:08 PM 145 desktop, mi 03:57 PM

MSHistOl%013111120131118 10:34 AM

MSHistOl%013111$%0131125 10:24 AM

MSHist0l%01311%520131%02 10:24 AM

MSHist0l20l2I%0%20131%03 06:5% AM

MSHist0120131203%0131%04 07:07 AM

MSHistOl2Ol3l%04%0131%05 10:09 AM

MSHist0l%0131%05%0131%06 2 File(s) 145 bytes 9 Dir(s) 17226%076,416 bytes free

Wedresthf Teda

History Index.dat Timestamps Timestamps used by the 1E5-1E9 history index. dat files can be conftising and could potentially lead to false assumptions being made. The index. dat file structure maintains two timestamps for each entry. As we now know, a given collection of history files will consist of multiple index. dat files. We have the master index. dat located in the History. 1E5 directory, and an index. dat file for each of the daily and weekly directories. For whatever reason, Microsoft has allowed history tirnestamps to vary according to which index. dat file they are stored in. The table below shows how each type of index dat file displays time slightly differently. This is particularly important when trying to match up entries in a daily or weekly history (where time is kept in local machine time) with the master index. dat, which stores time exclusively in UTC time. The moral of the story here is to always know where your index. dat file came from before doing your analysis. .

Last Access (UTC)

Last Access (UTC)

Daily History Folder

Last Access (Local)

Last Access (UTC)

Weekly History Folder

Last Access (Local)

Indexdat creation time (UTC)

Additionally, keep in mind that if you are viewing history entries using the Windows Explorer GUI (on a live system), the time shown there will be the last access time in local machine time,

©2017 Rob Lee

31

• Most important file in IEio+

• Replaces index.dat files and stores data for nearly every IE artifact

• New format: Extensible Storage Engine (ESE) • File name varies: • WebCacheVoi.dat • WebCacheVi6.dat • WebCacheV24.dat

• Legacy folders still exist (Histoiy.1E5, ContentjE5)

• Containerdat files in these folders appear to be placeholders • Actual metadata is recorded in WebCacheV*.dat file FORSOO

Of IR

J

Windows Forensic Analysis

With the introduction of Internet Explorer 10, the lndex.dat files examiners have relied upon for a decade vanished, only to be replaced with a new “.dat” file: WebCacheV*.dat. The filename of this file varies (for reasons unknown), but its location is always within %U$ERPROFILE%\AppData\Local\Microsoft\Windows\Webcache. It consolidates a vast amount of data that was previously stored in multiple Index.dat files spread across the file system. You shoctid expect to find lE data from history, cache, cookies, DOMStore, download history, and even the ieflipahead cache. The database for this new artifact is based on the well-known and documented Extensible Storage Engine. This is the same database type as is used for Exchange as well as features like Windows Search. Robust, crash-resistant databases are used for datastores from 1MB to I T3.[’l Similar to what we saw when Firefox made the transition to a more reliable database (SQLite in F irefox v3), more data than ever is stored in this central storehouse for IE data. Do not be fooled by the existence of container.dat files present in familiar folders on systems running IF 10+, Although History.1E5, Temporary Internet Files, and Content,1E5 still exist, the metadata for this files have all been rolled into the WebCacheV*.dat file. We cover individual artifact usage of this database in upcoming sections. Reference {I] hftp://msdn.microsoft.com/en-us/library/gg269259(v=exchg. I 0).aspx

32

©2017 Rob Lee

Containerld

j Identifier for each table assigned to an IE artifact

LastAccessTirne

[Last update time for table fvpe of table ( “Histoiy”

Name Directory View

ta

Optiona

ii

cntanend

Tirari

Ltet

d.

1

•.

Name PM

1-

1 D’D.P I 1 wI -

c

I 3

la’2’ 2 Ct 2

1

IE Historv

Help

S,1

‘‘

-

Location of artifacts in the file system

j

Edit

File

—

Ce t r

rntent

(b er ConaI ippD I

ompat nip ma

I

I C t L Ap I.

M1er

Iber DonelitA

U

0

il

It ci It

.11

1

ind ewdc 1 rid

t a b P mpa

mpatua

‘i

ffirtoft Freeware. htipthcc,cw.nweoftnet

—i

OFIR

FORSOO

I

Windows Forensic Analysis

History information in IEIO+ is stored in an Extensible Storage Engine (ESE) instance named WebCacheV* dat. The ESE format is well known and there are several available parsers for it. One of the best free tools for parsing ESE databases is from NirSoft: ESEDatabaseView.[11 After opening the database, the first thing an examiner should know is that many artifacts store data within the WebCacheV* dat file. Data is separated into a series of tables, labeled as “containers” within ESEDatabaseView, To see a list of available containers, select the “Containers” object from the dropdown (shown with an arrow on the slide graphic). This will provide a listing of all available tables and associated metadata. .

.

Each container is referenced via a Containerld. In the example shown here, the History table is known as Containerld 4. The “Name” field indicates the type of data stored within each table. “LastAccessTime” indicates the last time the table was updated (sometimes the time column labels are misleading). The final column of importance within the Containers table is the “Directory” field. This provides a reference as to where (and what) the artifacts in a given table pertain to. In some cases, this information is largely legacy. As an example, lElO± history information is no longer stored in the “History\HistoryiE5” folder. Instead, all history information is contained within WebCacheV* dat. However when we discuss the cache, we will see that this is not the case, and the actually cached files will be located in the folder referenced within the “Directory” field. .

There are many more fields to the “Container” table than we have covered here. However, the fields identified on this slide are the only ones needed to navigate the database. Reference

[1] http://www.nirsofi.net/utils/esedatabaseview.html

©2017 Rob Lee

33

Containerid

i

Edit

View

=

Hdp

55, I4Cournrs3

i

Options

1

“I

I

Identifier for each table assigned to an IE artifact

LastAccessTime Last update time for table Type of table (“History” == IE History) Name Location of artifacts in the file system Directory Me

3w Containers rabe1D

1. 1

Directory Name

4’

LastAccersTime

1?.’

C/ Users\DonalthAppData\LocakMicrosoft’ Windows INetCache £ C:\Users\ DonalchAppData’ Local Microsoft’ Windows\ EcompatC ache C:’ .User&’Donald AppDataloca[ MicrosoftWindc:s/iecompatuaC ache ‘:/

10/22/2013 7:25:38 PM Content 1022:2013 10:10:M PM iecompat 10:23 2012 3:03:21 AM iecompatua

C2/sers’ Donald ApFDat&Lccaf Mrosoft\Windchs’VNetCcok:es’ C: Users\Don&cf AppData\Locaf Microsoft\Windows\NotificationC 8e5300f4

V

1 2 3

1012212013 9:4220 PM 10 22/20139:41:11 PM

Cookies wpn:dm

5 6

Containedd

Hr

a) a)

0

-J

0

C C’]

(0

ModifiedTiine AccessedTimc AeeessCount Url

I ‘irst access tinw object refri enc(’d in URL field Last access time object referenced in URL field Number of times URL visited Resource being accessed (website, file, or other object) Ga

ESDatbaeV.w.

—

ndo’Wd,CadeWW.

I

S55

Di;.

S

.1

.5r—.tf.;.’.

—

-

,

S

..---

—

.

4-’

——

.

_

—

—

-

.

.

—.

‘S

‘..t’

Din

FOR5O

Wrdewc Forensic.AnaIys

After a history table has been identified in the database, you can view the contents of that table by finding it in the drop-down located at the top of ESEDatabaseView (highlighted in the slide). In this example, we chose Container 4 and now have a table full of IE history information to examine. This is exactly the same type of information you would have seen in the Index. dat files used by previous versions of Internet Explorer. Although the table has many columns of information, focus on the following:

•

ModifiedTime: Provides the first time a given object was accessed, AccessedTime: The last time a given object was accessed.

•

AccessCount: This value tracks the number of times the object in the Url field has been accessed. (**)

Although sometimes useful, be aware that there have been inconsistencies identified with this artifact in most versions of Internet Explorer. ‘

•

Un: This is the resource being tracked. As you might expect, URLs of visited Internet sites will be present, but also keep in mind that JE is deeply embedded in the Windows operating system and hence tracks much more than jttst websites visited. In the slide, we see Web URLs, file access from the C:\ drive, SharePoint access, and even Microsoft Outlook activity.

References [I] http://blog.digital-detective.co.ukI2O I l/12/hit-counter-accuracy-caveat-emptor.html [2] http://www.nirsoft.net/utils/browsinghistoryview.html (see Known Limitations and Problems section)

©2017 Rob Lee

35

• L4

ni a

a

5,

0

a

-en —n

lip

—S —t

*

-s

Cal

az

r

m

I

a

a,

zr Ct C Cl,

5,5,

oB

V

d non fl CD Qorn

-J

Os

01 tL

cx3

23 5,

CD CD

4

nO Ii

a

CD lii

5

—

St

r

n\rro =en

to

0) cTu, Cl) CD

5,

-

-‘

CD — ooO

—

,

o

D

00)

5

fl

a on aa gz

m

‘S

S It

o S

5-

e

5,

36

©2017 Rob Lee

r

a

d

to

.,

C

sf t

rj

st 1. 1’ 22 ...

14

C5j

Each artifact may have multiple tables to account for “Low” integrity data, Windows 8 Modern Apps, etc.

‘it 13 341.10 Pt 13 41 ‘Ptt 17 1P

Hot r, Htor

tUI44fUt WUU4tM

Ht ecompat

26

10/23/2013 3:03:21 AM 10i21/2013 7:25:21 PM

tedowr4oad

I[E:

18 141

1021’20tS822PM 10 22/20134:29:03 PM

MSHst012013102i20131022 I MSHit3120i31022Oi31023j

::

108

1U21!2313 7:25:21 PM

UserData

‘‘

lfli2flI2

4

:29

ecompatua

7fi7’l PM

8/12/2013 12:24:35AM

M$Hist tables record data similar to legacy Index.dat files (used for backward compatibility)

OFIR

FORSOO

Wirdows Fore sicAr alysis

Although not surprising to veteran forensicators, it is important to note that there will often be multiple tables used to store data for each artifact. in this example, we see three History tables and two additional tables labeled MSHist. if you flip back to the IE Data Location slides, this may make more sense. The introduction of “protected mode” integrity levels in Windows 7 has created the need for different data stores. IE instances running at the Low integrity level do not have permission to write into files used by the Medium or High integrity levels. In addition, with the move to Windows 8, there are even different types of Internet Explorer applications: the desktop version and the “immersive” Windows $ Modem UI application. You may also encounter one or more MSHist tables. These appear to be in place for backward compatibility, apparently to populate tile virtual History folder on live systems, and history data does get stored within them. (Interestingly, data from both the desktop and Modem versions of IE gets recorded in MSHist tables.) You can determine what type of data each table is storing by referring to the Directory field (not shown here). History data does appear to be replicated between some of these tables, including from the Modem application to desktop IE and between the M$Hist files and tile desktop lE container. However, this replication does not appear to be perfect and hence it is currently necessary to review all applicable tables to ensure a comprehensive review.

©2017 Rob Lee

37

—

Contalnerid

S

S

Name

Lastkcces;bme

-t

2 3 26

4

—

DRS I 411

1

—4

-4

--4

1)0

.4

24cp

J

.cd

‘0

•1 t

1’t

1tti nit

nv

in

29 t

38

©2017 Rob Lee

I

• IE History also records local file access “Compute or ‘This PC’ in Windows Explorer • Does not mean file was opened ro ser Stored in database as: file: ///C: / J’:r-fce

f

_.

DHR

FORSOO

I

W r dows FLiensic Analysis

A little-known fact about the IE History is that the information stored in the history files is not just related to Internet browsing. The history also records local and remote (via network shares) file access, giving us an excellent means for determining which files and applications were accessed on the system, day by day! The remote file access can be particularly interesting because it can identify other volumes used for file storage such as removable media or network shares. In this example, four files were accessed by the user on December 3, 2013 (“Tuesday” as seen in Windows Explorer). Notice that within the Windows Explorer GUI, local file access is recorded under the virtual folder, Computer. Right-clicking the entry stored there will give the file path. Local file access is recorded in the index. dat file (1E4-1E9) or in the WebCacheV* .dat in lEl 0+, similar to Internet resources visited. The following is how these entries would look in the WebCacheVOl .dat file: Visited: sansforensics4O8@file:

I/IC:

/Program%2OFiles%20 (x86) /RecoverRS/RecoverRS .pdf

Visited: sansforensics4O8@file:///E:/LogFiles/Arehive—Security-2013-1O-2302-56-18--616 evtx .

It is important to note that seeing these entries in the database does not necessarily mean that the file was opened

within the IE browser. It simply indicates that the file was opened without giving any information as to what file viewer was used.

©2017 Rob Lee

39

p

pn

—

IF%

Ft

-A t/

Tua1

compu

Windows

4

N

1024 :;

Ii

Application Shocuts

Ii

Burn

I I:

Caches

j

GameExplorer

1

History

4

3 Weeks Ago

Ii

Last Week

-

1 H

Monday 4

Tuesday cnn (nw.cnncom)

N

Computer

H

tmsn tmsncom) ‘,

F1 4

wired (wmtwired.com

Wednesday

cnw

Wi

40

11H

ne:smsn (ney,s4msn4c

N N

1

Explorer

I

N

H cF::;.

103%

IIr

t-w1F WtFt

F*

02017 Rob Lee

I

up’

Visit Time 1

.

1..

.i

‘.

1

,.

r.htt. hdpi http: h11’skuccL -.

..

;m

htti:! ug.Nud.s :on •

fl

1

.l-’ju1. hc

In-fr.

.rnlCr

tr run di Jesnu1 1Vitet1nmfr. 1hInt.

in c lIe

1

..-t -Iun-Ju -Jenur

..1...

ir.

_t1

.

t

.

‘...

nd:

n

hr.

:

Vi 41.1

1’ 13

..

..t

.

t:Vi11 41.1

‘i

1’ijn..,

rsi f

.

Visit Count

:.

I

..

1

—.

1.

/

3.1

tJ_

111

11

.1efltt

1tts

I

rufte uSIa_.rc m Sc ‘•n.sa. 1 So htls: SlIlla 1nl_1cc:ftenSre. a Sc un: If; i—f htn’ SrJr.n;:tc.rfk nSn CCII -IC. c ncr

..

nfl ..

.,—..

.5

i-Vt ..;SJIeC

s.

:sJ

5 -h5

.

S

i.it

cignil sQala

I

(1.1

_

:E &rvr

.C..ct

‘Et %tnsn.

C

I

.

.,

•:‘‘.

:1

-

tm

cd

.11

r

‘,fI

r

-

ro.

P

-

1.

1

1? Vi’ 1

...

.

12 P lI12

.1’: .

41

P : 1.1 11: 41.1

12 1

1.1

tn

http: //www. nirsoft.net/utils/browsing_histoiy_view.htrnl FORSO I Wi.id,ws Furens A alysss D flJ Although it can be useful to peer inside of the WebCacheV*.dat database, it is not always necessary. NirSofi was perhaps the first to release a browser forensics tool capable of parsing the new format. BrowsingKistoryView parses lE4+, Firefox 3+, Chrome, and Safari, all in one package.[’] In this example, we have used it to parse the Donald account’s WebCacheVO.dat file. Although this tool will roll multiple ESE history tables into one simple view, be aware that it pulls data from only those tables named “History” and does not gather data from the MSHIST* legacy tables. This ordinarily isn’t a problem because those legacy tables should be replicated in the History tables, but if you have to be absolutely sure, it is always better to go to the source (hence why we learned how to parse the database). Notice that the example on this slide is of the same time period witnessed in the ESEDatabaseView slide. The data is different for two reasons. First, we see duplicates indicating that the same history entries were stored in multiple different tables. (BrowsingHistory View does not show the table the data was taken from.) Second, in the previous example, we saw data only from one table (Container 4). In this example we see contemporaneous events from multiple tables sorted together. This capability to pull data from multiple tables and display in one view is a big advantage of this tool. Reference [Ii http://www.nirsofi.net/utils/browsinghistoryview.html

©2017 Rob Lee

41

Mz

Is

r

E. (p

I

C

-,

a

-

a (p

ti.t

•

n t

t

I

11

Itt hi: E

ti

I ;t

r m

1

m

—

—

*

—

*1

•1

Ic

_3

N N

3

I

t

LI

rt

0 C rt

42

©2017 Rob Lee

DFIR

FORSOO I Wit dow ForenscAnaIysis

This page intentionally left blank.

©2017 Rob Lee

43

13

• The cache is a place where web page components can be stored locally to speed up subsequent visits • Gives the investigator a “snapshot in time” of what a user was looking at online: Identifies websites that were visited Provides the actual files the user viewed on a given website • Cached files are tied to a specific local user account • Timestamps show when the site was first saved and last viewed

• The cache is not a complete record of every page visited • Can contain a massive amount of data o

Default cache size

=

25

MB f0R500 I Windows ForensicAnalysis

DflR

The Internet cache works to speed up the web surfing experience. It takes advantage of the fact that items stored locally (that is, on the hard drive) load much faster than items that need to be retrieved from a remote location stich as a website. Thus behind the scenes, the web cache is constantly stockpiling content viewed in the web browser and archiving it for future use, Whenever a web request is made, the cache is first checked to see if a current version of that page or image exists, and if it does, it returns the locally cached version. It is particularly effective when the same sites and resources are requested frequently. For example, when you press the Back of button on your browser, yoti are almost always accessing the cached version of that previous page (instead One files. storing for cache the utilize also may applications Other thing). entire having to redownload the prominent example is Outlook Web Access, which stores opened attachments in the cache directory. The cache is an excellent tool for profiling user activity, particularly when used with browser history information. the The cache is tied to a user account, storing its files within the user’s profile folders. Because the cache stores what on information gather and site the on saw user the what reconstruct can actual page content, the investigator activities were taking place. For example, in the case of a web-based file backup solution, the history files would the tell us that the user accessed the site, and the cache files may provide us with the actual HTML pages listing filenames of items stored. In general, the larger the system volume, the more cached files we should expect to find. By default, 1E6 allocated 10% of the system drive to store cached files. 1E7 defaulted to 50MB of cache space up to a maximum of 250MB. l/256t1 of Starting with 1E9, the browser dynamically chooses the size of the cache according to drive size, using total disk capacity up to a maximum of 250MB. However, the IE cache is limited to tracking approximately 60,000 objects, meaning a user may reach the maximum number of objects before exhausting the storage capacity,1) Regardless, expect to find a large amount of data and to use metadata to help narrow your focus. Reference [IJ http://blogs.msdn.com/b/ie/archive/201 1/03/I 7/internet-explorer-9-network-performance-improvements.aspx

44

©2017 Rob Lee

44

The cache is dynamic and files are often swapped out via expiration or to make room for newer content. Thus, it cannot be treated as a complete record of every page visited or resource requested. In addition, part of the HTML standard allows sites to specify that their content should not be cached (no_cache_write option) Web applications such as Google Mail do so to provide an extra measure of security for users.11 Reference [1] hftp://msdn.microsofl.com/en-us/library/aa3 83928(VS.85).aspx

©2017 Rob Lee

45

lEli

IE54E10 Temnorarv Internet Files

II

IE

Content.1E5

-

L,tiH

t)JLlJPkt)

ASS4XIi. I(

DBO( T3SX

1TQ51J 15

H07B61)Q6

9BFFONTT

L7BUI)BFiNI

KISCK3 VX F

fl FII

5

“

‘/‘r. ws “o

I An. isis

The cache uses a series of folders to store its data on the local system. In Win7 and Win8, these folders are under the famed Temporary Internet Files folder, full path %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files. This

folder has been in place since at least 1E5 and is the parent to several hidden folders that contain the actual cached content. Prior to II, the Content. 1E5 directory held an index. dat file, which provides the metadata for each cached file. In IE1 0 this file was replaced by the WebCacheV* dat file located elsewhere. A series of at least four directories sits below the Content. 1E5 directory. In systems with a lot of browser usage and/or large caches, the number of directories can be much more than four. These directories are named in a pseudo-random fashion for security and kept track of by the metadata database (Index.dat orWebCacheV* .dat). Each directory contains a part of the overall collection of cached files, Cached files are renamed by appending a .

bracketed number to their original name to ensure name collisions do not occur (that is, facebook icon [1] gif for the first saved copy of an image named facebookjcon). Any time a change is made to the cache files, the metadata cache files are updated accordingly. .

In Windows 8.1, another change to the cache was put in place. The Temporary Internet Files folder was replaced with a folder named INetCache, full path %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\. Similarly, the Content. 1E5 * folder was replaced with a folder simply named IE. The Windows 8,1+ cache uses the WebCacheV .dat file for metadata.

46

©2017 Rob Lee

Hidden I

I

:

I

rn

( C,,

Hidden I

I

rn +

©2017 Rob Lee

47

Filename/FileSize SecureDfrectory AccessCount URL 1

ASERC3TQ5Ut5FFCNTTk131%

Content

f34nme fotder[1 ]4pf

J

Name and size (in bytes) of cached file on disk Location of file within cache subdirectories Number of uses of cached content Origin of cached content

rs{1bxmt Th&21a1tDreyCcmpnhwetorRe.. tcao(i]cif

FeSze SecurDwctory AcceLount 3 3411 2333 52)

1 3 2 3

i0nite4___

4 14 1Th

I

Urt http ‘asgrd nturecaput sharpcntcorn/Jayouu 15

htt”!rnvctorsharhctct&comconimcrMeftAMD44J5E tAVrn0ftetJ

OFIR

FOR500

Windows Forensic Analysis

Starting with II, the cache metadata was moved to the WebCacheV* dat file within the .

%USERPROFILE%\AppData\Local\Microsoft\Windows\Webcache folder. This new database stores metadata for many artifacts, so we first need to identify which tables (containers) hold cache data. This can be done by reviewing the Name field within the Containers table. In the example on this slide, we see Containerld 1

is used to hold metadata for the C: \Users\Donald\AppData\Local\Microsoft\Windows\INetCache\IE cache folder. This is the default “Medium integrity” location for cached files in the desktop version of Windows 8.1 IE. Opening up the table shows the metadata stored for each cached file. There is much more metadata than we see on this slide (including timestamps), but the following information is important to determine if it is necessary to look further: •

Filename: Name of the file as it exists on the disk. Cached files are renamed by appending a bracketed

number to their original name to ensure name collisions do not occur (that is, facebook icon[l].gif for the first saved copy of an image named facebook icon).

•

FileSize: File size in bytes of the cached file on the disk.

•

SecureDirectory: This value is how IE tracks what cache folder the file is located in. Recall that the cache is made up of four or more pseudo-randomly named folders. These folders are not predictably named for security purposes; Windows does not want a website to predict where files will be stored locally. In the

Container table, each Content table will have data within the SecureDirectories field. This field concatenates all the cache folder names together. Because each cache folder will be eight characters, this cache shown in the slides has folders named ASS4XERC, 3TQ5UVI5, 93FFONTT, and KI 8CK3WX. The SecureDirectory field within the cache metadata table (Container 1 in this slide) identifies which of these folders holds the content. For instance, folder[1.gif is located in SecureDirectory #1, so it will be found on disk within cache folder ASS4XERC.

48

©2017 Rob Lee

48

•

AccessCount: The number of times the cached content has been used by the browser.

•

URL: Probably the most important field; identifies the origin of each cached content, including a full URL path. Sorting by this field provides an easy way to scan for relevant content.

Older IF Versions

Prior to lEl 0, the index. dat file was the brains behind the IE cache. Similar to what is now stored in WebCacheV* dat, it provides the metadata that allows us to make sense out of the seemingly random files stored by the browser. The first priority for the index. dat file is to track the caching structure so that it knows which directories are allocated and holding cached files. Every time a new directory is added to the cache, the index. dat file is updated. Similarly, the index. dat file is responsible for mapping the files stored in the cache with their original website locations. So if a browser request is made for the index page of www.cnn.com, the index.dat allows the cache to be quickly searched for any locally stored files pertaining to that page. .

The final role for the cache index. dat file is to store metadata for each entry. The following are stored for each cached file: •

Original URL address

•

filename and path of the cached file (that is, the cache directory it is located in) Type of cache record (URL, LEAK, REDR, and HASH)

•

•

URL is the most common type and indicates a cached entry triggered by a website visit. Most of the information relevant to an investigation will be gathered from this type of entry. LEAK is not documented by Microsoft, but it appears to be caused when IE fails to delete a cached file that is locked by the operating system. It indicates a valid visit to the recorded site.

•

REDR means an entry was created due to the website redirecting the original request to a different page or web server. This tends to be for informational purposes only; files are typically not cached as a result of a REDR entry.

•

HASH is an entry used to store a part of the hash index for the index.dat, allowing faster searching of the file. The bigger the index.dat is, the more HASH entries it will maintain. HTTP header: The return KTTP headers are stored as part of each entry’s metadata unless the entry did not originate via a web request. These are stored by the system so that when a request is fulfilled from the cache (meaning a local copy is used instead of the remote copy requested), the original headers can be provided to the browser along with the cached file to provide a seamless substitution. Headers can sometimes provide an investigator more information about what was returned from the web server request. Timestamps

©2017 Rob Lee

49

Name

V

Name and size (in bytes) of cached file on disk Location of file within cache sub-directories Number of uses of cached content Origin of cached content

-

zJLL•Z_Z

I

https:’ asgardventurecapitaLsharepcintcom jayouts’ 15 imaIJ httpuJappsshaceholder.com rss rssaspx?channels=4IS8&corI hftp:ffeedsJeedburner.com/The\’ aRDsne Companyinsesto! http rn’ etor shareVolder corn comnn alefte .J lDtJ5Bd

010

SecureDirectories

4 P4 175 5

10 J±1ftu1S1I

Directcrv

Jt.

ASS4(ERC3TQ5UV159BFFCNTTKISCK3WX

Help

I 3 2 2

!!rfei

CdeSe SecueD redoçAcceCnsrnt

JtnrfnIrr1rnrrrn001_IIIT0iJflIJr.

162,2% Columns]

Options

Content

Vie?; =

-

nrmmnrr ijinrin

JtLff1L:JL,:

C:\Users\Donald\AppDataVLocal\Mkrosoft




A final set of registry keys records what browser artifacts are being synced, and where they are being stored. This information is stored in: SOFTWARE\Microsoft\InternetExplorer\Capabilities\Roaming

Beneath this key are subkeys for “favoriteURLs” (bookmarks), TypedUris, TabRoaming, AutocompleteFormData, and Wininet (history information). Each subkey records: File system location (often using KnownfolderlD values) Registry location (if applicable) Relevant parameters (for example, the Wininet subkey identifies that history entries are prefixed with “Visited:”

©2017 Rob Lee

93

For example, notice the values stored for the Winlnet key showing where and what is recorded for synchronized history within IE. —

Registry Editor

I Favorites

File Edit

a

Help

FileAssociations ilMEAsscciations Roaming AutocompleteFormData DomainSugoestion FavonteUrls FhpAhead FormSuggest

‘‘

Name

Type

Data

iuefauft S>6jmtialApplyCo...

REGZ REu5Z

Knov;nFolderld

PEG 2

o’alue not set t> IImdowsSystems2usumiLexe lnitHistoiyRoamin; (DDC2A3B-BT24-432E.A72l5A112o

PEG D lPararnValue PEG SZ asse... ‘4>WindowG 4> Uuitef< REQSZ o

:

D..DD.e 0; lEFrameimmersiveWorkerWindowCbss Visited

StartPage TabbedBrowsing TabRoaming ThirdPartyCookies TrackingProtection TracbngProtectionExceptic TrackingPrctectioniists TypedURLs

vI: Ccmpute%HKEVJ.OCALJvIACHINRSOFTWARE\Mkrosoft\lntemet EVploreACapabilities\Roaming\Winlnet

Note that the KnownFolderlD shown represents %APPDATA%\Local\Microsoft\Windows\His (a virtual folder populated by data from the WebCachev*.dat database).

tory

Similarly, we can determine where synced TypedURLs information is stored for IE:

File a

_nfl

RegistryEdilor

I Edit

View

Favorites

Help

Capabihties FileAsscciations MlMEAssociations Roornng a MutocompleteFormData DomatnSgge tion Favontedrls FlipAhead

A

Type

Name

REGSZ REG D... no ParamValue REQSZ 4>UREsRegPath 4> URlsTimeReg PEQSZ > iindovtlasse,,, REv St

abgft OW

Data

(value not set) Ox.VCOUvOI (u Softvar&MicrcsofOlnternet Expiorer’.TvpedURLs Sortware\Micrc oft Interne Eplo>er T pedURL>Tnre lEFrameJmmersi>eSvorkerVsindovCIass

StaitPage TabbedBrowsing TabRoaming ThirdPartvCooket TrackingProtection TrackingProtecticnEvceptic TrackingProtectionLrsts TypedURLs >

a

4>

s Computer\HKEVjflCAL)AACHlNE\SOFTWARFMicrosoft\lnternet EploreñCapabilities\Roamin\TypedURL

94

©201 7 Rob Lee

(

Roaming AutoccmpieteFormData DomainSuggestion FavoriteUds FlipAhead FormSuggest FormSuggestAskUser FuliScreenAllowSites PcpupBlockerAllcwList • PrivacyAdvanced • SearchSuggestion • SeMcePoweredQSA StartPage • TabbedBrowsing TabRoaming ThirdPafty Cookies • TrackingPrctection TrackingProtectionExcep TrackrngProtectionLists TypedURis • Wininet A view ofthe SOflIThfl\Microsoft\InternetExplor.r\Capabilities\aoaming key.

02017 Rob Lee

95

A IThal example shows where synchromzed bookmarks are stored fiw Internet bxplorer.

a

7t’.

C,

-

1 it)

mr

r

.1

1

‘-

ter.

r

a

tht

P

Note that the Known FolderiD shown represents %USERPROFILE%\Favor±tes Yoti may notice a trend in here the synchronized mt’ormation is tored. For Internet Fxplorer all of the s nchronized artifacts are stor d in exactly the same place as regular IE artifacts created on the current system! This can present significant difficulties in determining what bookmarks TypedURks etc. originated locally versus were saved due to s nchromzation from a different devic We II co er mor on this in a later slide .

96

c2017 Rob Lee

0 0

—1

0

0

ii j’

I nr n

tar arr dea st: y’ oas’ rs ant :ped R_s am s rce arcs s S:d: ;s F macnrc that c tsr-- sccron’. 0 tF IFIF a o 0mw s OF ct r cper tah Leccept rr ;n”irate tmsr; tabsi r se se0 ncr i a a sc syrcecs For mcre in’c abcot sy nrVg mar &es r Wroc•ris C see Yynni ; F am m o Ocr;

-H:?

I’

-

‘

‘“‘

No

Only home rages Nes

ser-configu’ed sett’ngs’preferences 2assvoros

as

aas

T

tes/Bookmarcs

story and typeo URIs

00W

4

Yes

es

‘as

TMes

a icr aN p’eviO 5 0 cc ‘s 80 ; ac’;res :; aprea’ r F ‘-ec1 sites c:it ‘-a;t-e ace p’ at 0;r mc; s tes t”o the desk:cp taskbar dc’t ncr- ard re;tner oc me sites yc. F to Apps e r Oi td F Start srtec a’tr ;r;e:,at E:pio”er 4c” sOc c’eshtrr s dna sOc Tools Y c sO H:” O02 site to Sync Lecture Internet Explorer 10 on Windows 8 IEU on Windows 8,1

c

: r a: :r is’

Rooming

,

http:’/slatecomi

fwEahedu Shift

Enter

Ssteiti 2

http:Ji tecem http1f3drobohcscom

! MSkJ

http tiOtercom/ httos:!snard’entsecaptmyharepcintcorn

—

Enter

httpilsve corn1 httpll3drobotKecom/ http:tttercomF

V

MSN thall ferguson The Shtdcsn It a Sdesho Debt Is the Threat P1anethunhng Kepler telescope faces sencus problems Science

httpei asgardventusecapitabmy.sherepoaxLccnY MSN

JameAleeander Outlock Web App

i4 System 1

Shft

http: sIatecom

Sign rn to your M,crosoft account NaII Ferguson: The Shutdcl n s a Suteshow Debt Is the Threat

Add

Jame Alexander Outlook Web App

—>

Add

h f0R500

OFIR

J Windows ForensicAnalysis

This slide shows an example of how IE synchronization looks between two systems. It can be difficult to determine which history, favorites, or TypedURLs originated on a specific system (as opposed to which artifacts were copied over due to device synchronization).

98

©2017 Rob Lee

Co

Co

C

3-

-

-

I

-

a a a a

)TS CIII

)amie Alexander Outlook 1kb App Sing jAdd

Niall Ferguson: The Shutdoxn Is a Sideshow. Debt Is the Threat Planet-hunting Kepler telescope faces senous problems Science

MSN

Shift + Enter

fl

fl knbsfd bthsedwaj

https: asgardventurecapitaI-rnysharepo;ntcom

http:f/titter. coin!

http: !3droboticscorn

http:/ li\ acorn

http:, slate.ccrn

Shift

Sing

-

Jamie Alexander Outiook Web App

Add

-

V

Enter

NiaIl Ferguson: The Shutdown Is a Sideshow. Debt Is the Threat

Sign in to your Microsoft acccunt

MSN

https:!!asgardventurecapital-rny.sharepo:ntcorn

http:!/twiftercomf

http:ii3droboticscom!

hftp:!!live.ccrn

http://slate.com.

Systeii’1 2

MSN

G

Watch Metric Crpton cf Pep% 3et Batd Wth 5 Ca Weapon IC Fttunt Phrases And Tm ThatAe rcrnpuz 8uI1hit

G [I

%zmodo Tech B Design

MSN

FORSOO

flfI

Windows Forensic Analysis

Internet Explorer II added TabRoaming to its list of features, Now in addition to history, bookmarks, and TypedURLs, the entire contents of each browser tab will be copied to every other device being logged into with a user’s Microsoft account. If you ever wondered why Windows $ is so insistent about using a Microsoft account to log in with instead of a standard user account, device synchronization is one of the biggest reasons. To access roaming tabs from a live system, open a new tab and toward the bottom of the empty page will be a list of hostnames of systems that you have previously logged in to with your Microsoft account. Simply choose the device of interest, and you can see the contents of that browser as they last looked on that device. Of course, if we can do this on a live system, that information must be stored somewhere,.,

100

©2017 Rob Lee

to

G 0

‘I

G

‘V

‘

IL.

? IL

-

Gizmcdo Tech By Design MSN

Watch a Metric Crapton of Peeps Get Blasted With a %0 Cal Weapon 10 Futurist Phrases And Terms That Are Complete Bullshit

icr

MSN

ci

Frequent

,

vi

—j

I

1

When a Microsoft account logs in to a second device, fabRoaming is aciivated. WA 31 ata°,\ 4oea \1V Ic osoft\’ n er ;etK

orer\’UahRoam g

F’

f0R500 I Windows ForensicAnalysis

U FII

devices running After a Microsoft account logs into a second device, the TabRoaming folder will be created on all you can see folder, Internet Explorer ii. This slide shows what that folder will look like. Within the TabRoaming the current to a series of GUIDs, representing each device that is being synchronized. One of these folders relates each of Within device as well and serves to store the local data that will be synchronized with external devices. information these device folders, you see a subfolder and a file named Machinelnfo.dat. Machinelnfo.dat contains you should about the device that this data belongs to. it has not yet been reliabty decoded, but at a minimum, (“5316” subfolder determine the hostname of the device as it is stored in Unicode text format within the file. The on Explorer in Internet in this example) contains a series of .dat files. Each .dat file represents a tab that was open device. that remote device, Parsing these tab files allow us to reconstruct what was viewed on the external

102

©2017 Rob Lee

‘°

£01.

n

cc

V.1

4..

cc

4

V.1

Il) 0.1

1%)

cm

n

V.1

V.1

C)

, cc

1X)

n

n

CC

41.1

V.1

C) cc

cc

V.1

V.1

40

Cu

41)

CO

C)

C)

V.1

0.1

cc

cc

V.1

V.1

41.1 CO

44)

Cx) cc

n

OrjqOjflQ©

V.1 V.1 a

j

Cx 0.1

Cu

1w

Cut

C)

ci

If)

1?

fl

f Il)

fl tO

Cu —n

10

.j

n

r

;;.

-r

1)

ti tj -J .,

-i

i

r

fl

o )--

a ST Vi Tt

to

!0

-

40

0

1)

vi

V.1

u

—-

(V

.

>0

0 ‘-I

0.1:4.1)

/

r

x

i

1)

C cc rn

4 *

°

1

-

CO

s-i

Z

In

COO

UJ3

.4

C)

2

1!

U

-

.

0.1 41

I

3 5*

2-’ ;:In

s-i

a

3

3-

10 C) 41)

C. -

CM U) — C—)

c

(

C) 1-

C

CO

U)

-

-

cM

t

-

‘1’ I

CO 0’

C

U)

-n

em :114Co

CO Co to

j

em

-

Co

Tab information is in Structured Storage Format 1

4 {7B473D07CG7511E34EB21 0

ci

F

.

Ajfx

A PTf

i

0 00 0 0

ii

iF 0

14

%R

53 1 0

t’fl foih

I 3t

it 0 O. U 00 0 0 .BU

ib

9 ih

A EA

I

fi FO 77 J EOi7000 610 b fl’ fBuO 0 F

t p Ii1

7

1

‘kH4

p

oro

P c,

n

Rd

6t00

I’ll

1

iJoj lou 0 nEdu 1761 uU’ S 0

0 fl j 0 fill C nfl Oll’ 00,1 0’ nO U flip ooo 0 U

J 110.

‘0 420 01

Li

I

n

B 1

n

ht

7

p

F

Hfli.

1

1

1.

b

n

E

0 U

1

‘ii

1

Page Ii

FOR500

DFIR

J

Windows ForensicAnalysis

Luckily, Microsoft used a well-known format for storing TabRoarning data, Structured Storage Format has been used for many years for a variety of Windows items, including older MS Office documents, Jump]ists, and Internet Explorer recovery’ tab information. Inside of each .dat file within the %APPDATA%\Local\Microsoft\InternetExplorer\TabRoaming\\ folder will be the contents of a given tab on that device. This slide shows MiTeC Structured Storage Viewer being used to parse a given tab. We can determine the creation time of the tab, how many total sites were visited within that tab (the number of streams), the URLs and page titles for each visited page, and the order that the sites were viewed in.

104

©2017 Rob Lee

104

r Wk

I

Wj eOed

00

-‘

1e, 1St

A

‘‘

U

0000 005% 0006 0000 0089 0039 001% 008% 00Sf? 0000 V0Y

Hte,s •000 0010 ‘3 006P 0021 00PL OOiI% 003% 0066 0066 “000 t6% J1% 0U9 006% 008% 0036 006% 008%

-

8?’IA

4%

Arnie sq U! jDBJOjS si qe eqz io aLUj UOQE&I2 eq

•

I

xl

0000 0000 0000 0 0000 0600 0000 u jXfl 0000 0000 0 0000 0000 -j r 4 0019 ooa% 006% 003% 0069 0089 Vt

en 00P9 0069 00’ V ( C C V. 08 6831

XIHSV

“0

S

1?

(qe

4$

Sllfl un elol £) cp% ew U! PCIISIA elIsqeM I1IEIJBJJIP 1? 5 tUeeis U319

Lii

81)

S

a) I) -J

0

-o

N

0

c-’J

©

TypedURLs

Unlikely: Possibly via TypedURLsTime key

Favorites

Unlikely: Possibly via timestamp analysis

Tabs

Yes: Parse Machinelnfo.dat and Tab .dat files

History

Yes: Compare SyncTime and AccessedTime for entry in WebCacheV*.dat. If times differ by more than ± 5 * seconds, it likely originated from a different system

Alternatively, if ExpiryTime = o, a history entry was * recorded in WebCacheV*.dat due to a sync operation

OFIR

fOR500

I

Windows Forensic Analysis

As you can imagine, browser synchronization has the potential to greatly increase the amount of data that we can find during a forensic examination. Going forward, one of the common questions that we need to answer is where the data came from. Sadly, this will not always be possible given the current state of artifacts available. This slide breaks down the different types of synced data and identifies how we might try to determine if the data came from a separate device or was created/stored locally. Synchronized TypedURLs information is placed directly in the TypedURLs key, making it difficult to differentiate. The only way you might tell synced data is through the new TypedURLsTime key. Because each entry now has a timestamp, the examiner could match those times with known activity on the local system, including logons/logoffs, and possibly identify entries that were created when the local system was not in use. Synchronized favorites is a similar situation. Distinguishing synchronized favorites is difficult because they are stored in the same location as locally created favorites, About the only thing an examiner could do to answer this question is to look at the creation times of the favorites and try to determine if the local system and IE were in use during that time. Roaming tabs are easy to distinguish. Parsing each Machinelnfo.dat file provided the hostname of the system that the tabs came from, Any hostnames not matching the local system hostname contain synchronized data. Although identifying synchronized history information is the most complicated, it is also likely the most important. It turns out that history information in the WebCacheV*.dat file has multiple timestamps. We can use these timestamps to determine if a particular history entry was visited on the local system or is in IE history as a result of synchronization. One of the first indicators is to compare the SyncTime with the AccessTime for an entry.

106

©2017 Rob Lee

106

If an entry was written due to a local visit, the access and sync time should be similar (in testing approximately 5 seconds). This is because immediately upon a site being visited in IE, infonnation about that visit is synced to the user’s OneDrive (if syncing is enabled). However, history data from other devices might be accessed now but not synced back to the local system until that user logs in again (which could be hours or days after the history entry was accessed). A second synchronization artifact to look for is if the ExpiryTime for an entry is set to 0. It is unknown why this is the case, but in testing, this appears to be a reliable indicator of data being copied from a different device. +-

©2017 Rob Lee

107

Eq 4 1

1011

:

—

5

3

PM

0

F

ii

PM 17:1U.. 5:1.; 44710115 1153PM

c.

ij,

1 514 ZOiJ :L Si S.1 47135:10:11 PM

‘N-r

t 145.M.5 111

PM

PLF’ L

—

M J1i4-i-::1r.;: 4 17 1014:1647 PM —. I. F 3 11 ..c1°’HPc 0 4 4- 7-1 33 th- 11’ Pt I 3: -101.1 iPf 0 7- c-Si,

:-.

4 17 :474 ‘:6 j3 P;

I

7isftti:jal -‘±nCer.0k rtd.j Ir”Jn’jer 1f11

1

.3NPi.1.

—:

-(:JLtr jir:

:

1; -‘1’ .1:1355-11 FM -11-14-con

.-nflrri[r

,

1i

-

‘-em1N 0.: ft

ia”’’

r:eu:hct 1.

..

--

-:

/1_r;,

-.

I

i

1; -_.‘h 4: :- vi 4 ±‘. 114 -SiL0s rti .

ii 1 , 1, -13 11-.PM 4 174713 .t ii111,47!4 _I

I

-1cM

4

1

1

1

5-M-

u

‘1rcthr

.irt

3 Iili;11 ‘1 51 PM

4 ±7 1:14 51:50

-

,4D:l 4

.

H 1 YIflhi 11 PM 1 1

.

47 fl3 I 347 ri

ft

.1:

fl-hID

-I J

-,

;utr

:

c

1:it-:

e:::-

er—t:e4c.

cng.cDm e3rcI

Jk.3,lc.tr. :tstr

.

rrcJ;

pie- SnLt-r

_“.ILIj1i:

r.

t1’%’

-f

‘,:--:tc I: j ik

-2nd?:

Irchiq ;:m47e.-: r*

I ht’--:-j_ I

h1-- - -

:;

q:::’(. ic’:n.h ac’

F rsr

0FIR

m--t1’n

.._

J

1

ir’nr:.i_-n-.0-

.1

1’ pCfl:rF

Wir

w Fo

n1n:P-

11th

si AmP sis

Here we see some sample IE1 I history entries, and we can quickly put our rules of thumb for synchronized entries to the test. Notice that approximately one-half the entries we see on the slide have an ExpiryTime of 0. This is the first clue that we might have synchronized data on this system. Next, compare the SyncTime and AccessedTime for each entry. Notice how the entries with real ExpiryTimes have nearly identical Sync and Accessed times? Also, notice how different the Sync and AccessedTimes are for those entries with “0” in the ExpiryTime fields. Taking this into account, we can say with some assurance that www,bing,com/search?q=kepler+telescope was visited on the local system, whereas the URL gizmodo.com/portlands-draining-an-entir was visited on a different device and copied over to the current system at4/17/20l49:16:IOPM (UTC).

1

108

©2017 Rob Lee

0 0 0 0

i1

543/2014 8:24:32 PM 5 13/2014 8:27:36 PM 0

10

5432014 5:18:50 PM 5 ‘13,2014 5:26:58 PM 513/2014 5:41:16 PM 5/13/2014 5:47:43 PM 5%3 2014 5:50:53 PM

[FEZ-i

ExpiryTime

SyncTime

4172014 5:30:09 PM 4:172014 5:309 PM 447:2014 5:30:09 PM 4:17 /2014 5:18:50 PM 447 2014 5:26:58 PM 4 17’2014 5:41:16 PM 4:17/2014 5:47:43 PM 447:2014 5:50:53 PM 447:2014 9:16:10 PM 4’17 2014 8:24:32 PM 4/172014 827:36 PM 4 112014 9:16:09 PM 4 17 2014 9:16:10 PM 4 17:2014 9:16:10 PM 447 ‘1014 9:16:09 PM 4 ‘17/2014 9:16:10 PM 4/17i2014 9:16:10 PM 447 2014 346.10 PM

31 Columns]

Containerj &ab!e

11:29,201311:23:16 PM 12;3’2013 2:28:54 PM 12/3/2013 2:28:55 PM 4/17/2014 5:18:93 PM 4/17/2014 5:26:58 PM 4/17/2014 5:41:16 PM 4/17/201.4 5:47:43 PM 4/17, 2014 5:50:53 PM 4/17/2014 8:14:27 PM 4:172014 8:24:32 PM 447’2014 8:27:36 PM 447 2014 8:41:08 PM 4/17/2014 8:41:08 PM 4/17/2014 8:41 :08 PM 4/17/2014 8:41:08 PM 1/17/2014 8:41:08 PM 4/17’2014 8:41:08 PM 4/17/2014 8:41:08 PM

AccessedTime

-,

-

Visited: jalecander@hftps: // ersion6.1L0 Visited: jalexander@https:/1 Visited: ja1axandeChftps://s Jacebookccrn/ccnnect/x&art Vsited: jalexander@file:///C: IVINDOWS ‘system32ioobt’FirstLogon Visited: jalnanden@fileu//C:/Users/jaiexanden/Dr tegshot%SC Visited: jaIexanderafiIe:/ /C:/Users,jatexanc Visited: jatexandenifiIe:/’/C:/Usens/j Visited: ja1exanderfiIe:/HC:.’ I Visited: ja1exanderhttps:/:i nws/skydrivesefli isited: jaIeandenfiIe: I /AppData/Local ‘Micnc Visited: jalecander@http://www: com’seanchk r.teIescoF Visited: jaIecandenhftp:i/www.izenbamb ‘cts/izen bar Visited: jaIexander©hftps:/ i?id=806C Visited: iaIexanderOathftp://o ‘S810001424( Visited: ja1exander@http:/. ch?q= gi:mcdo.ccm& Visited: jalexander@http:/% Lcom/portlands-draining-an-enti Visited: jaIcanden@http://gizmodo.com/five-no-bigdeaI-ways-to-r Visited: jakxander@https://login.hve.com ‘ppsecune/InIInePOPAuth.!

Un

‘V

Delete temporary files, history, cookies, saved passwords, and web form nformation.

Local System:

• All entries are removed from the WebCacheV*.dat ifie • All files in RoamingTab folders deleted Trivial to recover with forensic tools

Remote Systems: • RoamingTabs belonging to system conducting history clear are deleted • All entries persist in WebCacheV*.dat file fOR500 J Windows ForensicAnalysis DfIR finally, what happens to synchronized data when history data is cleared from the local browser? It turns out that it .dat file, depends on where the data is. On the local system, all history entries are removed from the WebCachV* regardless of their origin (local or synced). Roaming tab data for all devices is also deleted from the local system. However, because data is simply deleted and not wiped, we can use forensic tools to recover the data (a simple undelete of the .dat tab files, and something like Internet Evidence Finder carving for the history entries). Interestingly, clearing history on a local system can impact data on remotely synchronized systems as well. If I clear the history on my local system, the tab information for that system will be deleted on remotely synchronized devices as well. However, this isn’t too big of a problem because those files can be unde]eted, or even easier, pulled from the remote systems’ WebCacheV*.dat file. Site visits recorded in TabRoaming data are also stored in the remote systems history file (WebCacheV*.dat). This information is not removed when another system clears its history (probably because it would be burdensome for IE to figure out what entries belong to which devices). That leads us to the most important point of this section: Even if you don’t see history information on the system you are currently analyzing, there could be a more complete record on the user’s other devices if synchronizing was used.

110

©2017 Rob Lee

“

1.

Do not review browser files on a live system a. Consider running tool to retrieve protected storage/vault data

2. Begin profiling Internet activity using forensic image a. Analyze history in Index.dat or WebcacheV.dat b. Review cache metadata and relevant cached files

3. fill in any gaps by reviewing additional IE artifacts a. b. c. d.

—-

Bookmarks Cookies ± Web Storage Download history Session recovery data

4. Review browser artifacts for Modern applications 5. Check external artifacts such as those in NTUSERDAT FORS00 I Windows Foiens Anatyss DFIR When we know what is available to us when doing Internet Explorer examinations, our process becomes relatively simple. This methodology assumes that we will be performing at least part of our analysis using a forensic image of a computer system and a suite of forensic tools. With the recent radical changes to Internet Explorer, it is important to realize that many forensic tools do not yet parse many of the artifacts discussed in this section. Know the capability of your tools, and supplement with manual analysis when necessary. There is always a temptation when encountering a live system to poke around to see if any “smoking guns” are readily visible. Because many of our investigations involve illicit web activities, this temptation is even greater when preparing for browser forensics. This is particularly the case in IE investigations becattse of the virtual file directories that Windows creates for its history and cache files. This is a bad idea for several reasons. Most important is that you can affect evidence on the system. A great example of this is when reviewing cache files. Often cached pages do not have every piece present in the page, and clicking them causes the browser to go out to the web to retrieve them, adding items and overwriting evidence on the live system. Windows takes great pains to hide relevant data on a live system. For example, favorites do not show actual link data when opened via Windows Explorer GUI. You’ll also find it impossible to see many of the.dat files from the GUI. All of that being said, if you do have access to the live system, you may consider running a tool such as NirSoft WebBrowserPassView to recover auto-complete registry information, which may be difficult to decode from a forensic image. The first place most browser investigations start is with reviewing the history and cache files. These files give you the greatest breadth of information about what Internet activities have taken place on the computer system. Cached data can be massive, so review the metadata stored in the WebcacheV*.dat (Index.dat in 1E9 and before) to help narrow your focus.

©2017 Rob Lee

111

‘“

As you have seen in this section, there are plenty of other artifacts that can provide data above and beyond what is in the history and cache files These artifacts are particularly useful if the history and cache files have been cleared. Different artifacts have different longevities on the system, and many times you find website references within bookmarks, cookies, web storage, or download history that have long since been expired out of the history file. Checking the default download and temp directories is another example of finding long-lost files that may or may not be referenced by other artifacts. Advanced techniques like parsing IE session recovery data can often be worth the effort. If you are analyzing a Windows 8± system, don’t forget that Modern UI applications maintain their own set of artifacts, many of which are recorded in the WebCacheV*.dat file. Decide which applications may be relevant and perform a separate review of their artifacts. Internet Explorer is unique among browsers in that it stores artifacts outside of the IE profile folders. Notably, registry keys such as TypedURLs and the default download directory can be important to profiling usage.

112

©2017 Rob Lee

Cache Download History

Auto Complete

DFIR

J

Cookies

Session Recovery FOR500

Windows ForensicAnalysis

This page intentionally left blank.

©2017 Rob Lee

113

Internet History

Cache Files Cookies

WebCacheV*.dat or History indexdat Session Recovery {GUID}.dat WebCacheV*,dat or Cache index.dat WebCacheV* dat or Cookies index. dat -

.url files

Bookmarks Download History

IEDownloadHis tory index. dat, WebCachev* Registry

TypedURLs Web Passwords

Protected Storage or .vcrd files

Synchronization

TabRoaming { GUID } dat fORSOO

OFIR

J

Windows Forensic Analysis

Internet Explorer has a reputation for being relatively easy to examine, and that is largely due to its familiarity. However, those that have not been keeping up with their studies are in for a shock when they start their first case involving IE1O. The changeover from Index.dat to WebCacheV*.dat was swift, but the concepts remain the same. More than ever, examiners need to look in multiple places to get all the data and metadata for a specific artifact. The addition of Protected Mode in Windows 7 and application containers in Windows $ means many more locations in which IE artifacts can be stored. Don’t forget that in addition to metadata, some artifacts still have WebCacheV*.dat real files that may need to be analyzed. The IE cache is a good example of this with the containing metadata and the INetCache folder containing the cached files. Also, some artifacts may be split between well-hidden files in the file system and information stored within the registry (such as auto-complete data). Historically, the market share and consistency of Internet Explorer artifacts has afforded most forensic tool vendors the ability to maintain good solutions for finding and parsing these artifacts. Hopefully, this trend will continue as vendors scramble to support the new artifact formats. in the meantime, the current state is a version similar to Firefox analysis; investigators need to piece together several tools to do an adequate job of analysis.

114

©2017 Rob Lee

DIBITAL FURENSICS

DFIR INCIDENT RE$PONSE

Exercise 5.1 Internet Explorer Analysis

PfIR

FOR500 j Windows Forensic Analysis

This page intentionally left blank.

©2Ol7RobLee

115

DONALD BLAKE CASE TIMELINE: Following IE Exercise 18:24

Begins

19:21 Opening Dropboi folder

Dropbox, Winword utilized

Connect to L0T38 SSID (via

“USB2.0” (BLAKE FILES ‘E:viaLNK) Cast Inserted 18:46

(via Sheilbag, Efl

(via Sheliba

15:13

20:16

18:45

accessing many folders, local& remote, over a 2 hr period

“SMI” first installed

Uses Remote Desktop

C

(via Shelibag)

& FVENOTIFY

20:16:45

(via Prefetch)

(via USE)

Accesses folder on F:\Templat

20:11-20:21

Ji,

SMI USE jflernovedJ

JL

18:51 13 03

17 type hati m Jordan tells Donald to check e-mail I I) mail naly i shows e-mail read. (via t mail)

Nokia Strategy .docx opened b Donald (via I K(

Runs Bitlocker Unlocker

18:53

(via UserAssist) Decrypted Bitlocker USE Image 003 fAAO4O12700011123 F:\) hat business plan doct in root and \Templates

been fired. Jordon asks about ROP

I I

I

First RDP session from Donald (via Event Log)

Begins utilizing sdelete antiforensics

I

—

(via Prefetch)

iOd’2/13

10/21/13

8/1/13-8/8/13

Skypew/ Jordan. Says he’s

Began copying files to (via

-

19:03 Donald

changed time to 8/B 19:03 19:20

13:00 Donald Fired

16:38 Donald account last logon (via SAM)

Donald changed time to 8/1 19:20 (via Event Log)

(via String Search)

FQRSOO j Windows Forensic Analysis

OFJR This page intentionally left blank.

116

©2017 Rob Lee

“

13F1R

FQRSOO

WI dows ForensicAnalysic

This page intentionally left blank.

©2017 Rob Lee

117

117

• Few changes from a forensic perspective • Edge is implemented as an application “package” • Nearly all major artifacts are stored similar to IEii: • • • •

History Cache Cookies Download History Session Recovery Private Browsing

• WebCacheV*.dat file used to record Edge metadata • New features include Web Notes and Reading List flfj

FOR500

Windows Forensic Analysis

With Windows 10 emerged a new browser named Edge, codenamed Spartan during development. Edge was a big departure for Microsoft, allowing it to throw away years of backward compatibility and nonconforming standards to start anew and compete more effectively with browsers such as Google Chrome. Although the features and even back-end artifact storage do not deviate much from IE, the refactored foundational components make Edge much faster and likely more secure than its predecessors. Microsoft has pledged to maintain IEI I for as long as it supports Windows 10, but alt development will be moving to Edge. As a nod to the browser replacing many applications, Edge was also marketed as a PDF reader and is often set as the default PDF reader on the system. Thus, you should expect to find even more cached PDF files than normal in the Edge cache due to the browser being used as a viewer for Internet hosted files. Two new features were also introduced with Edge. Web Notes enables users to annotate websites and save the results. The Reading List is similar to bookmarks and allows sites to be saved for later review.

118

©2017 Rob Lee

18

e

{ C

DFIR

FQRSOO

J

Windows Forensic Analysis

The Microsoft Edge browser stores its core artifacts similarly to its predecessor, Internet Explorer. Metadata for history, cache, download history, and cookies (among others) are stored in the same WebCacheV* dat file that Internet Explorer uses. Cookies and cached files are saved to disk, just like in IE, but in different folders. Because Edge is implemented as a package, many of its corresponding artifacts can be found under the Packages folder under each user profile. Browser settings are stored in the package settings in the Windows registry. Edge keeps its settings in the NTUSER.DAT hive for each user profile: NTU$ER. DAT\$OFTWARE\Classes\Local Settings\ Software\Microsof t\Windows \CurrentVersion\AppContainer\Storage\ microsoft microsoftedge_\MicrosoftEdge\

These settings are separate from those of Internet Explorer and include registry-based artifacts such as TypedURLs.

©2017 Rob Lee

119

cv cv V cc a)

a a) 0

0

a

a

L

‘%USERPROFILE%\Appflata\Local\Packages\microsoft. microsoftedge\AC\MicrosoftEdge\Cookies

• %USERPROFILE%\AppData\Local\Packages\microsoft. microsoftedgecApplD>\AC\MicrosoftEdge\Cache

WebCacheV*4at

%USERPROFILE% \AppData\Local\Kicrosoft\Windows\WebCache\

——,II, ‘“TffgF

uiEt

It

a)

-J 0 0

C r’J

©

C

Conteinerld 535 539 537 546 C 547 573

0 0 0

0

548 525 574 527 522 538 526 528

Neme

Dfrectory

Content

vhcrosoftkdqe\Csche\ C:\Users\Cbsd\ppDete’ekoI\PsckeyeArncro5oftmicrosofted9e.2eiekyb3d2bbwevt \!OOV icrosoftEdqe\Cookes\ \#!0011 i1icrosoftEdg\f-kstory\ C\Users\CheU’AppDste\Loc\Psckes\microsoftmicrosoftedge9wekyb3d8bbwe\A 4icrosoftEdge\User\Defaut\DOMStore\ 0\Users\Ckd\4ppDeteLocsIPecksge0rnicrosoftmicrosoftedqejke€ekyb3d8bbwe’A iicrosoftEdge\Csche\

Cookies H!story DOMStore Content Cookies Hotoy DOMStore Content Cookies History Content Cookes

\W002 AicrosoftEdge\Cookies\ C:’JJsers\Ched\O.ppData\Locaf\Peckeqes\microsoftmictosoftedqeeiekyb3d8bbw&eA 0\Users\ChedppDeta\Lo&\Packeqes\microsoftrnicrosoftedge9e;ekyb3d8bbwe\A’

4icmsoftEdqe\History\ viicrosoftEdqe\User\Defeul’DOMStore\

21 Aicrosoftkdge\Cecbe\ \#!121 vlicrosoftEdge\Cookies\ 0\UserAChedVeppDete\Locel\Peckssqes\mkrosoftrnicrosoftedgej3seekyb3d8bbwe\A( \1211 AicrosoftEdge\Historis C\UserAChed5AppDats\1oca1\Peckeges\microsoftmicrosofted9ejleIekyb3d8bbwe\AC\MicrosoftEdge\Csche\ C

Hotory downoad

softEdge\Use\Defeuit\DownloedHntwy\

• Edge artifacts are spread among many locations • Use the WebCacheV*.dat file to identify them DFIR

FORSOO

Wit dows ForensV AnalysIs

Edge stores its artifacts in multiple different locations. A current default installation keeps four distinct folder structures, including what looks to be a default location at AC\MicrosofiEdge and three others named AC\#!001, AC\#!002, and AC\#! 121. Similar to IE 10+, these different sets of artifacts are likely tied to different modes of operation for the browser (medium versus low integrity, enhanced protected mode, and so on) However, we do not yet know what actions trigger artifacts to be stored in each location. Regardless, investigators will want to review data in each Edge location to ensure critical evidence is not overlooked. In this slide you see a WebCacheV* dat container table showing various artifacts stored for the Edge browser. Note the Directory field providing an overview of where each artifact is tied to the file system, The process for analysis is identical to that of Internet Explorer 10+. .

©2017 Rob Lee

121

121

:1 ..:

535 536 539 537 546 547 573 548 525 574 527 522 538 52%

Content Cookies Histoty DOtAStore Content Cookies History DOMStore Content Cookies History Content Cookres History redownload

C C

C C

C:\UserAChad\AppDatALocal\Packages\rnicrosoftrnicrosoftedgejwekyb3d8bbwe\AC\MicrosoftEdge\Cookies\ C:\UserAChadppData\1oca1\Packges\microsoftrnrcrosoftedqç9aekyb3d8bbwe\%C\MrcrosoftEdge\Hrstory\ C

ies\

(N (N

A new database was introduced in Edge. It currently holds Bookmarks and the new Reading List feature %LOCALAPPDATA°\Packages\MicrosofLMicrosoftEdge_\AC\MicrosoftEdge \User\DeIaiilt\DataSt re\Data\nouserl\12o’i 2-0049\DBStore\Spartanedb t,

DI t 25

r

tin.

F 1atkFWt h

4 42

FiN F

s [Tth ID

—

Nt

mrfr’

atrh “mf

IsFolder

rn/n ,IU

orn/n

nn. om/

IsDeleted

Br

it

URL

;]

‘S

—

41

htp/”

‘m’n

42

R

ocP M...

rI

rji. ji

I

II

A

Irt,&Ii.

Title iescrlpt3.on

F

F

i,rtt;;..

DFIR

irI

FQR500

IsDeleted Wi idows Foren icAnalysis

Spartan edb, apparently named for the project codenarne of the Edge browser, holds information on two important artifacts. This database is in ESE format and is located in: .

%LOCALAPPDATA%\Packages\Microsoft .MicrosoftEdge\AC\MicrosoftEdge\Use

r\Default\DataStore\Data\nouserl\12 0712-004 9\DBStore. Edge stores bookmarks in a table named Favorites, which is a departure from the individual un files employed by Internet Explorer. For each favorite in the database, a URL and page title is recorded. Other fields identify whether the entry is a folder (bookmarks can be organized in folders) or whether it is deleted. The latter field is interesting because it indicates that bookmarks may persist even after deletion. In fact, in the slide we see the value “255” in the IsDeleted field, indicating that the entry persisted in the database after deletion. The Reading List is a new feature in Edge and is used to hold links to web pages saved by the user for later review. It can be thought of as a more ephemeral bookmarks list. Sites saved to the Reading List are saved in the ReadingList table, with their URL, page title, page description, and an lsDeleted field. Similar to the Favorites table, a value of 255 in the IsDeleted field indicates the profile owner removed the entry from the list.

©2017 Rob Lee

123

123

I

I I,

.

-

kfl&

Title

S6%

1%, 12 Columns]

it

-!I -

URL

MarketWatch Stock M. WashPo CNN _Favorites_Bar

n*r-v

srtitruew,,et

JaI -

URL

__Aa

.

t

—

v

its.

hp://vwwrnarketaiatch.com/ htp://wcLmsrtcorn/en-us/newcfus]%e. htp://wLwcnn.com/

nn

;trc.

-n

-

ne

n:

-

N

These are the most tncredi. http:/Abvuw.msncom/en-us/moneyftechnology/these-a1 As Angels Pull Back, ValuatL, htp;//wuwmsncom/en-us/moneyfmarkets/as-angels-

t [Table ID = 26) 13 Columns)

iai:wwt. si

42 42 42 25%

IsFolder The

Favorites [Table ID IsDeleted

-

25% 42 42 4% fry- r

-

-

42 42

IsDeleted

hA I Readmgtist

I L

[Favorites URL

Title

isFolder

(%st,

IsDeleted

URL

Title

Description

isDeleted

C (N

©

(N

Web Notes allow pages to be annotated and shared • Stored as image files and saved in Favorites or Reading List ($partan.edb) %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge\AC\ # !ooi\MicrosoftEdge\User\Default\WebNotes

AbQ N k

Wth N: Mk ,j

McftEd-e

t

b

th4&t1

bttM

Web Notes are a new built-in feature in the Edge browser. Although they are likely most useful on tablet devices, they are surprisingly easy to use on traditional PCs. The idea is that a page can be marked and annotated, saved, and shared with colleagues. Behind the scenes, the implementation is simple. Saved web notes are located in the following folder: %LOCALAPPDATA%\Packages\Microsoft MicrosoftEdge_\AC\ #! OO1\MicrosoftEdge\User\Default\WebNotes

The original web page is saved as a JPG or PNG image. A corresponding transparent overlay image is saved as PNG. The overlay image contains all the page markup accomplished by the user. A final version of the page with the original image and overlay put together is saved as a JPG. Thus, each web note saves three different images to the WebNotes folder, file system creation timestamps of these files can indicate when the web note was created. Users can save web notes as bookmarks or in their reading list. Metadata for these entries will be recorded in the new Spartan.edb database. Unfortunately, database entries record the web page title, but not the original URL visited. However, this information can be determined by matching the file system timestamps to Edge history artifacts. When a web note is deleted from a user’s bookmarks or reading list, the original files can persist in the WebNotes folder.

©2017 Rob Lee

125

V

w

—r

Pkture Thoi
sis

Knowing the location of the key browser files should be your starting point when conducting browser forensics. The first thing they tell us is if Firefox is installed on the system. Remember that we will most often be reviewing a dead file system copy and thus won’t have all the handy indicators present on a live system, such as shortcut files or entries on the start bar. Searching for specific files and folders used by an application can be the easiest way to determine if artifacts exist. (The Windows registry is another useful place to search.) Applications often leave behind files and folders even after they have been uninstalled on the system. A secondary reason for knowing where the application folders are is that you need to know where to point your forensic tools. Many of the tools we use for Firefox forensics require the investigator to identif’ where the key browser files are located. Remember that in Windows the Application Data (AppData folder in Win7+) is hidden by default. To see the contents of this folder, you need to go into the Control Panel, select Folder Options, and click Show hidden files and folders in the View menu. File locations have changed for Windows 7+ installations. Similar to what is done using the Local Settings directory in XP/2000, Win7+ splits the Cache directory out and places it within the Local directory, ensuring that it is used only on the local system and not saved with any roaming profiles used within a domain environment. This same distinction is made in IE installations and one of the reasons it is done is that Cache folders can be quite large in size and thus should not be passed around the network. Firefox does not use the Protected Mode feature of Win7+ and thus does not use low folders. The , default folder within the Firefox file path is a Firefox profile folder. A user can maintain multiple Firefox profiles, and if that is the case, you will see multiple , default folders within the Profiles directory. In this case, files in each folder need to be examined individually.

132

©2017 Rob Lee

(

Auto-Complete

%userprofile%\Local sá bata\Mozilla\ Firefox\Profjles\. default\Cache

Cache

•

Bookmarks

—

Cookies — .

Bookmarks

—

.

.

.

• userprofile%\AppData\Local\Mozilla\ Firefox\Profiles\ Select History File for the MozillaHistoryViewer application.

3.

Highlight relevant entries using . While conducting our review, we highlight any entries relevant to our investigation by left-clicking them. To select multiple entries, use the key. Some of the tools have check boxes next to each entry that can be used instead.

4.

Export selected items for inclusion in the report. After we have selected our relevant entries, we have the option to save them to either a text file or to an HTML file that we can then include in our investigative report. To save as a text file, use File -> Save Selected Items, and to view/save in HTML format, use the menu option View -> HTML Report Selected items. —

Some NirSoft tools have the option (when relevant) to open a selected URL within a web browser. This option retrieves the page from the actual web server, in some cases, this could be undesirable because we may not want to make a connection to the web server. (Imagine a case in which the subject is the owner of the site, or if the web server is suspected of hosting malware.)

©2OJ7RobLee

143

CD 0

r

0 U

-4

0

©

a

N

:

I4

4

I

4

i

I

,

A

dXj

(__

-

awl

a

(rs-\

w))cipq1vAzfl:dnq

“OYdWO)dptjflfldq

“N Xjejodwi

tUO)dtrM!V!:dflL1

xiO-J!edaN “i5oJopJed’ap;/1dflq

Ya6oofrfAM1:dflq *aj%oo5*twiv/:sdnq

*n,5oo%ww//:sduq

dnueaj) :1s!a

atpi

i!P saop saji; wtr “eqdde dnunp !P “qa;sej ouj tua4sX

“!P saop Xjptxa

-a

— -a

a

ta

;wgs we awl

I

Lid SE5C3 ELC?16L0L kid OP:9O;S ELQ?5L;Qi EIC/%IjOI Lid LE:90:8 EICi6i:ti kid sz:gwe ELOI%I/OI Lid CL9C3 EICVSLCI lid :g:g EIO?/6I!oI lid SsEB EiCZ/6L:OI lid Ec:Eo:s ELO/%L/OI Lid LtaC!8 ELCC!%LCI lid Lv:Io; EIC’5I;JI lid LNiO EIC!%LtI lid 9rICS EL!%ICi L I I I I I I I I C i I

jau’osJLrMMM11:dflq ‘aw%aaJj Jos

AieJodwaj

“u

juq uq

uq

uq :uq

)jUfl

Nwmaraew

‘(S)Ufl4!

—

——

djaH

-

—.

%1p3

fld

-

CL6

__•________•\____

i4;4

!%o!opJed*pJI/):dnq

SUO%d0

1taJWaflUaAa

7wo:peDajes!%ojopJedap1/:dq

“!pEojuMopjwoYdwod;at: :d%lq

‘!D15L? tUOYUiqa4sed[dfli4 )ng4ztespn/woYa%oo&MMM//:djq tdq&iasu2?woxwnJpunub; :duq

“Saflb1woYooqeksnMsueijnfi:d;;q

!WODfoODqU!eif:dflq

Pa1PS 1.

-‘.——.—

• The cache is a repository for web data a user has viewed • Cache format and location is consistent up to version 3%: • Located in %USERPROFILE%\AppData\Local\

• New format introduced in Firefox v32: • Same location with exception of cache2 folder • Default cache size now 35OMB

What can we find in the ffrefox cache? Is

DFIR

FQR500

‘Presejit?

Windows Foiensic Analysis

The Firefox cache is another important artifact for an examiner to use when investigating a user’s Internet activities. Inside the cache, there are often a large amount of website pages, files, and images that have been stored locally to speed up future requests to that same website. This gives the investigator a window into not only what sites have been visited by the user, but also the actual content files that were downloaded from those sites. Prior to FF4, the default cache size was 50 megabytes. Beginning with FF4, the default cache size was greatly increased to 640MB for each profile. This value may be scaled down for smaller drives, and in the latest versions of Firefox, the cache size has taken a step backward to 3 50MB. To definitively identify the max cache size of a given instance, review the browser, cache disk, capacity value within the Firefox config (prefs. js) file. .

The cache format and location was the most consistent Firefox artifact, remaining unchanged all the way to Firefox version 31. It could be found in %USERPROFILE%\AppData\Local\Mozilla\ FIrefox\Profiles\. default\Cache

with the exception of Firefox installations on older systems like Windows XP: %USERPROFILE%\Local Settings\Application Data\Mozilla\ Firefox\Profiles\. default\Cache

The original database fonnat used by the cache is complicated and is best parsed using a tool created for that purpose.

©2017 Rob Lee

145

The new version of the cache has a much simpler implementation and can be found in %USERPROFILE%\Appflata\Iocal\Mozilla\ Firefox\Profiles\. default\cache2

For each item cached by the browser, metadata is stored to provide context. The most interesting metadata to an

investigator are: URL: What web page the given content was saved from.

•

Fetch Count: How often the cached content has been used. Missing (Is the file present?): Tells us if the items the metadata refers to are actually stored in the cache. When data is missing, it is usually a result of cache control parameters set by the web server requesting that no data be stored (that is, no-cache).

•

Filename: The name of the content that was retrieved from the website. Content Type: The type of file stored in the cache. (that is, HTML, jpg, gif, JavaScript, and so on).

•

File Size: How large the downloaded file is.

•

°

Last Modified Time The time and date that the content was last stored in the cache Last Fetched Time: The time and date that the content was retrieved (used) from the cache. This gives us an indication of when the page the cached content is from was last visited Request Header: The HTTP header from the requested website. This is used by the cache to “replay” the request when cached content is used instead of actually going out to the site to do another download. Firefox stores the full header, which provides much more information than what is stored in the Internet Explorer index.dat file. Stored within the header is the content encoding information, cache parameters, web server name, response code generated by the web server, and web server time when the request was made.

I

146

©2017 Rob Lee

m d fk

18

3OP2276314ccBO7%O632D4F4DQbQ8C17877 OCCE7O4O36%7SOBB%45D7B999S83417DOCF

“‘ ‘

•

“

‘‘

‘1#YtI Copy Selected Cache Files to... One item to note is that when using this tool to review cache data on a live system, Firefox cannot be running. The cache files are locked by the application while it is running and thus MozillaCacheView cannot open the cache files. Reference

[I] http://www.nirsofi.net/utils/mozillacacheviewer.htrnl

©2017 Rob Lee

151

File

S

Edit

Options

Help

URL

View

ContentT% pe

A341 tEct:Xmi

File Size

texbxml

Filename 1757167370xml

image/jpeg

image’gif

http:Podb.outbrain.com/... http:/’ oyster.ignimgs.com...

hftp://oyster.ignimgs.com.. http:/i2953003Jcgoptimiz...

931wm1 Ev1SN1,,,Cv4yaçpw;fihpqw1ç-300’v

,,

L a=2953003&d=%95300%&yfalse&... ,

e5161c99cc90bb06097c73d5154e4d,,, text/as aI 8MROB,J024jad10trc2b_-300x455.j... lmage:jpeg EATMAN.66.4j.jnygumpbi200x.., image/jpeg image,jpeg image jpeg image/jpeg

application ‘json text’xjson;chars.. inage,jpeg

hftp://Lbetrad.com/pub!p.,.

NirSoft Freeware. http:ftwww,mrsoftnet

4,124 6%469 0

1,661 http::%cdn.flashtalking.cc... 8,000 http:/ cdn.flashtalking.co... http://2953303.Iog.optimiz... 35 http:Hovster.ignimgs.com... 48,137 http:/oystatic.ignimgs.co... •8,25.8 http:/’oyster.ignimgs.com... 39,481 http://oyster.ignimgs.com... 70788 http://oyster.ignimgs.com... 42,867 http://oystes.ignimgs.com... 56699 50,531

4. BW.,,Cv24_.zrnfadh4jgl 200x458.jpg ANMANCv24d0zi0uur1o:300x46... hRHOODQC’.2&Ri_klv8cmjomx_3... a=2953003&dz2953003&=false&x,,, udzhttp%3A%2F%2Fwww.ign.com... ,x FEfloguesflebjJ5nv4rztm3-3G0... pid=%&ocidr6%0&ü=i&r=0.104504...

.

14270 item(s)

1 1 1 1 1 1 1 1 1 1

Fetch C...

Last Modified

1

i01920132>11:59PM 1019 2013 &11’59 PM 10192013811:5%PM 10/19:2013112:01 PM 10192013 8.12:01 PM 10/19:2013 8:12.01 PM 10/19:20138:12:01 PM 1019,2013812.OIPM 10 19 2013 8.12:01 PM 10192013 8:1101 PM 101920138:12:OIPM 1O’19’20138 1102PM 10,1920138,12:OIPM 10/19/20133:12:02PM 1 1 1

Last Fetched

>

1019/%013211:5%P 11192013111:59 P 10 192013 8:11’59 P 17. %20138:12:OOP 1019 2013 2:12:00 P 10 19 20138:12’OOP 10 19’20138:12:OOP 10 92O138:12:0CP 10’ 19’ 2013 8:12:00 P 1119/20138:12:01 P 1019/2013812:O1P 10 1912013 812:01 P 10 1920138:12:01 P 1019/2013 8:12:01 P

F.

[

I

0 0 -J 0 0

1—

©

0 (N

If)

(N

• Provide an additional means to profile Internet activity • Firefox stores all of a user’s cookies in cookies sqlite .

• Stored in the profile folder, linking them to a user account What website domain issued the cookie?

host

the C()OkW flu1R? Was the cookie issued hi a secure connection?

name

What

is

I When was the cookie/site list accessed2 DflR

i sSecure

I

lastAccessed FOR500

I

Windows ForensicAnalysis

Each browser artifact provides slightly different information. There isn’t just one artifact that can provide all the information that an investigator might need. Cookies are a good example of this layered effect. Although the history file might be the first stop of an investigator when looking for what sites have been accessed, cookies may provide additional sites and information that have been deleted or overwritten in the history file. Cookies are often saved longer than history information and are not as frequently deleted by users. Unlike lE, which stores cookies in individual files, Firefox collects all cookies into a single database, cookies sqlite. Similar information is recorded, including cookie name, domain, contents (value), and the first and last time used (creationTime, lastAccessed). .

©2017 Rob Lee

153

‘53

Firefox 1.5/2

In Firefox 2, cookies were stored in a file named cookies txt consisting of a row for each cookie and tabbed columns for each of the cookie’s values. .

V. ha we[ site do afr is’jec3 th rocMe? What

fS

column 6

the cookie name? Lue’fr

o

‘S

What values

c u

.

When was the cookie

r 4

c ilo

/ preferences were stored?

leiwci-;th .c

Column 1

Column 7 A

‘r’ e

/ site last accessed?

N/A

An example of what a cookie looks like in the cookies txt file is as follows:11 .

Column I ,msn.com 1555802906

Column 2

Column 3

TRUE CULTURE

Column 4

Column 5

/

Column 6

Column 7

FALSE

EN-US

Column 1: Name of the website that stored the cookie. Column 2: Can the cookie be read by other parts of the website (using the same domain name)? Column 3: Webserver directory path that the cookie is relevant for. Column 4: Does the cookie require a secure (HTTPS) connection? ColumnS: Expiration time for cookie (in Unix epoch time number of seconds since 1 Jan 1970), Column 6: How the cookie is referenced by the web server. Column 7: Stored information within the cookie. (user preferences, site state information, etc.) [1] http://kb.moziIlazine.org/Cookies.txt

154

©2017 Rob Lee

F

V

Edit

Hdp

p

‘i.:

..—.-•.

•

n

:_F’F r’

-

rc .,r

p

‘F

1 FF

1-

true

-f:

-.

1-

--

—-

-

[or ninJHn’.t

I,

-

=

t•

.

.th

-

1

-9

Name.

•

-

--

Jalue:

-t-

-

rpirdttonDate

-

11 -

1.

turf-

.

irop,SRcfUrl

http:IIviwv piritorm r omjLcleaner!downln-rd lllfliI2tH

10:1010 M

No

•= •

-

‘e_J

pc

-

•

I

-

•

•

rn ‘t c

•

lin’.tlD.

12615

C.a5tAccessed:

1011312013 q:lo:1o M

Created tune:

1 Oft 3/7tH 3 J31:55 OM

Located on Your SIFT Workstation D FIR

f0R500

!

Wit dows ForenskAnalysis

MozillaCookiesView provides a simple interface for viewing cookies from all versions of Firefox.[’l You simply point it to the file you are interested in parsing (using File —> Select Cookies File/Folder) and analyze the results. You can click the column labels to sort by the value, which can be handy because sites often use more than one cookie. Right-clicking any entry allows you to view the properties box, which displays detailed information about a specific cookie. The columns displayed by the tool coffespond to the data fields stored in the cookie file: • • • • •

• •

Domain/Host: Name of the website that stored the cookie. Path: Web server directory path that the cookie is relevant for. Name: How the cookie is referenced by the web server. Value: Stored information within the cookie. (user preferences, site state information, and so on). Last Accessed: The last time the cookie was passed to the server. Created Time: The first time the cookie was stored on the system.

Expiration Date: Expiration time for cookie (can be changed to GMT time using a menu option). Secure: Does the cookie require a secure (HTTPS) connection? Domain Accessible (Not shown): Can the cookie be read by other parts of the website (using the same domain name)? Line/ID: The location of the cookie within the cookie file (FF2 cookies.txt file).

Reference

[I] http://www.nirsoft.net/utils/mzcv.html

©2017 Rob Lee

155

File

Edit

VieA

DonAamIHest .cnetscrn .cnetcom

ii’. !cnetccm ¼j cnt corn bb .cnetcom * cnetcorn

U cnetcom

Name

Value

101% 2Di% :40C%. 10/13. 2013 9:40*D9. l0’i323139:40%,

Last Accessed

IC 13*2213 1013’2013 Th57. l013*20139:357,

Crested Tame

•cnetcom

aSa n

DomainjHost:

1% 1

I

I

Path:

1261%

-

I

Line/ID:

10/13/2013 9:40:10 AM

I

Name: Value

Expiration Date: I 0/13/2013 10:10:10 AM

Last Accessed:

WI

ii

I

Ii

WI

arrawSSfletUri http fjwww p nlorm comlccleanerfdownload

*L*

1&1013&8C0j05&BK403&BK4233, 4B6F3FCDF?3FSD4F1F9E154BFB0339?’ true

7

-

w

I0/13j20139M%%AM awriwansn “sans*n

CreatedTlme

da5ee9ebS5T9TeN Secure: No o4seedooe2fe7oi Domain Access:

1Ds15%”2r2s First vt 13816572999% 3

MADUCAT did suwisft

_cfduid

_1D

-.

apexSample.

.

to nicad svov*nto... apexLat apaspc 3’””

Help

.

tà .cneLcom W .cioudflareccm lj €chckbooth,com

1965 Cookies

-

lLpneaanv

1 7

L

7

1

W

I

1

1

5

to

(0

Google uses several cookies to track user activity on participating sites (--‘$o% of all sites using traffic analysis) 1i

Um(%ue

1 a

titmv

vjsjjo;

Session tracking

Website

Session status (deprecated) • Stttui

n

jttiL7 ::

_tirn:

u

:

fl7

‘4,110.;et

.

rFI,aftic

optimization

sources

t’..u

“1 Lj%.i7 3 345u

If 1; i:

•J •)3Oi; .I3t- ,c54.2

iiedcorn

I

.‘&J3.SI 11’ 7.

I;

SQL te 3d.. I Icr

.,

In

•.

2

n -

jtmj.,

umi n

value’,

crch eut SQL UE 3tirJ5

Er

I

(‘ustoin

xchie

I rn

i fd&r

ni

rn

eI

DFIR

i_rn •

tti

1

•

cJ.crr, ••

dirt nr 1.

FOR500

Windows Forensic Analysis

Google Analytics (GA) has developed an extremely sophisticated methodology for tracking site visits, user activity, and paid search. Because GA is largely free,* it has a commanding share of the market, estimated at more than 80% of sites using traffic analysis and more than 50% of all sites.11 Information collection is reliant upon several different types of cookies that participating sites place on visitor’s systems:[21 utma: Unique visitors utxnb: Session tracking

utma: Session status (deprecated) utmv: Custom values utmx: Website optimization utmz: Traffic sources The utma, utmb, and utmz cookies are of particular interest to forensic investigators because they give us a granular look at a user’s behavior on a given domain. In the example on this slide, we see several of these cookies saved in the Firefox cookies.sqlite database. The cookie name is followed by the value, which is followed by the issuing domain. Keep in mind that each GA cookie will be stored by the browser for a specific domain. In this example, we see GA cookies for forensicmethods.com, readitlaterlist.com, and wired.com. *Sites with more than 5 million page views per month must have a Google Ad Words account to use the free version of analytics References [1] http://w3techs.com!technologies/details/ta-googleanalytics/alI/all [2] http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html

©2017 Rob Lee

157

‘5?

$jjji SQLite Manager C\Users\chad\AppData\Roarning\Mozi11a\FIrefox\Proffles\4yfrs1Ov defau1\cookiessq1ite

Gecko 1002

Exdustve

Number of files en selected directory 1%

45283507 .17679%2989.1323133445i330749061 i3309950773 1177392422.48442%7181330733793133073379313307337931 238032518i74434945013309808771330g8087713309g48543 145283507i .101330995077 1238032518110a3309948%4 145283so7i3%o9950%%5autmcsr=googleutmccn=(organic)utmcmd=organicjutmctnt%22tiibury%22

Structure Browse & Search Execute SQL I 08 Settings _utma

• _utma _utrna • _utmb utmb utnu SQLtte 327 1

wiredcorn

I Sorensicrnethods.com I seaditlaterlistcorn

Jorensicmethodscom siiredcom

I Sorensecmethods4com

ci)

0 -J 0 0

©

0 (N

Wi

Cookie Name:

tma

• Used to report on unique visitors

• Timestamps in UNIX epoch time (# of seconds since Jan

3

193555748 131007452%

1321585664 1322622200

5

L

1, 1970

UTC)

aai

Visitor identifier Coolde creation time

(7/7/11 21:35:2%)

Time of second most recent visit (n/i8/n 03:07:44) Time of most recent visit (11/30/11 03:03:20) Number of visits

DfIR

FQRSOO j Windows Forensic Ana /sis

9

The utma cookie collects unique visitor information for the issuing site. The cookie value appears unintelligible at first sight but with a little work can be deciphered into some useful infonnation. The example on this slide was a cookie issued by sans.org for the user chad on the local system. its value was 157178169.193555748.1310074522.1321585664.1322622200.5 Each element of the utma cookie is separated by a The first element is the unique domain hash, or identifier, A separate cookie is isstted for each participating domain or subdomain that the user visited. For example, you might see utma cookies for both sans.org and portal.sans.org. Each of these would be assigned a separate domain hash. This value turns out to not be particularly useful because we already know the issuing domain from the saved cookie information on the local system. “.“

The next element is the visitor identifier, which attempts to track activity from the same user every time the site is visited. This value is not useful for our purposes because we already know what local account visited the site based on the local user profile containing the browser artifacts. The next three elements of the utma cookie are a series of timestamps. These timestamps give us the cookie creation time, time of the most recent visit, and the visit preceding the most recent visit. Timestamps are stored in UNIX epoch time, and a tool such as Dcode.exe must be used to convert them to a human-readable format. The final element is the visit count. There has been some excellent work done in analyzing GA cookies. For example, Jon Nelson identified that the visit count is not incremented when the page is reloadedJ1l This makes the visit count one of the most accurate places to get a true indication of user activity. The utma cookie is set to expire after 2 years by default. Keep in mind that only sites using Google Analytics issue these cookies. Individual site configurations can greatly affect the number and types of Google Analytics cookies issued. Reference [1] http://www.forensicmag.com/articles/20 12/02/google-analytics-cookies-and-forensic-implications ©2017 Rob Lee

159

Cookie Name:

u tinb

• User session tracking • Timestamps in UNIX epoch time (# of seconds since Jan • Should be deleted after session close but often persists

105588432

J

8 10

131026059%

1, 1970

UTC)

Domain hash (unique across all domains) Page views in current session Outbound link clicks (decrements from io,with io = o clicks) Time current session started (page viewed or reloaded)

UFIR

FORSOO

}

Windows ForenskAnalysis

utxnb cookie is used to track individual user sessions. It should be deleted after the session closes but The often persists in the browser cookie collection. A utnth cookie expires after 30 minutes of inactivity. Each additional page view on the site resets the 30-minute expiration.[’] utnib. The domain hash identifier should match the domain hashes on Only a few values are stored within utma cookie, this information is largely other cookies for the same domain/subdomain. Similar to the superfluous because the browser already records from what domain a cookie originated.

The page views element is interesting because it can tell us how much interactivity a user had during the session. On this slide, there were eight page views, indicating the user spent some time navigating to different parts of the site. The outbound clicks value tracks how many times the user followed a link to an external site. The value decrements by one with each link followed; a value of 10 means zero links were followed, whereas a value of zero means 10 external links were followed. This information can be used to gauge the level of interactivity the user had with the site. utnib cookie stores a timestamp in UNIX epoch time for the start of the session, This is another finally, the artifact to help examiners identify when a site was accessed and can be particularly useful if the browser history is unavailable. The session time updates if the page is reloaded.

Reference

[I] http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html

160

©2017 Rob Lee

6G

Cookie Name: Used for identifying traffic sources and navigation

6914%67

Jt update tin;e

(1/18/12 19:19:27 UTç_J

tf-

]ii;1ber ol different of visits (ea;npa;isi’1 used to ac aess site J SourceAdX’Vords cainpaig;; name types

utnwsr=google

utincmd organic Access metht)d (organic, retei’ral, cpc, 1 mail, direct) utmetrsans’h%Otorensics Keyword tised to find %ite (non.SSL only)

DHR

FOR500

Windows ForenskAnalyss

The final Google Analytics cookie of interest to digital forensics examiners is the utmz cookie. This cookie is used by Google to track where traffic originated from and how the site was discovered by the user. It stores the most information of our three cookies of interest but is more useful to the analytics software than to an investigation. If available, the utmctr value is the most useful information within the cookie. This value records the search

term used to find the site. A large number of search terms entered by the user can often be mined from

utmz cookies, but this information will normally only be available for “organic” searches from a website search portal or for cost-per-click, “cpc” paid search links. The utmcmd value records the source of the visit, In addition to the “organic” and “cpc” sources, utmcmd also tracks website “referral” links, “e-mail” campaign links, and “direct” access. Direct access can be particularly interesting because it indicates more user awareness of the site. Typical direct access methods include typing in the URL, accessing a bookmark, following a link in a document, or disabling referrers via security software. If a link were followed from a referral site, the domain of that referring site will be stored in the utmcsr value. In this slide, utmcsr recorded Google, the utmcmd value was organic, and utmctr stored “sans forensics”— indicating a Google search was conducted for the term “sans forensics,” If 3ing had been used, the utmcsr value would have reflected this. Similarly, if a user followed a link from a third-party site, that domain would have been recorded. The sum of this information can be helpful in identifying user behavior and intent. Note: Google Analytics made a recent change that does not record the keyword used (utmctr value) when the search was conducted using SSL (unless the search results in an Ad Words link being followed[2]); instead, it records “not provided.” Depending on what the cookie is referencing, you may see additional parameters. For example, utmcct refers to Campaign Content and can give more insight into the visit. An excellent cheat sheet of known parameters was written by Jay Taylor.[3]

©2017 Rob Lee

161

The utmz cookie has a 6-month expiration.1’] [1] hftp://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.htrnl [2] https://support.google.com/analytics!answer!1 033 173 [3] http://www.cheatography.com/jay-taylor/cheat-sheets/google-analytics-utrn-pararneters-v2/

162

©2017 Rob Lee

oht.r.incn

By Man DeGrazia • Parses

and

utmz

F

• Supports cookies from: • Internet Explorer

• Chrome

Th

Thdf

fe d F

R.

• Firefox • Safari

-

• Output in csv format .

DFIR

FORSOO

Windows ForensicAnalysis

Marl DeGrazia, a forensics practitioner from the United States, was inspired by the previous slides on Google Analytics and wrote a tool to automate the process. She released the tool as freeware and has continued to update It as browser databases (notably Firefox) continue to morph. [1] For all browsers except Firefox, simply point the Cookie Location field to the cookie file or folder within your mounted evidence and it outputs three .csv files: one each for utma, utmb, and utmz. Pay attention to the Browser Instructions dialog becatise it provides helpful reminders as to where cookies are stored for each browser. The process for Firefox is slightly different. In this case, you must open the cookies.sqlite database using the Firefox SQLite Manager plugin and export the moz cookies tables using the quotes disabled option. The resultant file can then be loaded into GA Cookie Cruncher and parsed similarly to the other browser types. Should you have issues with parsing data from a mounted image, a good workaround is to copy the files out of the image into a local working directory and point the tool there. Reference

[I] https://github.com/mdegrazialGoogle-Analytic-Cookie-Cruncher

©2017 Rob Lee

163

“

164

©2017 Rob Lee

NSDFIR

BICITAL FORENSICS E INCIDENT RESPONSE

Bonus Exercise 5.2 $QLite Database Analysis

F0R500

UFIR

I

Windows Forensic Analysis

This page intentionally left blank.

©2Ol7RobLee

165

• Allow user data to be stored in the local Flash app AppData Lral • Stored as .SOL files: 100KB or less: size of standard cookies • No expiration date

LOCCILOW

• 25X

Raamrng Mecromedia

flash Player

• Not browser-based • We can determine: r, Websites visited

SharedObjeds K6GNFVLV brn clear pnng om rnaiigoogle.corn

msntetseving-syscom

User account used to visit the site 3. When cookie was first and last accessed 4. Data stored by the site 2.

us.rng3maiLyahoocom I

m

wai,liveleakcom

FOR500

DFIR

C

I

Windows ForensicAnalysis

66

high Local Stored Objects (LSOs), or Flash Cookies, have become ubiquitous on most systems due to the extremely later that can information store to application web penetration of Flash applications across the Internet. LSOs allow a tend and cookie) 4KB a of size the times 25 to be accessed by that same application (or domain). They are larger (up but to be more persistent because they do not expire. In the past, it was difficult for users to clear Flash cookies, cleared.111 are cookies other when nearly all modern browsers now have the capability and clear LSOs Anything typically stored in a cookie (and more) can be stored in an LSO. Thus, we should expect to find the preferences, search terms, location information, visit frequency, and so on. In addition to this, we can also use existence of the cookie itself to give us the following information:121 •

°

166

Websites visited: • LSOs are stored hierarchically by domain. Thus, on the slide, we can surmise that the user account has both Gmail and Yahoo! Mail accounts. Flash-based advertisements also have the capability to save LSOs. This is important because in some cases we can’t necessarily conclude that it was the user’s intent to access the domain. The origin of the LSO is often obvious (that is, adsi .msn.corn), but testing or additional artifacts may be necessary to make definitive conclusions. User account used to visit the site: • LSOs are stored under a user profile, indicating that that specific account was used to visit the site. When cookie was created and last accessed: • Because cookies are stored as individual files, we can utilize the MACB timestamps of Windows to determine when that LSO was created and when it was last accessed. This at a minimum gives us a date range of known activity on that site.

©2017 Rob Lee

LSOs use the .SOL file extension and are stored as individual files. They can be found in many locations but are most commonly in the following folders. (%APPDATA% is equivalent to the %USERPROFILE%\Application Data folder.) Windows 7/Windows 8 %APPDATA%\Roarning\Macromedia\Flash Player\ %APPDATA%\Roaming\Macromedia\F lash Player\#$haredObjects\ %APPDATA%\Roaming\Macromedia\flash Player\macromedia.com\support\flashplayer\sys Windows XP %APPDATA%\Macromedia\Flash Player\ %APPDATA%\Macromedia\Flash Player\#SharedObjects\ %APPDATA%\Macromedia\Flash Player\macromedia.corn\support\flashplayer\sys References

1] http://blogs.msdn.com/b/ie/archive/2O1 I /05/03/deleting-flash-cookies-made-easier.aspx [2] http://blogs.sans.org/cornputer-forensics/2009/08/2$/flash-cookie-forensics/

AppData Local

LocaLo Roaming Macromedia Flath Pla%er

SharedObeds K6GNFVLV

bincIearspringcom maiLgcogie.com

msntestserving sysccm usmg3maiLyahoocom vIzLLccm

©2017 Rob Lee

167

File

Edit

View

Options

Created Time

Filename

URL

8;182C13 %:25:5, 813’2013 6:255 2/18/2213 %25:5,.

http,/secur&usimr crldide. ggCvarscl http:Ifsecure usimrwotldwide. ggCvarternpsol W http:f/sewreusimtworldwide gglviCvarjsol

d1”21DE2

Modified Time

File Size

File Path

0i82013 ó:25:5.

74

2/18/2013 625:5

72 218 %

Efrcot]T E:[rcct]’t E(root) I f[rrctji

ia 20/2013 10i5 ‘0 23 201’ 1G1

U

04

a

4/

/

I

octoshapeuserinfo

httpLfzcdnturnercom

uiyersion: String

4

=

4/

—

—

12/5/2013 3:07:5

65

10 5/2013 7;38:2

E%[root)31 v

6,7.OIO2

I

p.30 fiie),

NwSoft Freeware, httpPwwvirnrsoftnet

I Selected

FORSOO

OFIR

J

Windows ForensicAnalysis

NirSofi has released a tool for facilitating review of LSOs. It is called FlashCookiesView and similar to other NirSofi products, defaults to the live system but can be pointed to a mounted directoryJ’l To view flash cookies Select Base Cookies Folder, and browse to the LSO folder within your mounted from an image, select Options image. —

The columns displayed correspond to the data fields stored in the LSO: •

URL: Issuing URL

•

Filename: Name of LSO file

•

Created Time: Time LSO was created on local system

•

Modified Time: Last update of LSO File Size: Size of LSO (up to 100k) File Path: Full path of LSO

Refece [1] http://www.nirsofl.net/utils/flashcookies view.html

168

©2017 Rob Lee

> —

—‘

LU

U)

a

r Z 4*1 ;t:Jf I4 4t 4*1 3*1 o o o ori)I 0 o o o orq 0 1 L Li Li. Li. 4*1

iv

LU

Li)

U) *)

C

w

n i’n iv LU

t

r-.

Q t-.

a)

z*-

ej

ill

rj&.efl

:

:

0 C

in

.

iv

,.

nJ

j= ‘ 1t iv

en

..

r en

r

en

en

CY

(7

..

C)

en

1ts

4*1

0)

4’—

0

e

en

en1 r-aaen 0iive nJ%0

—

a)

en

C

v

e

2

cS cSic5

a

r

iflLflinifl*J4f) 4J

C ijZ :0

0

tflininibcS r\Jr)enrt%o 1,)

en C)

Q en r—

0

10

iuwlrn

en 0

, Li; .U orjo

r

rnjIrn

iv

ct:*:a)fs Li

en

en

Li

—

0 vi

-

:

,t

0

ci r_

C

U..

‘a

iv

c iv r U..

en

en

A”—

—

—

-.

U,

vj

I

0

0Ct

iv

Cei iv Li) t•f;gj ‘a

Li.

i

-

:1’a

ijO-r .*1r*rj Li .ci. 20 cy ci I

ci ci

cY I:b 0

‘—s. Ui

--C

0 1

cc -Li

-ir

iv *0 *0 1-

t...

i...

Li7

0r

E

00

mC)).

U.

AAo

C

cc

c:7’4

vi

*71

c nr j*1b

0

-en -C

-

nSt-(l

‘a DI

*71

C .

iv

Lfl *1

DI iv

J

1) i*

‘a

‘:

*0

X

C C

in

0

.—i MJ

‘—1

A

..

,q—

:0

1%

a

-ar x

‘3 U)

—

*

1

*4

a

.4*1

4*1

4*1

.4*1

.

4*1

0

i I

©2017 Rob Lee

169

• Up to loMB of local storage space per domain, per user: Preferences, keywords, visit tracking, usernames, offline files • No expiration and cleared along with cookies • Firefox: Located in webappstore2 sqlite database • IE / Edge: XML files in the DOMS tore folder • Chrome: SQLite files in Local Storage folder htp

TiLLE

hi

& &th Ewtt SL OD

tU

texom O.kciorqe

&rh

emT&

ThwAfl

Md

[)lc&

Twitter timelines viewed by the user in Chrome Local Storage

&t

qht mt

1556 1S71

1\4ZOO31OO3464QO d22OO35c4?616O{

IdHRNot2Fi%2 jXHRNQt;%2F%2

232

I

lX%BOO6DOOI

36L7 SQLIh, 3.B.O.2

ec 27.0

-

Exk,svr

Nurnbtr

fd,s

et,d

-

07

rttr, 0

FORSOO

OfIR

P3

31

Windows Forensic Ana’ysis

Web Storage, otherwise known as Document Object Model (DOM) Storage, is considered to be a “Super Cookie” in that it provides similar benefits to traditional cookies but greatly expands their capabilities. It is part of the HTML5 specification, and all modern browsers support it. (Safari and Firefox were early adopters.)l, 2 As web applications have become more feature rich and client-side scripting interacts more with data on the local file system, a means to store large amounts of data that can be persistent between individual sessions is needed. Web Storage fills that need but is not well known outside of the web development community. From a forensic perspective, there is a great potential to recover useful artifacts. Each domain can use up to 10MB of disk space to store data on the local system. No specification or requirements exist for data formats, obfuscation, encryption, and so on. However, similar to cookies, all data must be in text format. Thus, data is largely stored in XML and Web-SQL databases. Some sites have been known to store binary data as encoded in Base64 or as Blob types within SQL databases, Data within Web Storage does not expire; although individual applications can choose to prune data. A close cousin to Local Storage is browser fileSystem storage, also part of the HTML5 specification. This API allows persistent storage of binaries (images, native documents, and more) instead of only text. Adoption and use of this feature have been limited. In this slide, we see a Google Chrome Local Storage file for Twitter.com. Among other entries in the SQLite database are notes showing several different Twitter user timelines have been viewed by this user.

170

©2017 Rob Lee

‘7°

Internet Explorer In IE, Web Storage is stored in .XML files under the following directories. Although data can be read directly from the .XML files, it is not always possible to ascertain context (that is, what site they are from) from the files. DOM Store is set up in a similar fashion to the IE Cache. The WebCacheV* dat file (index. dat in IE$/9) manages the DOMStore filenames and the owning sites. It includes creation and the last access timestamps for Web Storage artifacts. .

Windows 7/Windows $ %USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore WindowsXP %USERPROFILE%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore Firefox Firefox saves its Web Storage files in an SQLite database named webappstore2 sqlite. Table columns include the scope (associated domain), the key name, the originating site, and the Web Storage value. .

Web Storage can be cleared by the user from within the browser. It is cleared with the clearing of traditional cookies. In Firefox, the user must select the time range of “Everything” to clear Web Storage.[31 The HTML5 Local Storage Explorer Add-On for F irefox is an excellent tool for getting familiar with Web Storage in that browser. Google Chrome In Google Chrome, web storage is saved in the Local Storage folder within the user profile. Data for each site is stored in individual .SQLite databases. A sample web storage filename for Chrome is http bits .blogs .bytimes comO locaistorage References

[I] http://en.wikipedia.org/wiki/DOM storage [2] Introduction to Web Storage

https://technet.microsofi.com/en-us/library/bgl 42799.aspx https://develo [3] per.mozilla.org/en/DOM/Storage [4] https://addons.mozilla.org/en-US/firefox/addon/foundstone-html5-local-storage/

©2Ol7RobLee

171

3$fl

a

—.1 NJ

7S 1

I

r

I

I

3 t

4

3T

3!ldc,

finN

rw%

fi%

•wvivrIi,yrrir

:0100

01 00 90 % 0

IA)

‘1

3N

III d?

ir

9 to

•MOt$

1

C!

4

6

A

n

to /r

—

np PP

‘°%‘JY

404)

j

—

Mi

H

j

Cn%

nqwt N

3° IUHX

141 j%JO

n

4

n

I

I

apnpx

CnN

‘3

m m

0

n

I’

Lid.

‘.‘.

—

L -qj

(o

øPna

— 7 tO WE a3fl() wnnwnwn

4’ )

Fde

View

Mode

z.

T’, ‘-F:

ti

—

,i

1 ii

,O.J?l.

F qi

°i

2160’ SPMn Docsx rns)son Paradit,o -buciness

-

{‘Ro.;

[{

‘ID

O’,”I ii -Norn& :“C

ale

plun.doLx’, “C inktocation”:”https: \u0021\uoo2tasgardventurecapital my sharepoint corn \uO02tperconal\uOo2fdblake acqard venture ptaI om\u fDoc wntc\u )021 Per .t so t:w,mocs Jç ) me “‘ ii dc c x”,’ F .: t (1 1 I i in ‘ uf)021 n qei ut 02h c.oc x.pt f “i, ‘1”’ 1 -Nor t’ Ca business plan.do x” “C inki ocation”:’https:\uOO2f\uooIfasqardventurE’c apitaLsharepoint.com \uO( Dotumeuts\u002fBucines’ Plans\uOOifCafe Paradiso buness plon.docx ‘Application”-’Word”,’IsPim ed”:”F-,mlse’ ,“I< onUr1””\u002f Iayouts\u007f15 \ mOO2Or !Jes\u 021k c t x.pi ‘] ,{‘ “-“2” if ‘Nan e’ Tir. in b rs.> Isx’ “C mkl c on’.l tips rdve ur c; 21\uO )2fc 1 .ch re nint cmin\tiOOl per’. aI\uOfl)fdhf k actja I -ye m’-ur c

I

i

i-wit

-

.‘

‘-

‘,

“

-

-

1-wi I-

c-mpital corn\u002fDoc.urnentt\u002rTire City Nurnbers.xlsx”,’ AppIication””Excel”,’ IsPinned”: ‘Ealce”/’IconUrl”:”\uOO2t Iayouts\u0021

FQR500

WI dowc rorer-i An-ti>sis

In IE and Edge, Web Storage is stored in .XML files under the following directories. While data can be read directly from the .XML files themselves, it is not always possible to ascertain context (that is, what site they are from) from the files. DOMStore is set up in a similar fashion to the cache. The WebCacheV* dat file (index dat in 1E8/9) manages the DOMStore filenames and the owning sites. It includes creation and last access timestamps for Web Storage artifacts. .

.

Windows 7 / Windows $ %USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore (lE) %USERPROFILE%\AppData\Local\Packages\microsoft .microsof tedge \AC\#! 00 1\MicrosoftEdge\User\Default\DOMStore (Edge)

Windows XP %USERPROFILE%\Local $ettings\Applieation Data\Microsoft\Internet Explorer\DOMStore (IE)

In this example, we see the contents of a .XML file stored for the “My SharePoint” application. This particular document was found first via analysis of the user’s WebCacheV*.dat file. As seen on the slide, the contents of this file could be relevant to our case as we see the “SPMruDocsltemsJson” item contains references to files accessed via the SharePoint application. Recall that DOM Store is stored for each user account so we can tie this file access back to a specific user as well.

©2017 Rob Lee

173

C

*

r a c:j .0

&#fl

-t

I”

r

0c .::.

—

‘C

n t

z

-

I

174

2O17 Rob Lee

annoattrthuteid 7 110W hU’g( was the downh ad.? [Was the download successful?

anno_attributeid 9 ( fileSize) anno_attribute_id 9 f state)__]

Firefox 26+: pkces.sqlite Firefox 3—25: downloads.sqlite • The default download directory is the user’s downloads folder • If the user changes the default, it is set in prefs j s file .

DHR

FORSOO

Windows Forensic Analysis

I

Firefox has a built-in download manager application that keeps a history of every file download by the user. This browser artifact can provide excellent information about what sites a user has been visiting and what kinds of files they have been downloading from them. It is not unheard of to find download histories of hundreds or more files. Downloads occur frequently while browsing, and many users do not pay attention to the history being kept or in some cases, where the files are actually being downloaded to. Imagine having an investigation into a system administrator suspected of running hacking tools on the corporate intranet. If a review of his Firefox download history indicates hacking tools were downloaded, yott have taken a giant step toward solving your case. Starting with Firefox version 26, Mozilla made significant changes to how download history was recorded. Prior to version 26, download history was stored in a standalone database named downloads sqlite. That database has now been deprecated and download history is now stored directly in the places sqlite database. This makes our lives more difficult and we lost some granularity of information in the transition, but luckily most of what we might want is still recorded. The moz annos table now records download metadata and each download will have multiple entries, tied together by their place id. Anno attribute id 7 records the location the file was saved to, annoattributeid 8 records the filename, and anno attribute Id 9 records whether the download was successful (state 1), the time the download ended (in PRTIme), and the final file size in bytes. To determine where the file was downloaded from, cross reference the place id value with the moz,,places table for the full URL. .

.

The default download location is often updated by the user and is stored in the prefs. js file within the Firefox profile folder. Specifically, within this text file the field browser. download, dir holds the user specified directory. (If it doesn’t exist, then the default was not changed.) The value will look like this: useryref (“browser .download. dir”, Settings\\Administrator\\Downloads”);

“C: \\Documents and

You may also notice an additional preference set named browser, download. lastdir. This option shows the download location last chosen by the user (if no default is set). ©2017 Rob Lee

175

‘7

Firefox 3—25

What was the file ‘pe? : t. fl . Jr * d. nOb.: What was the referring page? h.r’ trfi ca J2

mimeType ç

-

What application was used to open the file? dii The 1o”nloi st-rt? When did the download end? ow ira w thE cjovnlo 1?

referrer

tqc preferredApplication

ta tTie endTime

!na’3ytPs

staft

Was the download successful?

The download histoiy is kept within an SQLite database named downloads sqlite. The download history tells us the name of the file downloaded, the URL it was downloaded from, where the file was saved, what application was used to open it, when the file was downloaded, and importantly, whether the download was successful. Firefox also reports on the file type that was downloaded as well as what the referring site was that provided the link for the download (particularly useful if the file is located on a different domain than where its link is). .

There have not been many tools written to parse firefox download history, though Nir$oft has one named FirefoxDownloadsView. [1] Even without a dedicated tool, it is straightforward to parse the SQLite database manually, using a tool like the Firefox SQLite Manager plug-in (covered in a separate slide). If you do a manual review, remember that most times in firefox (including downloads sqlite) are stored in PRTIME format. .

Users often download files and either forget that they downloaded them, or can’t find where their default download directory is located. Identifying where the default download directory is located and reviewing its content can be helpful to an investigation. The default download directory in Firefox is %USERPROFILE%\Downloads\

176

©2017 Rob Lee

Firefox 1.5/2

The download history is kept in a text/XML file named downloads rdf in Firefox 2J21 .

What was

ti

file type?

Where was the file downloaded from?

URL

What wa the referring page Where was the file saved?

N/A

app

\,vii_d

File

the file?

N/A

did

How large was the download? Was the download successft l?

N/A

DownloadState

Parsing the XML in this file is relatively easy to review within a text editor. Keep in mind that downloads rdf keeps time information in local machine time. .

[1] hftp ://www.nirsofi.net/uti ls/firefox_downl oads view .htm I [2] http://kb.mozillazine.org/Downloads.rdf

©2017 Rob Lee

177

What was the file name? Where was the file downloaded from? Where was the file saved? When did the download end? How large was the download? Was the. download successful? Search

an no_attribute_i d content

TABLE mozannos

place_id

anno attribute id 8

place_id (ref. moz places)

(endTime)

anno attribute id 7 annoattributeid 9

(state)

annoattributeid 9 (filesize) annoattrthuteid 9 ShowA!l

1vebbrowserpassview(1).zip

jfiie:11/c:iuse rs,1za n sforensic s408/D c:vtinl oa d s/webbro’øvs e rpa ssview(1 ) .zip

18

${“state” :1,”endTirne”:140539541 5673,”file Size’t:230085 }

1

54

1

.54

.54

a)

a) -J

C

n

N-

0

©

N-

h’’

hd

.

Imq.

[iz

.

E

• .ccitc.t-

T H

•i ..t

t t 1

7t 3

t.1

S

a

415

Ci/’/ /J r

i

i

Hmr P* L

r -n tK

.1, ndTm

4O’D

deS

}

nlo..a.,

.

Shrd

•r,4

4”:ii

,.,

mtrPDF 2.52 rll

t

1e336St

nl

.qtZ

un.t PDF 2. 2

SQUte 3.8.3.1

--

.r

r

}

t1

d lt..e. h&.gMi

DFIR

FOR500

Windowc Foren ,ic Anal ‘ss

•9

Investigating the Firefox download history gives us a good opportunity to present a useful tool in understanding the F irefox SQL1te database format. SQLite Manager is a plugin that can be downloaded and installed within the Firefox browserJ11 When installed, it is accessed via the right-side pull-down menu. (You may need to select Customize to add it to your F irefox menu.) Upon execution, it opens up a new window similar to the one displayed on this slide. SQLite manager allows us to interact with any SQLite database, including the ones utilized by Firefox and Google Chrome. We can see on the slide that we have opened the places sqilte file and have access to all the tables and fields within that database. This view is contrasted with what the user sees within the firefox download manager, and we see that the data matches in both, with the places. sqlite providing similar information about the download history. .

When investigating download history, a good place to start is the moz annos table within places sqlite. This provides the filename, save location, time (when the download ended) and file size information. One field in the mozannos table worth expounding on is the state field. This field tells us if the download is successful. The following key translates state values into download results: .

1 2 3 4

=

=

Successful download Error occurred during download; aborted Download cancelled Download paused

The only information missing from this table is where the file was downloaded from. To get this information it is necessary to take the place id field and find it within the mozplaces table. This table records visited URLs (including the time and day they were visited). You see that downloads in the mozplaces will be tagged as Type 7, meaning a download was attempted. Reference

[1] https://addons.rnozilla.org/en-US/firefox/addon/5$ 17

©2017 Rob Lee

179

D

4 !. 4 4 jw

Co

;;

;

3

‘.3

N

1N

N

N

N

1N

(N

t4

1N

.33

—

r

>




—

Tab information for session that was live during last Firefox update

In older versions of Firefox, examiners may also find a file named sessionstore bak. This file contains a previous copy of the sessions tore. is file and can be parsed in exactly the same manner. .

Although there are few open-source options to parse this data, there is some commercial tool support and the good news is that the format is text-based and easy to parse. A JSON editor can make the format much more understandable. Reference [I] http://kb.mozillazine.org/Session Restore [2j https://wiki.mozilla.org/Session Restore

186

©2017 Rob Lee

• Firefox makes it simple to auto-clear browser artifacts • Preferences stored in prefs j $ file .

c, cV4 Ht r

n.

& erch H r

zc Pcf rwe

-

zz,N[, r

-

-.

.

ii

ivy

.

-‘‘r

‘p 1’c’ “i’’.

-

S.mtdu. co:is, Jt :n.nrdt;’”

s

.

t.

.-

f

fl

1 ; .

i.:.. :‘t-, t’ pri’.y. caniti. ci.i I SfttdC,-.fl”, true) -

.1F

fl!Ef’’

DFIR

FORSOO

I

Windows ForensicAnalysis

The Privacy tab located within the Options menu item in Firefox provides several options for users to customize how their data is stored within Firefox. We see in the slide that history data is currently set to the default, 90 days. Setting this to zero or unchecking the box would effectively prevent history information from being recorded. The same goes for auto-complete information and download history located in that same section. Starting with Firefox 4, this option was removed and FF now automatically determines how much history to store based on system speed and the amount of memory. This could lead to even more history information being stored by the browser. Within the Private Data section in the Privacy tab is the option to clear private data whenever the browser is closed. This option can seriously impact the amount of data located within browser artifact files, When this option is selected, users can select exactly what will be cleared and what remains. The options and what Firefox files they affect follow: • • • • • • • •

Browsing History: Clears the history information and location bar auto-complete information (history.dat / places.sqlite) Download History: Clears the history data in the download manager (downloads.rdf/places.sqlite) Saved Form and Search History: Clears form data autocomplete and the search bar autocomplete (fomihistoiy.dat/formhistory.sqlite) Cache: Deletes all cache files in the cache directory Cookies: Removes all saved cookies (cookies.txt/cookies.sqlite) Ofifine Website Data: Deletes all cache files within the offline cache directory Saved Passwords: Clears all data saved in the Password Manager application (signons2.txt/signons3.txt) Authenticated Sessions: Deletes all session cookies from memory

Any selections made within this tab will be stored in the users’ prefs js file within their profile folder.11 .

Reference

[1] http://kb.mozillazine.org/Category:Security and privacy-related preferences

©2017 Rob Lee

187

General

Tabs

Content

Apptcaticns

Privacy Security

Sync

Advanced

5eytsngs.

Help

Let:9Cs for Cistvo

cookies

When I quit Firefo; it should automatically clear all: History Active ogins I Qche

Qffline Website Data

DcwnThemAlfl

fleip

history & queue Cance

user_pref(”pnivacy. clearDnShutdown .forrndata”, false);

user preP (“privacy. clearOnShutdoiun cookies”, false);

OK

ite Preferences

Saved Passwords

Oata

Ecrni & Search History

Qownload History

4 frowslng History

£xcepbons..

it Tell web sites I do not went to be tracked

Trackmg

Ueecustoni setbngsfor history

Cancel

li

thow Cookies

I

earsa

History Sirefox wilL Lermanent Priacte Browsog mode Remember my browsing h!stow I Remember download histoN I Remember search and torm histcn’

5ccept cookies from sites

they esput

I Acept thirdparty cookies

teep untiL

History end Bookmarks

it Clear history when Firetox doses Location Bar When using the locabon bar, suggest

OK

user_pref( “privacy. clearOnShutdown. sessions”, false); userpref(fr*privacy. sanitize .migrateFx3Prefs”, true); user_pref(” privacy. sanitize. sanitizeOnShutdown”, true);

a)

0

-o

0) -J

N

I

0

©

GD GD

n

r

H

ES t

t

CookieSwap createdbyStaeTyc

M

XSS Me created by Secubty C0mp2ss

User Agent Switcher

• FiackBar P P 0 X

DFIR

ORSOD

I

Wrdows Forens Analy 1

Extensions, or plugins, are one of the key items that have fueled the adoption of Firefox. There are thousands of third-party applications that can be loaded into F irefox to build upon its functionality. We have already covered one such plugin, SQLite Manager. Knowing what extensions have been loaded by a user may be of use to an investigator. One example would be if an application such as Add N Edit Cookies is present, which enables users to intercept and manipulate cookies passed to websites. An application such as Firebug could be an indication that a user is interested in web application hacking (or maybe just a web developer). Cataloging a user’s extensions is an additional way that an investigator can profile the usage of the person they are investigating.

©2017 Rob Lee

189

189

• Extensions are applications that can be downloaded by a user to extend the functionality of firefox: Can give information about how browser was used or where to look for additional browser artifacts id*

What extensions were installed?

Version sourceURl ins tailDate

What version of extension? Extension information page? When was the extension installed? When was the extension last upthted? Was the extension enabled?

updateDate active

id should he cross-referenced with addons.sqlite

*

FORSOO I Windows ForenskAnalysis

DEIR

Starting with Firefox 4, extension information is stored in an SQLite database.[1] Similar to what occurred with other Firefox artifacts, this move resulted in even more information being stored, giving us new artifacts like install date and update date, and whether the extension was enabled. A majority of the useful information is stored within extensions. sqlite, but investigators should note that addons sqlite should also be referenced. Addons. sqlite has more a human-readable extension name and description information. The id value maps .

extensions sqlite entries with those in addons sqlite. .

.

Firefox 1.5—3

Through Firefox version 3, extensions rdf was used as a global list of all extensions installed for that Firefox profile.12] In addition, each installed extension is required to have a file named install rdf, typically located in the extensions directory in the user’s Firefox profile.[3] The information contained in both files is identical and is kept in XML format, making the files easy to review within a text editor, When an extension is removed (uninstalled), the install rdf file is deleted and the entries within the extensions rdf are removed. .

.

.

.

What extensions were installed? What version of extension? Extension information page? When was the extension installed? When was the extension last updated?

version

homepageuRL N/A

N/A N/A

Was the extension enabled?

190

name

©2017 Rob Lee

9Q

The extensions rdf file can provide several pieces of information that can make an analysis of the installed plugins easier .

Name: The registered name for the extension (can be used to perform Internet searches to learn more) Version: The installed version number of the extension HomepageURL: The home page for the extension (if it exists) References

[1] http://kb.mozilIazine.org/Unable to install hernes or extensions-firefox [2] http://kb.mozillazine.org/Uninstallingextensions [3] http://kb.mozillazine.org/lnstall.rdf

©2017 Rob Lee

191

Identify Firefox version and profile locations

1.

a) Recall that both local and roaming folders are used b) Identify how many Firefox profiles are present for the user c) Check FF privacy preferences if SQLIIe files are small or missing

2. Review browser arl:ifacts, starting with history a) b) c) d)

Use specialized parsing tools to parse key browser artifacts Each artifact can answer questions in a slightly different way Do not be afraid to open $QLite databases! Consider carving for deleted records

3. Record/export elev’ nt information and files FOPS

U fl

Vir..

o

.

si

n

‘

is

There are a lot of moving pieces that make up the Firefox browser, but our analysis strategy is straightforward. Our first step is to confirm that Firefox is installed on the system we are reviewing and determine where in the directory structure its key artifact files are located. When found, a quick look for file extensions (.dat versus .sqlite) tells the investigator what major version of the browser they will be analyzing. Luckily, Firefox keeps all its files in one place (actually, two places if you recall that the cache is in the %AppData%\Local folder). Recall that Firefox has Profiles folders in two locations for each user: one in the local folder and one in the roaming folder. Users can have multiple Firefox profiles, and each will be located under the Profiles folder, After the folders are identified, take a quick look to ensure you have all files that you expect. If files are missing or appear small in size, the user could be deleting browser data using privacy settings, mantially deleting files, or simply not using Firefox. When conducting browser artifact analysis, a good rule of thumb is to start with the browser history file. This should give the investigator a good overview of Internet activity on the system. Each additional artifact reviewed should build upon this foundation and continue to flesh out the user activity profile. Remember that some artifacts may keep data longer than others, and some may be regularly cleared by the user. The breadth of information provided by the available artifacts frequently gives more than one way to prove Internet activity. Finally, keep good notes and save or export any relevant findings from the analysis. On frequently used systems, the amount of data found within browser artifacts can be enormous. It is important to take detailed notes and export data as you go because you will likely be using an iterative process and returning to browser data files as you discover key findings. Most forensic tools, including the NirSoft tools introduced here, have a means to select relevant data and save it to an external file.

192

©2017 Rob Lee

9

_CACHE

10/17/2013 9:21:21,,, 10/17 ‘01’ 9:21:30,.,

LVIJ

10/1W2013 9:20:32,..

10/17/2013 917:46,., 1017/2013 9:19:40.,, 1041712013 9:20:25,,.

Server Last Modified

V

A

Ii

C • Renders HTML pages and intercepts image requests: If image exists in cache, it is included • Available for Chrome, IEio+, and Firefox

• Uses only data available in cache:

i

Fe:,Jr F

I46

I Y9 iciirs Hume

I

• Does not access Internet

• NetAnalysis and IEf can also rebuild pages

ci

j

it

c.

1’

N& £rr,w:r

frex

--

ee

Reference Oueeton

What does Disk Defragmenter Cleanup exactly DO?

r wtcenecnctteareceuk

Tunezoner

UtC

http://www.forensicsoftwa;e.co.uk/FreeToo1s.aspx

DF11. A relatively niche capability of some browser forensic tools is web page rebuilding. To accomplish this, the tool scours the browser cache to rebuild HTML pages, including any component parts still available in the cache. As we have talked about, the cache is an imperfect collection of where a user has been, but when the proper components exist, the results can be a near-complete view of what a page looked like when it was visited. In fact, you often find versions of pages that no longer exist on the actual sites (caused by the current site changing since it was last cached by the browser). Seeing the page as the user once did can be a compelling piece of evidence. Most tools with this feature are commercial, including NetAnalysis and Internet Evidence Finder, but foxton recently released a free version of their commercial Browser History Examiner tool that can perform web page rebuilding, as shown on this slide.[’] The tool pulls history data and can reconstruct pages from Google Chrome, firefox (both old and cache version 2), and lEl 0+. Some notes on Browser History Viewer: It should be run as administrator and some previous versions had issues running against mounted images. (One workaround is to mount as Read/Write in FTK Imager.) It does not show the complete copy of the cache, only images and those components found to match rebuilt pages are displayed. Reference

[I]

206

http ://www.forensic-sofiware.co.uk!FreeTools.aspx

©2017 Rob Lee

CD CD

r

0 0

-4

0

0 NJ

I

I

Cptkns

Fhter Feip

URL

Mad -

rute

News

wv;wSotenslcsoftwareco.uk

I categories

Actl\4ties

iswers Home

YAHOO! ANSWI RS

Home -

>

rfvzare

Finance

>

Games

Grout

P/I 117 records

=

Weather

11

Reference Question

-

Viewfr’%

hiteretBflr

Mi

Fl

A

Time zone: UTC

>

What does Disk Defragmenter Cleanup exactly DO?

Intstnet

Sports

Page2o’23

43117

r” F:

9/I0/2C#3Ci :595 http’asebecom!2O13/O%/3CAc I

ET:W

Firefox

Fetch FUe Size Web Browser 45669

I

3

DC/I W20% 22:07 %i hhp://esonqacomf

Last Fetched

Webste istory Cached mages EE&ea web Pages

Fie

II

i

1!

History • Visited sites Search engine typing (keyword search terms) Web Data • Items typed into web forms Shortcuts • What was typed into “Omnibox” Network Action Predictor • Items prefetched and triggered by typing FORSOO j Windows Forensic AnalysIs

DfIR

It is remarkable just how many databases and tables in Chrome are dedicated to recording what a user has typed. In our discussion of Internet Explorer, we covered Typed URLS but Chrome takes things to another level. We previously saw the History database and the keyword_search_terms table recording items typed into various search engines. (I wonder why Google cares about that?) The Web Data SQLite database contains autofihl information for web forms, including separate tables for emails, names, phones, credit cards, and logins. The Shortcuts SQLite database can contain a wealth of information because it records what was typed in the Chrome URL address bar (Omnibox). This is a core part of Chrome in that it is used to do everything from typing a URL directly to sending search terms to your search engine of choice. The Omnibox attempts to anticipate what a user is asking for and hence also records last access times and hit counts for sites visited using specific keywords. A final SQLite database, Network Action Predictor, is employed when the option to “Prefetch resources to load pages more quickly” is enabled. It records letter by letter what was typed, what was prefetched, and how often the browser was correct in anticipating what site the user ultimately was looking for, When available, it provides a fascinating look into how the browser was used. Keep in mind that if prefetching is turned on in the browser, items like cookies may be stored on the local system, even for pages never visited by the user. Thus, it is worth checking this database to determine the prefetching status and see what pages were actually visited (number of hits field) versus those not visited (number of misses field).

208

©2017 Rob Lee

205

• four database files comprise session/tab recovery • Current Session & Current Tabs • Last Session & Last Tabs

• AU four databases use SNS$ (session saver) format • few tools currently parse this format • Internet Evidence Finder • NetAnalysis • Strings (?) OFIR

FORSOO

-

Windows Forensic Analysis

Chrome records a wealth of data regarding the current and last browser sessions accomplished using the browser. This information is stored between four different databases: Current Session, Current Tabs, Last Session, and Last Tabs. These files facilitate recovery operations should the browser crash, in addition to user-facing features like undoing tab closure and viewing the most recently closed tabs (as seen in the graphic on this slide). Data is stored in SNSS format (also called session saver format). These databases can provide a lucrative place to reconstruct prior browser activity. They record tab contents and history, including URL, original URL (if redirected), referring page, page title, visit count, form data, and even page transition type. [‘1 The current session/tab data reflects some of the most recent activity in the browser. At certain trigger points, Chrome will flush current page and tab information into these files. The last session/tab databases are usually written when the browser was last closed, but there are some exceptions. Comments from the chromium codebase describe the process: [21 “SessionService is responsible for maintaining the state of open windows and tabs so that they can be restored at a later date. The state of the currently open browsers is referred to as the current session. SessionService supports restoring from the last session. The last session typically corresponds to the last run of the browser, but not always. For example, if the user has a tabbed browser and app window running, closes the tabbed browser, then creates a new tabbed browser the current session is made the last session and the cttrrent session reset. This is done to provide the illusion that app windows run in separate processes. Similar behavior occurs with incognito windows. SessionService itself maintains a set of SessionCommands that allow SessionService to rebuild the open state of the browser (as SessionWindow, SessionTab, and SerializedNavigationEntry). The commands are periodically flushed to SessionBackend and written to a file. Every so often SessionService rebuilds the contents of the file from the open state of the browser.”

©2017 Rob Lee

209

209

While there have been several open source projects created to parse the SNSS format, none currently have complete tools. Even commercial tools have only recently started to support the format. Two tools known to support SNSS parsing are 1EF and NetAnalysis. If all else fails, history and form information can be recovered via simple string searches of the files. Much of the SNSS format uses simple strings for storage. While this last resort option will not return rich metadata around findings like transition type and visit count, it is usually enough for an investigator to get a feel for whether it is worth digging deeper. [1] hftps://www.ccIgroupltd.com/chrome-session-and-tabsfiles-and-the-puzzle-of-the-pickle [2] https ://src chrorni urn. org/vi ewvc/chrome/trunk/src/chrorne/browser/sessions/session service. h .

210

©2017 Rob Lee

fl BE Report Vcewer

Recovered MIecie

t—’

Er

Stark

Ceart

Web R&ated Berweer ?dhrty

1

irtp

.

rote

4

cr r’.rr cc

1

..P1 ii

Dame AAoM Chrome Bookmarks

S Chrome Cache Recreda DtrermeCcoidee

x

53 0Tp

o-Lc

4

km r

/

zazvrrv

DFIR

FOR500

Wi dows Forensic Analysis

This example shows Chrome session recovery data as identified in Internet Evidence Finder. Note the identified artifacts from the session databases and the location of the database currently highlighted “Last Session.”

©2017 Rob Lee

211

2W

til iEFPoocrtLiu::cr Sedence

[:efajt Er:c:r;

Last Voted Date. T

Search USe

10:21 2013 bOOsts. NFLeom Cfhcrat Site

GoTo# #

httpwnfLcom:

19 27:2213 La 3911

Fantasy Fxrtbaft Free

Ttte

1 http

10 %V%013 100929

Count

2

http zwww nfl com 4a

1023201213 33:38

Reermered dedacts

134 3

http:fantasyr11 ccrn.

Chrorre AhofrI

BrcwserSictvrty

Wec Reated

20

4

www cr3 corn

25 C

5hzno BooKmarks

Go To Page

Showing recu!ts 1 £ .of 6

4557

i!Uhii

12 URL

Øt Chrocre Cookies r3 Dccc me Current Sesson 6

1337

Gnome Cache Records

/

f Gnome Corrent Tabs

Last Vrsited Date Trrne UTC) (MMdtFyvl,v)

13/20 2013 tO 02:45 PV

1%

not fourS

• rot fcur:cr

—

htCcurt

c:

1%

:
stringsexe “E:\[root]\Users\Donald\AppData\Local\

oogle\Chrome\User Data\Default\Last Session”

Strings v2.51 copyright (C) 19992O13 Mark Russinovich Sysinternals www5sysinternals. corn -

N5 P 3A0.. 4A4J

hi t

[.j

:flT

i. t

n:

I

•

Pii 3 :a.ta: t*.xt I —

t

p

.

h t13 http FL.corn ?DPti 3

B22tJ flAFDEP( 3[’2B6

.

ml cim orm-whda La nfl a t .

111

t.

irnr

h I

C Cl.

fltfiial

Site or the

iolal Fotball t rque

L P ii

tr

-

h tp \FL LOIb .

.

.

nf

0tH

c

-

a

‘l,r—

om al i

tt

of

he .at i onal Football leaque

DFIR

F0R500

Windows Forensic Analysic

In this example, we see strings from the same database parsed via IEF. While some important metadata is lost, URLs and page titles are clearly available. This output was created using the free Sysinternals “strings.exe” tool.

©2017 Rob Lee

213

213

Command P:cmpt stnngsexe EC[root’.Uset DonaidrpData Loca[Gccqc Crcmc Uaer Data Defau!t’ Lart Se;icn

—

9

\Forensi c Program Fl I es\command line tools>strl ngs.exe “E:\[root]\Users\Donald\AppData\Local

oogle\Chrome\User Data\Default\Last Session”

-

Strings v2.51 copyright Cc) 1999—2013 Mark Russinovich wwwsysinternalscorn Sysinternals SNSS 659F2E9A_F3A&AA4 &8220_OAFDEBcSD2B6

*

*

http: ,‘i’nf I corn,’ http: //nfl corn! http://nf 1 corn/ LP13

r

?BPQ-i3

-

-

Official Site of the National Football League

data: text/html , chromewebdata http: //www, nfl corn! Official Site of the National Football League NFL-corn http: //www. nfl corn/ http: I/nfl corn! NFL.corn ?DP@-i3

EP@i3

-

data: text/html , ch rornewebdata http: //mw. nfl corn/ Official Site of the National Football Leaque NFL.com

A

-g

©

C

CN

Chrome Sync ran save your bookmarks, history. passwords. and other settings securety to your GooCe Account arid allow you Ii re cuss Them truer Chrome on army devso Tr€ counts hetow represent all stored items sctudmng Prose not vrsibie me ChromeApps

Settmnas

Autotmil

mass

Omnibox History

souTh

The Preferences ifie shows synchronization status, last sync time, and artifacts selected to sync UFIR

FORSOO

I

Windows ForensicAnalysis

Chrome synchronization was an eagerly anticipated feature in the user community, particularly among Android users. Chrome attempts to turn on synchronization by default. (Users are given an option during installation.) These two factors lead to it being enabled on a large number of devices. Assuming synchronization is enabled, when a user signs into multiple devices with their Google account, artifacts are immediately collected and synced via cloud storage. Interestingly, artifacts can be copied to remote systems even if Chrome is not currently running. If you would like to investigate your currently synchronized data on a running instance of Chrome, visit chrome: //syncinterna1s/ in your browser. A great way to learn about synchronization is to install a fresh version of Chrome (or run Chrome from the command line with the --profile-directoiy=”NewProfile” option) within a virtual machine and sign in using your Google account. With a new profile, any data present will be due to synchronization, making it easy to identify synchronized artifacts present in the Chrome database files,

©2017 Rob Lee

215

2$

I he ( hmme PrerereflOeS Ii Ic SIlL LU Id he ft’ViC ed (ti delerm JUL’ ii nehFLIU I/HI IOU IS L’UahtCd. 1 ktaiise s nctlroni/.ed de iceN. I he pie terenees are also svneed si nu tar in lormation shI.luld he pI•esent on all 1)1’ opt ions which mci udes granular Preferences tile is in i S( )N lonuat. I .ook kw the sync’’ cot led ion Ii L 11 LI LIII it d 1 1 I 00 IlidI ta.inc io_ I, III [hI I ast II UI It I I y flCO( ILh 111111 ns pt 0.1111 liii tile lolki 5. ilL’ aillilie .-c e1 Ii_Iii1ZIIlai/ett ‘

216

It)2Q17Roh[ee

II)

What Is Synced?

What Is Not Synced?

• History

• Download History • Cookies

visit_count, typed count, last visit time

keyword search terms

• Bookmarks • Preferences • Extensions

• Shortcuts (Omnibox typed) • Network Action Predictor

• Passwords (encrypted)

• Tabs?

• Web Data (auto-complete) • Top Sites (+Thumbnails)

DFIR

FOR500

Wirdows F rensi Analysis

The big question is what does Chrome synchronize? And the answer is a lot! The full 90 days of history information is synchronized between Chrome instances; although, some information such as referrer (from visit) and visit_duration is lost in the transfer and some visits entries with particular page transition types may not be copied. (visit count, typed count, and last visit time are copied.) Depending on user choice, bookmarks, preferences, extensions, passwords, auto-complete, and Top Sites plus corresponding thumbnails are all potentially shared among synchronized browsers. Several important artifacts are not currently synchronized. Download history, cookies, keywords typed into search engines (keyword search terms), keywords typed into the Omnibox (Shortcuts database) and prefetched data analytics (Network Action Predictor) are all kept oniy locally. Although Tabs present on remote systems are definitely available for view between synced Chrome browsers, it is unknown whether the Tab data is proactively synced to the local system’s databases. More research must be done here.

©2017 Rob Lee

217

217

I ru r ThLiE (1)

1

‘

;uu

—

0 Foreign

keyto

I

Qrigiiof

s

IL

Jo Jo

visit cuurc.

User

3

firefox Import

4

11 1;

5

Safari Impoil

Brmvsed

.‘,

)‘fl”fltI.

4

1

Pt

ri

• The visit source table identifies synced history entries via the source field to synced to local) c s a e o e dffc it disc Ot e s ce a DFIR

FORSOO

J

Windows ForensicAnalysis

218

Synchronized data can complicate our analysis by making it difficult to determine if relevant artifacts were created on the local system or copied from elsewhere. Luckily, Chrome makes it easy to determine what history information was synced (copied from a remote Chrome instance). The secret to ttnlocking this information is in the visit source table. This simple table has a foreign key named id and a corresponding source field. The id field in g visit_source references the id field in the visits table, providing origination information for the correspondin originated:[’l entry the where from us tells source in present entry. As shown on the slide, the value Source 0: Visits synchronized from other remote Chrome instances Source 1: Visits caused through local user activity (believed to be unused)

Source 2: Visits spawned via a Chrome extension (no user interaction) Source 3: Data imported from Firefox SrccA: Data imported from Internet Explorer Source 5: Data imported from Safari Note that the visit_source table will not reference every id in the visits table, This is because any visits that occurred locally (by user behavior on that particular system) will not be recorded in the visit_source table. Technically, these visits would be source type 1, but they are specifically not written to the table for efficiency purposes. Thus, the visit_source table will record only information for entries that were brought into the browser from elsewhere, which is exactly what we would prefer. You may also notice that visits entries originating from external sources do not record from visit (referrer) or visit duration. However, many locally generated entries also exhibit this characteristic, so the visit_source table is still the definitive location to make a local versus synchronized determination. Unfortunately, we are not so lucky with other synchronized artifacts such as bookmarks, preferences, extensions, Top Sites, and auto-complete information. For some of these artifacts, timestamps could be matched with known History sync times and URLs to make a determination, Reference

[1] https ://code .google com/p/chromium/codesearch#chrom ium/src/components/history/core/browser/histoiy types .h .

218

©2017 Rob Lee

N)

(0

visits

visit_source

uris

seqments

segment_usage

CD CD

r

meta

Ieynord_search_ter..,

downioads_uri_cha:.

downlo ads

149)

0 0

—1

0

© N)

aTables

Master Table (1)

ory

jig

:1%

1%

hindslght.py -i “C:\Users\Ryan\AppData\Local\Google Chrome\User Data\Detault” -o test_case

optional arguments:

Internet history forensics for Google Chrome/Chromium. ;Jhis script parses the files in the Chrome data folder, runs various plugins against the data, and then outputs the results in a spreadsheet.

Ellindsight

Internet Histor%-

History, Top

SQLite

,

Archived Hxsory data_#,f######

N/A

Cookies/Local Storage folder Bookmarks, Bookmarks bak

SQLite

History

SQLite

History, Web Data, Network Action Predictor

SQLite

Installed Extensions

Preferences/Extensions Folder

JSON

Session Recovery

Current Session, Current Tabs

SNSS

Synchronization

SyncData sqlite3

Cache Files Cookies/Web Storage Bookmarks Download History

Auto-Complete/ Form History

.

JSON

Last Session, Last Tabs

FQR500

DFIR

SQLite

I Windows Forensic .Analysis

When an examiner understands the underlying artifacts and has reliable tools to work with, the process for performing browser forensics on any of the major browsers is quite similar. This slide shows an aggregate view of the various artifacts an investigator may be interested in and which Chrome database files hold that information. The vast majority of Chrome artifacts exist in $QLite databases. We have seen how easy those databases are to open and explore. JSON is used for the Bookmarks and Preferences files. JSON is a text-based format that can be easily opened and reviewed in your favorite editor. The Preferences file, in general, is worth reviewing because, in addition to showing installed extension settings, it can also identif,’ the user’s homepage, pinned tabs, synchronization options, and privacy settings. The browser wars are back, and each browser application is innovating to gain market share. The results of these innovations are often features, and features often leave useful artifacts. Unfortunately, they just as often break our forensic tools. We should expect big changes in all the browsers, and it is imperative that examiners keep up with the latest changes and test their tools to make sure they are incorporating new information (or at a minimum not under-reporting the well-known data locations). There is no “easy button” here, but with this training, updated tools, and a healthy dose of curiosity, you can stay ahead of things and continue to incorporate all these new artifacts into your cases. Just don’t forget to share what you have learned!

224

I

©2017 Rob Lee

224

Thdent

13fIR

FQRSOO

Windows ForensicAnalysis

The browser universe is growing, with multiple new browsers released yearly. However, web browsers are complex, and much of the code necessary is already available as open source. It rarely makes sense for a new browser (even one designed for a mobile platform) to start completely over. Thus, the majority of browsers you are likely to encounter are based around the web engine frameworks we covered in this course. WebKit has the most penetration, with the new Blink fork quickly becoming the go-to codebase from which to build. Firefox remains on the Gecko engine, and Microsoft has traditionally decided to build their own. The Edge browser was a radical departure for Microsoft in that it is built on a completely new web engine. This homogeneity makes our lives easier. If you can accomplish Chrome browser forensics, you will find Opera or Vivaldi to be quite similar. In fact, a common problem when carving artifacts from free space on disk or in memory is determining just what specific browser they came from! A good set of tools and the ability to manually parse databases is all you need to investigatenearly any browser you are likely to encounter.

©2017 Rob Lee

225

225

FORSOO

DFIR This page intentionally lefi blank.

226

©2017 Rob Lee

I

Windows Forensic Analysis

226

e

P

e

d

• InPrivate browsing mode affects all browser artifacts: • Enabled via the Tools menu orby • Opens a new browser session with tighter artifact restrictions

• History information for the session is not saved: • Recovery tabs are saved and can re-create complete sessions

• Cookie files are not created while in InPrivate Mode: • All cookies are treated as session cookies

TypedURLs and Form data are not saved

• Cache files are created but deleted at end of session • Can be disabled using Group Policy or via the registry DFIR

FOR500

I

Whidows ForensvAnalysis

InPrivate Browsing mode was a significant addition to Internet Explorer and continues in a similar implementation

in the Edge browser. Dubbed “Porn Mode” by the press, it allows a user to shift into a private mode for browsing

sensitive data. [I] fueling this designation was the fact that InPrivate mode cannot be entered when parental controls are activated on the browser. When engaged, InPrivate creates a new user session and takes extra steps to try not to save browser artifacts for the duration of the session. InPrivate mode does an okay job of reducing the number of artifacts stored during a browsing session. Browser history information is removed from the corresponding WebCacheV*.dat or index.dat file. However, automatic crash recovery tabs are still created and can re-create complete sessions. Instead of storing cookies to disk, all cookies are converted to session cookies, meaning they are stored only in memoly. Form data is not saved to Protected Storage or the Windows Vault. The InPrivate implementation still creates cache files as usual during the browsing session, Upon ending the session, all related cache files are deleted. Upon installation, InPrivate mode is activated for all users. System administrators can disable this option using either Group Policy or by directory modiing the system registry. The GPO policy is found in Administrative Templates/Windows Components/Internet Explorer/InPrivate/Turn off InPrivate Browsing. The registry key controlling lnPrivate access is HKLM/Software/Policies/Microsoft/Internet Explorer/Privacy/EnablelnPrivateBrowsing. Reference [I] http://www.microsoft.com/windows/internet-explorer/features/browse-privately .aspx

©2017 Rob Lee

227

• Some artifacts can be recovered via file undeletion: • Cache files • Automatic Crash (Session) Recovery files

• Residue from all other artifacts can still be found: • Unallocated space/Pagefile.sys a i cc DeteFTKmçjer3 ‘,O,5 Memory

D

X

EdenceTree ,J ‘;j C

CetnA 4

) IPilee5Cache

Diad1

Nrn ccverStore.’E11E5At5’&4,tht K K t33BOB5 BA 11E5’82AE’4R55A34det E”” ( ReceStcre(fl63AD4 BA43 lIES 4 K FF[]BSEFB45IlE5-42AE24%B5u47S)dt 4ilE5%E’4d,t (rilE B42’EA4IIE552AE Recc’esyStcre (D45 BSCB445I1 E5’4E’5SIs4E353M4,dt FileSb& S455A473dt DB2’E74A’l I E5’B2AE’

SaC

O

Cfl1

C

14 CC CF CC IC C 61 CS’N CS 65 CS CC

FOR500

OFJR

Srø

DteMcthFed 5

RurFe

4 4 Regbr File 4 File Sbck

1:251F1’%454AM

1,1il’2c16 I44 44 P11

u

CC

Windows Forensic Analysis

Microsoft advises that InPrivate mode was never designed to prevent artifact recovery using computer forensic tools. Forensic techniques are powerful and given the current Windows architecture, any attempt at making a forensic-proof application would almost certainly be doomed to failure. As such, we should expect to be relatively successful at recovering information from InPrivate sessions. Luckily, some of our most important artifacts are the least protected by InPrivate mode. Both cache and Session Recovery files are written to disk and removed via simple deletion at the end of a session. lnPrivate browsing does

are often not not wipe any artifacts. If the browser happens to crash or the system power fails, these artifacts

deleted at all. The Session Recovery files, in particular, are extremely valuable because not only can they provide what the an excellent summary of sites visited during the InPrivate session, they can also be used to reconstruct and stopped. tabs looked like and provide information on when the session started This slide shows an example of an InPrivate session that was started during an existing browser session. When InPrivate kicked off, a second set of Session Recovery Files were created and maintained. When the InPrivate were session was closed, those recovery files were deleted as seen using FTK Irnager. In this case, it appears there that opens te tab about:lnPriva two tabs opened in the InPrivate session. The highlighted file shows the original when a new InPrivate session has begun. can be (at So what about IE History, Cookies, and Form Data? All these artifacts are tracked in memory and thus and Pagefile the in residue see least partially) recovered from a memory image. In addition, we would expect to case, this In memory. virtual ultimately in unallocated space when artifacts are paged out of RAM and placed into artifact of measure InPrivate browsing does make our analysis more difficult because we often lose some be attribution and metadata when doing low-level recovery in unallocated areas and memory’. Regardless, it would mode. InPrivate difficult indeed to completely hide web browsing activity, even using something such as

228

©2017 Rob Lee

‘-

Co

NJ NJ

CD

r CD

0 0

-4

C

© NJ

node H&p

For User Guide, press Fl

?tppData ocaICache

lenip

lAcrosoftEdge ErgPageDataCache ,,; Cache J Cookies J Cottanakssist ZJ Hstcry ; lEConipatCacke j lECompatUaCache ,j IEEp?headCache j PiayReady j UdEllock j User hI .j Defauft + J) DataStore j DornainSuggestrons L:t DowntoadRstory j Favorites j imageStere Recovery tActve

Evidence Tree

E;e

Vrew

LI AccessOata FTK Imager %2OO

A

-

4 4

S 5

Cursor pos 0; dus —

2921357; log sec

a

23370856

0e30 69 00 63 00 69 00 60 00—65 00 61 00 63 0-0 jOe4O AL 00 63006700 6000—2100000000 00 00 00

.

corn/

Oe%0 74 00 74 00 70 00 73 00—LA 0-0 21 00 21 00 77 DO t-tps-:

-

3

-

4...

_jz—f1

V

A

1/13/2016 10:34:42 PM

I I Al all

Regular File File Slack

1110)2016 134:0$ AM

X

Regular File

I Date Modified

C

p#rt,

I ‘vJiX%!

d’ °3 0 23 3t3nQD2rn_tL0ifl 6. D I 01a0 6% 00 67 00 75 00 14 00—LA 00 69 00 67 00 70 00 0db02OC69OO76026100—740O650000002C OdcO 0000020000000100-00 0000000000FF FL liv DddO FF LA 00 00 00 00 00 00—22 00 00 00 00 20 20 00 2? noon ThOOOnno0EO0ocfl04ooci20t.A4A. OdfO AC AL 01 00. 00 00 61 00—6% 00 61 00 75 00 74 DO abcut Bi’oh 10e00 47 00 14 00 1700 80 53-IC LA A0 4% 69 10 A2 LA N l0e100800%33030903800—%l800000000065 00 +0O8 a

$130 {D4889802-8A451 1E5%2AE5S946B55A470}.dat ReccverStore.{D4ES9E00-BA45i 1E5-S2AE-58946955A470}slat {33879D82-673A-l IE542AE58946B55A470}.datFileSlack

K Recoven.rStore.{055924D4-8A43-1 1E532AE5S946855Atc K (66FD899F-8A45-1 IES42AE5S946B55A470}.dat %

K, RecoveryStore.{3SB79DB6B73Al 1E5-82AE-S8946855A170}.dat K (3SB79DB8873Ai I ES42AE%S9%5B55A470).dat

Name

File List

1?

—

C:\Forensic Program

RecoveryStore. {2F8A1D83-BCA3-11E6-82E6-58946855A470} .dat 12/07/2016 17:32:54 UTC Opened: N/A Closed: 4c InPrivate Browsing: YES Open Tabs: {2F8A1D85BCA31lE682E6-58946B5SA470} dat: 0, 1, 2, 3 Page Order: Current Page: https://search.wikileaks.org/?q=guccifer+2.0 Page 0: https ://www.google. corn! ?gws rd=ssl URL: Google Search wikipedia Title: Page 1: https : //www.google. corn/?gws_rd=ssl URL: qwiki1eaks Title: Page 2: https://wikileaks.org! URL: WikiLeaks Title: -

FORSOO

UfH?

J

Windows Forensic Analysis

One of the most powerful techniques for recovering InPrivate session data is to find and recover previous session is automatic crash recovery flies. These files are created during an tnPrivate session but deleted when the closed. Thus, they are common]y found in the (IE) %USERPROFILE%/AppData/Local/Microsoft/Internet Explorer/Recovery/Active and %USERPROFILE%/AppData/Local/Packages/Microsoft MicrosoftEdge/AC/Micr osoftEdge/User/Default/Recovery/Active (Edge) folders. .

In this slide, a Recovery session file was parsed with the parseRS.py tool.[’l The results show this was an session, InPrivate browsing session started on 12/07/20 16 at 17:32:54 UTC, Only one tab was opened during this and it had a history of four total pages.

Reference [1] hftps://github.com/jtmorandparseRS

230

©2017 Rob Lee

°

ED CD

r

0

0

© N)

-

Open Tabs: {2F8A1D85-BCA3-11E%-8%E6-5894%B55A47Ø}4dat: Page Order: 0, 1, 2, 3 Current Page: https://search4wikileaks.org/?q=guccifer+2.o Page 0: URL: https://wwwgoogle.com/?gwsrd=ssl Title: wikipedia Google Search Page 1: URL: https://www.googlecom/?gwsrd=ssl Title: q=wikileaks Page 2: URL: https : //wikileaks org/ Title: WikiLeaks

RecoveryStore. {2F8A1D83-BCA3-11E6-82E6-58946B55A470}.dat: Opened: 12/07/2016 17:32:54 UTC Closed: N/A InPrivate Browsing: YES

C: \Forensic Program

• ESEcarve by Howard Chivers: • Recovers resident and deleted entries from ESE • Can carve from clean (using API) or dirty databases • Output in csv format (-y performs deduplication) et Adn utrt’; (omnd Prempt

—

U

X

\Forensi c P rociram Fiies\EsrCarveksrçarve.exe ielO G:\Dona1dBlake[vidence\Exports\Wbcache1 ESECarve v2.OTstarted at O/11/O1b 12T5!i INFO root Written by Howard Chivers. See REAiE for software licence. INFO ‘oat Called with arguments: i dO C: \Donald 8l aketvidence\Exports\Wehcache INFO ‘oat input file is not a clean database, API access not possible INFO root Using C: \Donal&.Blake..Evi dence\Exports\webcache\webcachevOl. dat as referent INFO root for database schema will recover the schema by cdrv INFO toot i ng carving from file: C: \Dnnal cLul ake.Evi dence\Fxports\Webcache\WebtachevOl. da INFO root f6 MD5 hash for C: \Donal&Blaketvi dence\Exports\Webcache\WebcachevOl.dat INFO i leuti is 94f87ae4a2d79c%c7%e7

FOR500 j Windows ForensicAnalysis

OFIR

2.32

With an enterprise-grade database comes a lot of overhead, and there can be a significant amount of unallocated space present in ESE databases. Howard Chivers wrote a groundbreaking tool for carving entries from ESE databases named ESECarve. More than just a data carver, ESECarve is also an excellent ESE parser, and depending on the options selected, can output the contents of every active container in C$V format. (Look for output files named similar to Container 84 CurrentData. csv). It collects data carved from unallocated areas of the database into a fi]e named Container_all,CarvedData. csv. The -y option nicely performs deduplication of any deleted entries with those already present in the current containers. You may even notice carved entries from ESE containers that no longer exist in the database! In this case, it is great to have the data, but it can be challenging to determine what specific artifacts the deleted container held without the mapping kept in the Containers table. If history were cleared before you preserved system evidence or you suspect inPrivate browsing was in use, this is a go-to tool. Mr. Chivers has not widely distributed it, so the best place to find it is on your SIFT workstation in the forensic Program Files folder. From the ESEcarve help file: “You may be surprised at just how much data there is within the database file but outside the current database tree, although this is very dependent on circumstances. Although ESE reuses deleted ID’s and space, it also moves data around, leaving records for re-discovery. Data in records outside the database tree may not necessarily be obsolete (i.e. files deleted or re-indexed), but may also be duplicates of existing records due to data being moved between pages as part of database management. In some databases, near-identical records provide evidence of use due to timestamp differences, Usually, when a database file is recovered from a disk it will be marked as dirty, meaning that it will need to be updated by its log files before it can be accessed via the normal database API. Most programs that read the database will require a clean (i.e., recovered) version, and they may do this automatically without explicit warning. For this reason, it is important to carve from the original recovered database, not one that has been ‘recovered’ to clean for reading via the database API, or one on which has been accessed by other database browsing tools.” In this example, we ran ESECarve against a Webcache folder exported from a mounted image file. The toot reports the database is dirty and proceeds to carve it (carving dirty databases is a new feature in this tool). You will need to

232

©2017 Rob Lee

export the Webcache folder from a mounted image before starting. If the database is clean, you have another range of options, including deduplication using the API to query the existing allocated records in the database. Make sure to read the help file with this tool as the latest versions have many new features. The ie 10 schema built-in to the tool will carve both IElO/I I and Edge records. A sample command line is ESECarve .exe ielO C: \Export\Webcache

-h: Displays the help menu -y: Performs deduplication of carved entries (clean databases only) -d: Use API mode to dump current database contents lef 0: Specifies the database schema type (ieIO is for Internet Explorer 10± databases)

©2017 Rob Lee

233

c)ect 4kdmnrctrator c wnand Prompt

.

-

-

—

U

-

N:

k:\Forensic Program Files\ESECarve ESECarveexe ielO C: Donald Blake_Evidence Ex orts Webcache S.: starte at ‘-i ESECarve v2, INFO root root INFO Written by Howard Chivers. See README for software licence. INFO Called with arguments: i dO C: \Donal d_Bl ake_Evi dence\Exports\Webcache root Input file is not a clean database, API access not possible INFO root Using C: \Donal d_Bl akeEvi dence\Exports\webcache\WebCacheVOl. dat as referenc INFO k’oot o for database schema will recover the schema by carv INFO root ing INFO Carving from file: C: \Donal CBI ake_Evi dence\Exports\Wehcache\WebCacheVOi da root

Ito

_

_

MD5 hash for C:\DonaldBlakcEvidence\Exports\Webcache\WebCacheVOLdat = f6 INFO ileutils 894f87ae4a2 d7 9c6c7 Ge? M’Ub4 C: \Donal cl_sI ake_Evi dence\Exports\webcache\Contai ner_ 28876 lines written INFO bvwri ter

E ©

0, (N

P

n

Yoiive gone incognito -F,

F,,

-,t.

.‘

00

.3..

-F--

F,

GoFog fo egoffo doesof fddeyoor fFrowrkrg from yoor employrr yoor FntomroervkeptovFder, orerowthrIfroyouvFFf.

F

• Chrome and firefox have moved private browsing artifacts to memory: • $QLite database updates are done only in memory • Limited disk-based remnants

• There are still some leaks: • If outside viewers are used, IE records local file access! • Downloaded files persist in the file system (no metadata is kept) • Bookmarks are maintained (and identified as added in private mode)

DFIR

FORSOO I Wir dows F rensi -naiys’s

Chrome and Firefox have implemented robust private browsing options. When using private browsing mode, no updates are made to the disk-based databases. Instead, all artifacts are kept in-memory and do not get written back to the default databases. In practice, this means that little to no private browsing artifacts will be found on disk for these browsers. One exception is memory-based artifacts that get written to the pagefile. (The pagefile is a representation of virtual memory that exists on the disk.) Knowing that at least some data is likely to leak to the disk in this fashion, it is still recommended to search the disk when doing a deep-dive analysis. That being said, memory analysis will almost certainly pay the biggest dividends when trying to piece together private browsing sessions. RAM dumps, hibernation files (hiberfil.sys) and the pagefile (pagefile.sys) all provide excellent opportunities to recover private browsing artifacts. Although the Chrome and Firefox implementations are solid, they still have some weaknesses. One leak manifests if the operating system is set up to view specific file types in an outside viewer (such as Windows Media Player). In these instances, the outside viewer will be spawned, and Internet Explorer (and other OS-based artifacts) will record local file access for the opened file (but no metadata related to its origin). Similarly, downloaded files are saved to disk and will persist. Although file system timestamps may be useful here, there will be no references or metadata kept in the browser download history. Finally, researchers discovered telltale signs to distinguish when bookmarks were added during a private session.’1 This can be one way to infer that private browsing was employed by a user. In Firefox, the title and last visit date fields are left empty when added during a private browsing session. In Chrome, the visit count is set to 0 and the hidden field set to I. Reference

[Ij “On the Privacy of Private Browsing

A Forensic Approach,” Satvat, Forshaw, Hao, and Toreini

©2017 Rob Lee

235

235

• The Tor Browser is a modified version of Firefox • All browsing activity is via “Private Browsing” • Very limited disk-based remnants

• Application execution artifacts can identify usage • Prefetch

—

TOR. EXE,

START TOR BROWSER EXE

• UserAssist—start Tor Browser.exe

• Browser artifacts stored under install folder • \Data\Browser folder contains Firefox databases • \Data\Tor folder contains preferences and status files FOR500

DFIR

I

Windows Forensic Analysis

The Tor project is one of the world’s most well-known privacy toolkits. The Tor Browser is a core component of the project, with the aim of ensuring privacy and anonymity during online activities. Like most “a]temative” browsers, Tor is based on a well-known browser framework, notably the Gecko, or Firefox engine. In fact, Tor uses a modified version of Firefox, largely forcing all browser activity to be accomplished in Private Browsing mode. Private Browsing in Firefox (and Tor) leaves very few disk-based artifacts of browser activity. Nearly everything is accomplished in memory, and thus host-based browser artifact analysis is largely accomplished through memory analysis (via RAM dumps, page file, and the hibernation file). Beyond browser artifacts, the investigator may simply need to prove that Tor was present and running on the system. This might be the impetus that leads them to do a more detailed searching of memory for artifacts. To show Tor execution, we rely upon standard operating system artifacts like Prefetch and UserAssist. Investigators should look for files named “Tor.exe” and “Start Tor Browser.exe”. In the installation location for Tor, there will be application folders proving the existence of Tor along with some user preferences. Tor does not have to be created under a user profile. It creates a self-contained folder structure that can be placed anywhere, including removable media. Operating system artifacts like Prefetch, UserAssist, LNK files and Shelibags can help identify pointers to these folders. Tor creates a “Data” folder and within it, there is a “Browser” folder containing the standard Firefox databases (though they are largely unused since nearly everything is accomplished in memory). Perhaps more interesting is the “Tor” folder that houses text files like “State”, which records the Tor version and time last execution date.1 Investigators should take the time to review files modified in these folders during the on Forensics “Tor named topic the on of interest for their case. Mattia Epifani released an excellent presentation Windows OS” [I] https ://digital-forensics.sans.org!suminit archives/dfirprague I 4/Tor Forensics On Windows OS Mattia Epifani.pdf

236

©2017 Rob Lee

236

Fito

Edt

Toot

Go To

Hoip

RoredM4ot

F

H

.

..

.

ReF 4tec. F.

o.n?udsioftcFore. ConeiOSOeFLoeCoved

t’1p/Jo

Foofco Covd FornHotco

•kt Found

a,

4 4F

Iou

4 Ft

/

‘

H n

Nct Found {not Fooou

Not Found

N

N

r. ft.

tF

(

F

F

N5F

H,

a

43 .,..,,1

-

FE

‘

uo.ft.

3,’4

4

UTC

.

u-H H0

F.1 -

Ft.

S..

DFIR

‘n F -un. [FoNt/F ‘4F ‘

tH ‘

‘0

5/

iF NTF ‘0 A

F

t.rn

FORSOO

.

T3’

‘.:

.

t/-”,’r

Wi dows ForencAnaysis

File and data carving is one of the most powerful forensic techniques available to forensic examiners. As applications have evolved to have less of a footprint on disk, we often need to employ data recovery techniques to get access to that data. Tools such as Magnet Forensics’ Internet Evidence Finder and Belkasoft Evidence Center have emerged with custom carvers to find like InPrivate or Incognito browsing sessions, webmail, and social media interactions. FTK has recognized the value with its own selection of custom carvers, and memory carving can often be even more valuable than carving disk unallocated space! This is an exciting area of forensics that will continue to improve and evolve over the next few years. When dealing with private browsing, carving memory files is one of the most effective recovery techniques in otir arsenal. Note that not all browsers have identifiable markers to distinguish between private and regular sessions. Also, even if the markers exist (such as in lE and Edge), they may no longer be present. Hence, recovered private and regular session data is often intenningled. Although you can tell a specific site was visited, you may not definitively state it was in a private browsing session (or what user was responsible).

©2017 Rob Lee

237

237

N File

Edit

Toots

Recovered Artifacts

CPwome/380 Safe 8rower Carved

6rower Activity

20

821

612

Help

Frrefox Carved Formdbtor2

4

Go To

Firefox SessronStore ArMacts

43

Items

Flmh Cookies 2

Web Related

Google Maps

49

f

It

IC lnPrivate/Recovery URIs 1570

.

Q

Internet Explorer 10 Carved Conten.

Report V3ewerv%%&0001 -

Case V’PYVMMDD

Desorrptrcn

-Not Found- (nor tines

Fde C’eatron Date/T

-Not Fcnr;d

-Not Found-

Local MAC Ad

0

URL

-Not Found

-Not Found- (not rmez

-Not Found-

Search.

ft

NIp //wnw. amazon. oom/gp!btkmazon..

-Not Found

-Not Found- (not times

-Not Found-

v

I

http Hwvnv. google oom/udskfs?oiienht

-Not Found-

-Not Found- Inot times...

Default Encoding

0

http:i/wivw, amazon

-Not Found

Go To ft

3

https: //wwv&dropboxcom/

-Not Found-

n

4

-Not Found- I not times

>

-Not FoundShowing results 1 -49 of 49

htto //wvnnamazon, oom/ooitqt/amazon

- --

5

Evidence..

I EF

A

4 -‘

-

-Not Fourd -

Dosorlptlon

-Not Found- (rot trarzoro converted; Local MAC Addresrr

File Croatian Datemrne (UTC) (MMiddyyy)

-

File offset 672968315

-

-Not Found PhysicatDrwol Portiior 1 (Microsoft NTFS. 1-82 TB) Stomps (Dii (User Selected) (ROOT)\Dropbox\DropboxSANSDFIRr4C8-DEC-2313UPDATE\FOR4ZS USBkOorald_BhkojvidercoWomor,WYYYMMDD C-Cl MemoryddC0i pot

So ur

Fvfdstnea Musher

Located At

V

-

0 0 -J SD C

0

©

GD 0D C”

Unallocatedt

+ Not including memory artifacts that can “leak” into unallocated via pagefile

I3FIR

FOR500

J

Windows Forensic Analysis

In general, modern browsers do a good job of eliminating browser artifacts when private browsing modes are enacted. firefox, Tor, and Chrome barely touch the disk in these modes, which means that file recovery techniques are not usually successful. Internet Explorer and Edge do write files to disk, setting them to delete upon the browser session termination. Thus it is possible to recover some IE/Edge InPrivate disk artifacts using forensic techniques. Finally, all browsers are susceptible to analysis of private sessions via system memory. RAM, pagefile.sys, and hiberfil.sys may all capture private browsing session information, which can be extracted by an analyst. Of course, the contents of memory can be paged out to disk, so even memory-only artifacts can sometimes end up in unallocated drive space. Specialized carvers like Internet Evidence Finder can recover these remnants on disk and from memory files. Note that it may be possible to determine if a private browsing session were activated even if artifacts such as URL history are not present. For example, Internet Explorer leaves a history marker, Start InPrivate Browsing, at the beginning of an InPrivate session, and Firefox may leave a similar Enter Private Browsing artifact. Timestamps for certain browser files may also be updated during a private browsing session, which could be a clue if no corresponding browser artifacts are present.

©2017 Rob Lee

239

239

[ 4,n na J

C

th.

at>nn

4

NaScft

Qp Cpea at a L4

D3dd Ft 1. ratyn FanAnaly

ndcw

at a t& Tab Ca an I data and Fda

J

tdnFThn Fain Uter Aat

EnrrutTdaSte

tantoaI C tan;

a

J Pannwordn Open in new tab Open in new window Delete tcncatninpcatnsnnnn

Dbtea1Ivsitstoling.cam

Q

Fats rat’,;

pnrrnaan

Csmpanblny pa;m;;n a;;

FOR500

OFIR

Windows ForensicAnalysis

e

Browsers can provide the investigator with a large amount of data and many helpful artifacts. The flip side of the coin is that browsers now also have a robust set of preferences available to users to delete much of the data located in these artifact databases. Although these options are not set as default, they are increasingly easy for a knowledgeable user to implement. For example, Firefox routinely improves upon existing privacy features by providing finer grain control over settings and increasing the number of proactive and reactive privacy options.[11 The selective capability of privacy controls makes our job as forensic analysts a bit tougher. In older versions, artifact clearing was often all or nothing. If we were confident that a specific browser was being used (say it was the default browser with corresponding Prefetch data) and there were little or no historical artifacts, we could at least start looking for indications that evidence had been deleted (and possibly be well on our way to a data spoliation claim). The problem with selective removal is that it is much harder to determine if potential evidence has been removed. Some selective deletion options include Clear Recent History/Obliterate the following items from X: Enables users to not only choose specifically what they

want to clear (that is, clear history but leave cookies), several tirneframes are available in browsers such as Firefox and Chrome, for example, Firefox deletes from the Last Hour, Last Two Hours, Last Four Hours, Today, and Everything. Some of these options do not always work as may be expected. We mentioned in the Web Storage section that for those Super Cookies to be cleared in Firefox, a user would need to select both Cookies and Everything. Forget About This Site/Remove from History: When viewing the Flistory Library in IE/Edge/Chrome/Firefox, a

right-click option is commonly available to “forget” or remove all entries related to the site. Similar methods can be used to selectively delete within the download manager, the bookmark dialog box, and so on. The key difference is the visibility of the new option to the average user. This action may leave tell-tale signs. Notably, ID numbers in databases are typically assigned sequentially, so gaps can indicate selective deletions. In addition, quirks of implementation might surface. For example, in Firefox the entire browser cache is deleted whenever a site is “forgotten.” This is likely accomplished because the developers found it too burdensome to weed out all references to the site within the cache. Reference [1] http://blog.mozilla.eorn/faaborg/2009/06/30!firefox-3 5-and-privacy!

240

©2017 Rob Lee

p1esqflte

I

E

CUt

t tP tt

II (1)

II

m 4

mostoyvk1

• New browser privacy options facilitate selective deletions • Look for gaps in database record identifiers or significant time gaps (such as an entire day missing) • Deleted data can often be recovered by carving the unallocated space within the database 13FIR

FORSOO

I

Windows Forensic Analysis

With the rise of selective deletion options, the job has become more difficult for an analyst to determine if a browser cleanup has occurred. One reliable technique is to find tables where entries are assigned sequential ID numbers. One such database is shown here, the places.sqlite file from Firefox. By analyzing the entry identifiers, gaps can be identified. It appears that II rows are missing in this example. Further, timestamps of activity around those gaps can sometimes be identified to approximate when the missing actions occurred (and matched with other artifacts in the case). Although this is a manual process, it can be effective when doing deep-dive analysis. When you suspect browser clearing has been accomplished (either selectively or en masse), you should consider running tools to look for unallocated data still present in the database. There are specialized tools for doing this for both ESE and SQLite databases.

©2017 Rob Lee

241

241

SQLite databases can contain deleted entries and several tools can recover them: • CCL Group epilog (commercial) • Sanderson SQLite Recovery (commercial) • sqlparse.py by Man DeGrazia (free)

epdog

> 1, r / 01 t P ‘s ..‘ • n ir Pr j m ;le a TSV File or text into rile Usaqe: Parse deleted records from an SOLite Opt ions: it sh. w Lhi h l m s e anr -h 1 db i m I b hl uS sqlite databa5e file -o output ,tsv, --outputoutputtsv Uutput to a tsv f tie +rips white space tabs and ic cm -na’le h ra rw oruat an Op ic al Will oi. pit -Ja a uied 1, -raw text fileS -

—-

•

.

—

-

,

O FIR

F

5

Vir

fl

;is

241

SQLite databases are common in digital forensics. We cover their use in Firefox and Chrome in this course, but many other applications and operating systems use them including Safari, lOS, and Android. SQL1te encapsulates an entire database in a single file, and a typical file ends up having unallocated space that could hold previous database entries. Deleted records in Sqilte can persist for long periods of time in this unallocated space, particularly if the database has not been rebuilt (that is, the vacuum command has not been run). Recovering data from an SQLite database is relatively straightforward. The difficult part is taking the results and applying the correct schema to them to make the data make sense. Hence, the best recovery’ tools for SQLite tend to be commercial tools that can afford to do the research necessary to keep up-to-date. Some of the most widely recommended tools are Epilog from CCL Group, Sanderson Forensics SQLite Recovery, and SQLite Viewer from Oxygen Forensics.’ [2], [3] Marl DeGrazia released a free python script to recover unallocated blocks from databases.41 This is one of the few free tools that can perform this operation, and it can be useful for files that yoti already have a good idea of what they contain. For instance, unallocated space in the Firefox cookies.sqlite database contains cookie information. It gets more complicated with databases such as places.sqlite, where unallocated blocks might contain the bookmark, history, downloads, and form history data. However, similar to file system unallocated space, sometimes just seeing a link to a specific site or file is all the evidence you need to support your hypothesis. A sample command line for SQLite Parser is: sqlparse.py -f places.sqlite -o places out.tsv Given the relevant data that may exist in SQLite databases, some tools have started to perform SQLite carving from file system free space. Magnet Forensics Internet Evidence Finder and Digital Detective Blade are two tools that have SQLite carving support. References [1] hftp://sandersonforensics.com/forum/content.php?1 90-SQLite-Recovery [2] http ://www .oxygen-forensi c .com/en/features/analyst/data-viewers/sqlite-vi ewer [3] http://www.cclgroupltd.com/product/epilog-sqlite-forensic-tool/ [4] http://az4n6.blogspot.com/2O 13/1 1 /python-parser-to-recover-deleted-sqlite.htrnl

242

©2017 Rob Lee

I

1.

What if a user clears all data using privacy settings? • Deleted entries can be recovered from SQLite and E$E databases • SQLite is notorious for spraying remnants throughout free space • Cached files in Firefox and Chrome harder; likely require carving

2. What if the browser is uninstalled? • In many cases, all the artifact databases remain (Chrome and FF) Otherwise, undelete files using forensic tools and perform analysis

3. What if a user selectively deletes individual records? • Using Forget This Site, Clean Recent History, and more • Look for missing database entries (ID comparisons) • Attempt recovery of unallocated entries

In all cases, data can persist in unallocated space and memory

DFIR

fORSOO

Windows Forensk Analysis

With the user-friendly data clearing features present in modern browsers, it is inevitable that we will run into cleared artifacts in many investigations. The manner of how the artifacts were cleared determines how difficult it will be for an investigator to recover them. The most common way users clear browser artifacts is through the use of privacy settings. Users now have fine grained control over what is deleted, so finding one cleared artifact does not mean that every database record has been cleared, When a user clears an artifact using privacy settings, entries are deleted in the corresponding database. Luckily, deleted entries can be recovered from these databases with the right tools. In addition, data from the file may still be located as fragments in file system unallocated space, where it can be discovered by keyword searches. However, analysis of these file fragments will be much harder because we will not have the luxury of loading them into our tools to automatically parse them. By design, $QLite databases reqttire a large number of temporary files. This is due to implementing an entire database within a single file. To perform database functions, temp files are created frequently. This is such a problem that SQLite databases can often not be used for applications where system resources discourage creating temp fiIes.[1 From a forensic perspective, this is great news. It means that even though we may have issues recovering the original artifacts, we have an excellent chance of finding (multiple) copies of those same artifacts in unallocated space. Thus, we should expect to find more Firefox and Chrome artifact fragments in free space than in non-SQLite based browsers such as Internet Explorer. Another method of clearing browser artifacts is to uninstall the browser. This is a best-case scenario because, in the case of both Chrome and Firefox, the databases containing user artifacts are not removed and exist in their original locations under the user profile. The user may believe they are gone, but databases such as places.sqlite are nicely still allocated and ready for analysis. If any files were deleted, they can be recovered via forensic techniques and analyzed.

©2017 Rob Lee

243

243

The final method that a user can use to clear artifacts is to utilize the built-in selective deletion privacy features. Unlike in older versions of Internet Explorer where the index,dat files can contain old records; finding deleted records in large database files is more difficult. Your best bet is to use SQLite or the ESE database tool that can scour the database for deleted records. Record numbers are isstted sequentially, so gaps in the existing records could indicate that selective deletion occurred. If there appear to be no deleted records available fbr recovery, it may stilt be possible to recover any deleted data by searching file system unallocated space or memory images. Reference

[1] http://www.sqlite.org/tempfiles.html

244

©2017 Rob Lee

DIOITAL FORENSICS

DFIR INCIDENT RESPONSE

Exercise 5.3 firefox and Chrome Analysis

FOR500

Windows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

245

245

DONALD BLAKE CASE TIMELINE: Following FF/Chrome Exercise 13:24 8/1-8/3 Dropbox 18:19

19:21 Opening Dropbox folder (via Sheilbag)

Winwor U utilized

Connect to L0T38 SSID

tvia Event Log)

(via Event logs)

8/1/13 8/8/13t. -

10/18 19:26 Donald searches for “insider traUing’ and “sec stack shorting” (via Firefox Form Data)

17:58 Skype chat from Jordan tells Donald to check e-mail (via 1FF) E-mail analysis shows e-mail read.

Begins accessing many folders, local & remote, over a “2 hr period (via Sheilbag,

15:13

20:16 13:45

Accesses folder on F:\Templat e

-

20:11-20:21

‘USB2O” (BLAKE FILES = Es via INK) Last Inserted 18:46

Uses Remote Desktop

(via Shellbag]

&

“SM!” first installed

FVENOT1FY

(via Prefetch)

(via USB)

20:16:45 SMl USB removed

lEF,

i i

18:03 Nokia Strategy dots opened by Donald (via INK)

16:23 First RDP session from Donald

‘t

IL1

18:53

19:03

r10r33

Runs Bitlocker Unlocker

Began copying files to

Donald changed time to 8/8 19:03

[JonaldJ

-

—

(via Event Log)

18:51 (via UserAssist) Decrypted Bitlocker USB image 003 fAA04012700011123 F:\) has business plan docs in root and \Templates

Begins utilizing sdelete antiforensics (via PrefeEch)

10/22./13

.W/21/i3 r\___-,_

—

Skype w/ Jordan. Says he’s been fired. Jordon asks about RDP

[nawaccountlasJ

19:20 (via INK)

(via String Search)

Donald changed time to 8/1 19:20 (viS Event Log)

(via E-mail)

0 FIR

F” 5

This page intentionally lefi blank.

246

©2017 Rob Lee

\Nin ‘,,ws

,ie si

.

n

sis

Section 3 j

Part 4 USB Device Analysis

}cction4

} ESection 5 J DfIR

FORSOO

J

Windows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

247

247

>

V.’ddE

F mail

Cakndai

)tilat and

I’rtfil’;f/

Autbentica

caie.

Calie

fr

OFIR User Comms Web Based E-mail E-mail

Calendar Chat and IM Chat / Webmail Memory Artifacts File Download Open / Save MRU LastVisited MRU E-mail Skype History Index.dat/ Places.sqlite Program Execution UserAssist LastVisited MRU RunMRU Start->Run MUI Cache

Win7/8 Jump Lists Prefetch Suspicious Services (EVI) File Opening! Creation Recent Files Recent Files (*ext) Office Recent Files

Shortcut Files (LNK) Win7!8 Jump Lists Indexdat file:!!

248

Aeount

FORSO0

File Knowledge XP Search ACMRU Win? Search WordWheelQueiy Thumbs.db Vista!Win7 Thumbnails Recycle Bin Browser Artifacts Physical Location Timezone Wireless SSID VISTA!Win? Network History Cookies Browser Search Terms USB Key Usage Key Identification First! Last Times User Volume Name Drive Letter Link File P&P Event Log Account Usage (SAM) Last Login Last Failed Login Last Password Change Group Membership -

©2017 Rob Lee

I

WIndows ForensicAnalysis

—-.z

Account Usage (EVT) Success / Fail Logons Logon Types RDP Usage Account Logon! Authentication Rogue Local Accounts

Browser Usage History Cookies

Cache Session Restore Flash & Super Cookies

Suggested Sites Memory Fragments of Private Browsing

(0

NJ

Logon Types

Success / Fail Logons

VISTA!Win7

Thumbsd b

RDP Usage

Session Restore I

Drive Letter

Flash & Super Cookies

Suggested Sites

Rogue Local Accounts

Link File

Browser Search Terms

Group Membership

Volume Name

\ Cookie

Recycle Bin

Fragments of Private Browsing

P&P Event Log

BroWser %rçifacts.

W&JumP%atfile#//

Vista/Win7 Thumbnails

Prefetch

Account Logon/ Authentication

Last Password Change

User

Network History

)History Cookies cache

Last Failed Login

First/ Last Times

Wireless SSID

—

Recent Files

Win7 Search WordWheelQuery

Chat / Webmail Memory Artifacts

n ex a Skype Historyk

Chat and IM

RunMRU Start-> Run

E-mail

Calendar

Last Login

Key Identification

Ti mezone

4td:!!!’L7;!aF”

I

-

Search ACMRU

xP

(*ext)

Recent Files

Recent Files

a

a .

Open I Run MRU

Open / Run MRU

Open I Save MRU

UserAssis t

Email

Web Based Email

DFIR

DigiTAL FDRENiCS B INCIDENT RESPDNSE

Exercise 5,4 Final Challenge Preparation

Of

IR

FOR500

This page intentionally left blank.

250

©2017 Rob Lee

J

Windows Forensic Analysis

230

OFIR

DIlIAL FORENSlG 1 INCIDENT RESPBNSE -

—:E-

zi

The Forensic Challenge: Hands-On Case Study -

-

.Z.

-

DFIR

FOR500

WI dows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

251

25

Analysis: • You will be grouped into teams of 3 to 4 people each • Each team will analyze the case together and share findings/results • More than one-half of the day will be spent analyzing the case image

I I

Prepare Summary: • One 10-minute PowerPoint Presentation showing the key facts you uncover and what they mean to the case • Use graphics as much as possible to convince the jury/judge of your findiw s FO .3 3 1

DHR

I

s Fo

si-

n,

Analysis You will be grouped into teams of 3 to 4 people each. Each team will analyze the case together and share findings/results. Over one-half of the day will be spent analyzing the case image. Prepare Summary Prepare a 15-to-lO-minute PowerPoint Presentation showing the 5 to 10 key facts you uncover and what they mean to the case. Use graphics as much as possible to convince the jury/judge of your findings. The summary statements from the two selected teams will be handed out to the class for examination.

252

©2017 Rob Lee

I

Triage, Advanced FFK Imager Usage, Data Stream Carving, file Carving • Registry Analysis

• Shell Items, USB Device, and String Searching • E-mail Analysis, AL

J Artifact Analysis, and Event Logs

• Browser Analysis • Capstone Case

—

Work in Teams

DFIR

CQRSOO

W. d ws ‘c,rensic ‘Analysis

This page intentionally left blank.

©20J7 Rob Lee

253

D FI I? DlITAL FORENSICS

Windows Forensics

Advanced Incident Response

INCICENT RESPONSE

F0R572

Advanced Network forensics and Analysis

fOR58

10R578

Mac Forensics

Cyber Threat Intelligence

fOR.52%

j1[M

A

Memory Forensics lnOepth 4•

Hacker Tools, Techniques, Exploits, and Incident Handling

)

(

Advanced Smartphone Forensics

REM Maiware Analysis

5EC504

‘

f rOR58

FOR6IO

MGT53S

Incident Response Team Management

@sansfarensics

sans1orsnics

dfir.to/DFlRLinkedlnCommunity

This page intentionally left blank.

254

©2017 Rob Lee

dfirto/gptussansforenscs

d1iriafHML4lST

254

©

CD CD

r

C C

—4

N) 0

FQR4OB

ib sanslorensics

@sansfornsics

7m4

t ii

(4

h V

Advanced Smartphone Forensics

FQPS8%

Memory Forensics In-Depth

FORS%6

Mac Forensics

FOR!H8

Windows Forensics

IN-DEPTH

OPERATING SYSTEM &

dfirto/DflRlinkedlntornrnunay

dfirso/gplus-sansforensics

INCIDENT H—RESPONSE & ADVERSARY H LINT IN G

DIGITAL FDRENXIGS B INCIDENT REXPDNSE

SSDFIR FCR%08

dfirto/HAIL-LIST

Incident Response Team Management

MGTS3S

Hacker Tools, Techniques, Exploits, and Incident Handling

SECSO4

REM: Malware Analysis

FOR%W

Cyber Threat Intelligence

FORS7B

Advanced Network Forensics and Analysis

FOPS7%

Advanced Incident Response

• Please thank your SANS behind-the-scenes staff and volunteers for puffing together a wonderful training for you. Any additional questions: [email protected] http://twitter.com/robtlee http://twitter.com/sansforensics I f0R5

DFIR

‘Vh

Fe c

is

(

This page intentionally left blank.

IL

256

©2017 Rob Lee

Here is my lens.You know my methods-Sherlock Holmes INSTRUCTOR CONTACT SANS INST TUTE BlZ0WodmunrAvc., ult 3W Bethesda, MD 20814 -

301 .654.SANSf7267)

ctllburysans org twitter ©chadnlbury

SANS EMAIL DFIR RESOURCES digit forensics sansorg

GENERAL INQUIRIES: nfo(sansorg

DFIR

FOR500

Wiidows Forenskft-naly

This page intentionally left blank.

©2017 Rob Lee

257

C

cD

H

ndex $1 $Reçydeiiu -deepscan -pipe -rawscan bak

3-4:203-205 3-4:203-20S 1-2:270 1-2:270-271, 3-4:22, 3-4:25, 3-4:44, 3-4:217 1-2:270, 3-4:44 5:77-78,5:186,5:224

EDB

3-4: 149, 3-4:151, 3-4:169,

3-4:184-186, 3-4:200, 5:7778, 5:123, 5:125, 5:127 3-4:261-262, 3-4:308, 5:39 3-4:2 62 3-4:143 3-4:177 1-2:262 3-4:177 3-4:177 3-4:143 3-4:137,3-4:139 34:145-146 3-4:143 1-2:38, 3-4:208-209, 34:2 13, 3-4:2 15, 3-4:2 17-

.evtx evtx Log format JCS JPD LN1{ Time of first/Last Open .mdbackup mddata .NNT

OST p7m PAB .pf

219, 3-4:2 28

pgp PST

3-4:145-146 3-4:130, 3-4:134, 3-4:137, 3-4:143, 3-4:147, 3-4:15 1152, 3-4:157-158, 3-4:163, 3-4:177-178 3-4:163 3-4:143 3-4:151 5:73, 5:75, 5:114, 5:127 3-4:143 1-2:191, 3-4:69, 3-4:100, 34:106 3-4:69, 3-4:101, 3-4:106 3-4:69, 3-4:102, 3-4:106 1-2:201-202 1-2:190-191 1-2:190-191 1-2:190-191 3-4:232, 5:162 3-4:301, 3-4:306 3-4:293-294, 3-4:296, 34:306

PST Proliferation! 5DB STM vcrd WAB 0064 0066 0067 0x02 0x06 0x17 0x47 1033 11000 20001

© 2017, Rob Lee

INDEX 1 -

3-4:290-291, 3-4:306 3-4:271-272, 3-4:277, 34:281-282,3-4:306,3-4:308 3-4:271, 3-4:279, 3-4:306 a-4:%71-27%, 34:277,34:306 3-4:271, 3-4:277, 3-4:281, 3-4:306 3-4:284, 3-4:286, 3-4:288, 3-4:293, 3-4:299,3-4:306 3-4:284, 3-4:306 3-4:284, 3-4:286 3-4:288, 3-4:293, 3-4:298-299, 34:306 3-4:271,3-4:306 3-4:281-282, 3-4:306 3-4:281-282, 3-4:306 3-4:277 3-4:15-16, 3-4:271, 3-4:277, 3-4:282 3-4:271 3-4:279 3-4:3 04, 3-4:306 3-4:281-282 3-4:205,3-4:246,3-4:281282 3-4:301, 3-4:306 3-4:25,3-4:127,3-4:301,34:306 3-4:69, 3-4:99-102, 3-4:106 1-2:242-243, 1-2:269, 34:20, 3-4:43 1-2:149 5:35,5:48-49,5:55 1-2:268, 5:35, 5:51, 5:55-56, 5:61, 5:106, 5:108 3-4:266 1-2:18, 1-2:167, 1-2:207, 12:210, 1-2:249, 3-4:113, 34:239, 3-4:271-272, 34:277, 3-4:279, 3-4:281282, 3-4:312, 5:248 1-2:249, 3-4:113, 3-4:2 39, 3-4:312, 5:248 1-2:241 1-2:178 5:189 1-2:40 5:190

4616 4624 4625 4634 4647 4656 4660 4663

4672 477$ 4779 4800J4801 528 %8-55% 529 6100 682 683 8001 8002 83da6326 Absolute Path Access Data Registry Viewer AccessCount AccessedTime Account Logon Events AccountUsage

ACMru Active Desktop ActiveTimeBias Add N Edit Cookies Add to Custom Content Image addons.sqlite Address bar history

NDEX 2 -

5:68

© 2017, Rob Lee

adecth853d77462a ft

3-4:15-16 -1*’

-

-

—

-

Advanced Acquisition

AJAX Allocated

Analyzing USB Devices anno_attribute_id 7 anno_attributejd $ anno_attribute_id 9 AppiDs Archived History ASCII Audit account logon events: Audit account management: Audit directory service access: Audit file System Audit Handle Manipulation Audit logoti events: Audit object access: Audit Removable Storage Auditing Access to BYOD Auditviewer Auto-Complete Da a: Automatic Crash Automatic Destinations Automatic Destinations in Structured Storage Viewer AutomaticDestinations

automaticDestinations-ms BackTrack

Bags

-

•-,.ir--’

—

7

/

1-2:6, 1-2:14, 1-2:21, 1-2:50, 1-2:65, 1-2:94-95, 1-2:101, 1-2:109,1-2.116 3-4:165, 5:86 1-2:29, 1-2:69, 1-2:71-72, 12:75-76, 1-2:85, 1-2:87, 12:89, 1-2:103, 1-2:118, 12:143, 1-2:149, 1-2.259, 34:137, 3-4:142-143, 34:165, 3-4:2 04, 3-4:2 62, 5:29, 5:44, 5:49, 5:136, 5:148, 5:228, 5:232-233, 5:237, 5:239, 5.241-244 1-2:148, 3-4:50 5:175 5:175 5:175 3-4: 15 5:197, 5:201, 5:221, 5:224 1-2:26, 1-2:118,3-4:122,34:203, 3-4:212, 5:61-62 3-4:2 66 3-4:2 66 3-4:2 66 3-4:286 3-4286, 3-4:299 3-4:266 3-4:2 66 3-4:293, 3-4:298 3-4:298 1-2:3% 5:73 5:81, 5:227-228, 5:230 3-4:11, 3-4:17-19, 3-4:21-23 3-4:18 3-411, 3-4:17-19, 3-4:2 1, 34:23, 3-4:25, 3-4:60 3-4:11, 3-4:19 3-4:279

1-2.134, 1 2:254, 1-2:269, 3-4:30-41, 3-4:43-44, 34:64, 5:236 3 4:302

Basic Service Set Identifier

--

©2017, Rob Lee

INDEX -3

1-2:37

Begin Analysis of Triage Image

BIOS

3-4:25, 3-4:259

Bit Locker BlackBerry Enterprise Server Block Device/Read BlockVevice/Writable Boolean

1-2:26 3-4:177 1-2:5 9 1-2:59 3-4:159-160 1-2:190-191 5:18 5:17,5:62,5:206,5:240 1-2:18, 1-2:210, 3-4:239, 34:3 12, 5:46, 5:248 5:145 5:175 5:138 5:186 5:186 5:41 1-2:196, 3-4:301-302,34:304 1-2:199 5:148 5:48, 5:135, 5:148, 5:151, 5:204

Broadband Browser basics BrowserCache Browser Usage Browsercacbedisk.capacity browser.downloadjastdir

browserJiistoryexpirationtransient_current_max_pages browser.sessionstore.enabled browser.sessionstore.max_windows_undo BrowsingllistoryView BSSID C:\Windows\CSC cache Block Cache Data

3-4:172473, 3-4:196, 5:17,

Cache files

5:44, 5:46,5:55, 5:111412, 5:114, 5:127,5:148,5:150-

151,5:187,5:204, 5:224. 5:227-228 1-2:186

Cache Key Cache Map cache2

5:148

cache2\entries

5:147

Cached Exchange Mode caching cafae Calendar and Contacts Can We Differentiate Synced Data

3-4:137 1-2:197499, 5:49, 5:147 1-2:149, 1-2:156-158, 12:242 3-4:143 5:106

CCL Group epilog

5:242

CHAIN_END CHAIN_START Chains

5:201 5:2 00 3-4:35, 5:198 1-2:54 1-2:34, 1-2:37 5:204 5:197 5:200

5:145-147

Characteristics of Mounted Images Check for Disk Encryption Chrome Cacbe Viewing the Browser Stockpile Chrome History Artifacts: Investigating Sites Visited Chrome History Page Transition Types Chrome Review

Chrome Timestamps

INDEX-4

5:224 5:202

©2017, Rob Lee

ChromellistoryView CLIENT_REDIRECT Cloud Services CLSW CNRL ComDlg32

5:221 5:201 3-4:149 1-2:244,1-2:257,3-4:25 1-2:256 1-2:144, 1-2:227-229, 12:233, 1-2:254 1-2:256, 1-2:268 3-4:172 3-4:134, 3-4:137 1-2:176477 1-2:181 5:30,5:32 3-4:110, 5:3 3, 5:48 3-4:110, 5:33, 5:48 5:22, 5:24, 5:29, 5:32, 5:46 3-4: 140 1-2:173-174, 1-2:176, 12:179, 1-2:181-182, 12:201-204, 3-4:68-75, 34:99-102, 3-4:105-106, 34:209, 3-4:227-229, 3-4:261 1-2:173-174 5:53, 5:55, 5:127 5:134, 5:153, 5:157, 5:163, 5:187,5:193, 5:242 3-4:144 1-2:37 1-2:190, 5:51, 5:55, 5:153 3-4:170 1-2:198 1-2:173-174, 1-2:176,12:179, 1-2:181-182, 12:201-204, 3-4:68-75,34:99-102, 3-4:105-106,34:209, 3-4:227-228, 3-4:261 1-2:40, 1-2:54 1-2:40, 1-2:42, 1-2:44 1-2:2 70, 3-4:13, 3-4:19-2 0, 3-4:22, 3-4:25, 3-4:27

CommonNetworkRelativeLink Compressed Webmail Remnants Compressible encryption Computer Name Computer: coutainer4at ContaineriD Containerld ContentJF5 CoutentOutlook ControlSet

ControlSets Cookie Metadata cookies .sqlite Corrupted E-mail Archives Create Quick Triage Image CreationTime Cryptome Legal Guides CSCflags CurrentControlSet

Custom Content Images Custom Content Sources Custom Destinations Custom Destinations jmpexe CSV Output CustomDestinations

3-4:27

customDestinations-ms DATA LAYER

3-4:13, 3-4:17, 3-4:22, 34:25, 3-4:27 3-4:13, 3-4:25 1-2:68-69, 1-2:118

Data Protection API

5:73

Data Stream Carving Examples DateFirstConnected Datetime DaylightBias

1-2:10 5 1-2:193 1-2:223, 3-4:235-236, 5:202 1-2:178

© 2017, Rob Lee

INDEX -5

DaysToKeep DCode

DCodeDateTool UCodeDate DDO Decrypting vcrd files Deleted file

Deleted Keys/Values Desktop Access desktop.ini Destination -

Deviceflandlers DEVPKEY_Device_firstlnstallDate

dir/a Discover the Volume Name

Discover Volume Serial Number disk_cache::kMaxBlockSize Dissecting a Roaming tab Distributed Does the Acconut have a Blank Password Does the Windows Search Indexer operate differently on SSDs? Domain/Work DOMstore DOMStore DPAPI Drive Trimming DRM DumpAutoComplete E-mail Encryption E-Mail Headers E-mail Servers eDGE BROWSER .

1-2:192 5:32, 5:170-171, 5:173 5:32, 5:170-171, 5:173 5:73-74 1-2:98-9% 3-4:57 5:182 3-4:145-146 3-4:121, 3-4:124 3-4:118, 3-4:148, 3-4:178 5:78, 5:119, 5:121,5:123, 5:125, 5:225, 5:227 3-4:118, 3-4:135, 3-4:149,

eDiscovery

3-4:153-154, 3-4:159-161, 3-4:163, 3-4:166-167, 34:177-178 3-4:69, 3-4:88-90, 3-4:92, 34:94,3-4:106 1-2:24, 1-2:26, 1-2:30, 12:33-35, 1-2:37, 3-4:134, 3-

EMDMgmt Encryption

INDEX-6

5:28 1-2:171, 1-2:190-191, 12:193, 3-4:69, 3-4:100-102, 3-4:106, 5:159,5:183, 5:20% 1-2:171,1-2:193 1-2:190-191, 3-4:69,34:100-102, 3-4:106 3-4:110,5:58,5:62,5:171, 5:179, 5:183, 5:190 5:75 1-2:17, 1-2:54, 1-2:59, 12:72, 1-2:103, 1-2:118, 34:8 1-2:145 3-4:3 1 5:30 1-2:270, 3-4:10-11, 3-4:13, 3-4:17-2 3, 3-4:25, 3-4:2 7, 34:60, 3-4:124, 3-4:156, 5:61 3-4:110 3-4:99 5:30 3-4:77-78 3-4:88, 3-4:90, 3-4:92 5:2 04 5:104 3-4:144, 5:2 32 1-2:165 1-2:98

©2017, Rob Lee

Encryption Keys ENUM\USB

envelope ESE Database

ESE Databases are Dirty! ESEcarve ESECarve.exe ESEDatabaseView eseexport eseinfo esentutl eseutil Event ID Codes Event Log

Event Log Analysis Event Log Analysis Resources Event Log Explorer Event Logging

Event Logging service Event Types eventvwr.exe Evidence of categories Evidence of Execution Timeline Example Evidence of File Opening on USB Device Examining Key Values via Registry Editor Examining MS Office Metadata Examining System Configuration Exchange Dumpster Executable File Execution

© 2017, Rob Lee

4:137, 3-4:145-147, 5:7374, 5:170 1-2:26, 1-2:30, 1-2:33,5:73 3-4:68-71, 3-4:73-75, 34:99-102, 3-4:105-106, 34:110 3-4:124 3-4:184-186, 3-4:2 00, 34:2 10, 3-4:244-245, 34:248, 5:33, 5:61, 5:64-65, 5:78, 5:127, 5:129, 5:194, 5:209, 5:232, 5:243-244 5:64 3-4:184, 3-4:186, 3-4:244, 5:65, 5:232-233 5:233 3-4:245, 3-4:248-249, 5:33, 5:35,5:41 3-4:185 3-4:185 3-4:184,3-4:186, 3-4:200, 34:244,5:65 3-4:151 3-4:281 1-2:38, 3-4:1, 3-4:115,34:222-223, 3-4:225, 34:257-269, 3-4:271, 34:2 76, 3-4:2 79, 3-4:28 1282, 3-4:284, 3-4:288, 34:290, 3-4:293, 3-4:30 1302, 3-4:304, 3-4:306-312, 5:116, 5:246, 5:248 3-4:225, 3-4:257,3-4:259, 3-4:309 3-4:3 09 3-4:308 3-4:258-259, 3-4:262-263, 3-4:2 65, 3-4:267, 3-4:284, 3-4:293 3-4:258-259 3-4:262, 3-4:268 3-4:2 72 1-2:18 1-2:245 3-4:59 1-2:141 1-2:113 1-2:168 3-4:15 3 1-2:241-242

INDEX-f

Exfat exfiltration points Exiftool Smartphone Picture Analysis ExMerge ExpiryTime Explorer Access Explorer Common Dialog Export*Mail Export-Mailbox ixpornng umce SbS Mail Extended MAPI Headers Extensible Storage Engine extensions.rdf extensionssqlite ExtraData Fast User Switching Favorites *

File and folder Object Access Success and failure file Carving

file Download

File Knowledge

File Knowledge Physical Location File List File Opening/ creation

1-2:67, 1-2:69, 3-4:43, 34:88 3-4:58 1-2:114 3-4:157-158 5:51, 5:55-56, 5:106-108 3-4:31 1-2:227 3-4:158 3-4:158 5-4 ibb

3-4:130 3-4:151, 3-4:246,5:32-33 5:190-19 1, 5:193 5:134, 5:190, 5:193 1-2:256 3-4:2 $1 1-2:157, 3-4:13, 3-4:309, 5:22, 5:68, 5:77-79, 5:96, 5:98, 5:106, 5:111, 5:123, 5:125 3 4:2h8 1-2:6, 1-2:14, 1-2:21, 1-2:50, 1-2:65, 1-294, 1-2:101, 12:103, 1-2:109, 1-2.116119, 1-2:124, 5:12 1-2:18, 1-2:81, 1-2:207, 110,1-2:4 ,3-4:1 3,34:239, 3-4:3 12, 5:61, 5:17517, 5:185, 5:248 1-2:18, 1-2:210-211,12:213, 1-2:215, 1-2:231, 12:235, 1-2:249, 3-4143, 34:239, 3-4:3 12, 5:248 1-2:18, 1-2:210 1 2.40,3-4:30 1-2:18, 1-2:2 1 ), 1-2:2 7, 1 2:219, 1-2:221-222, 1, %- :1 3,? 2:28 4:219-220, 5:248 1-2:221-222 -

fileMRU fILENAME LAYER fILETIME find Last Drive Letter: External USB Hard Drives firebug Firefox and SQLite firefox Auto-complete: What was the user Typing firefox cache2 Firefox Cache: Viewing the Browser Stockpile firefox Cookies: Goinh Diep intf Website Activity

INDEX -8

©2017, Rob Lee

3-4:232, 5:71, 5:86 3-4:82 5:189 5:134 5:18 1 5. 17 5:145 5: 53

Firefox Download History: Examining what was downloaded firefox Extensions Firefox forensic Methodology firefox Major Version Releases firefox Privacy Settings Firefox Session Restore Firefox Versions firewall Logs First Explored -

-

5:175 5:189-190 5:192 5:131 5:187 5:185 5:129-130, 5:134, 5:182, 5:193 1-2:38 3-4:3 8, 3-4:43 -

Focus Count focus Time forrnhistory.sqlite

-

-

- -

-

-

-

1-2:241-242 1-2:241-242 1-2:105, 5 134, 5:181, 5:183, 5187, 5:193 1-2 29-30, 1-2:37-38, 1 2:40, 1-2:52, 1-2:55, 1-2:59-

FTKlmager

-

GA Cookie Cruncher Geo-Location of MAC Address/SSID Global Object Access

5: 163 1-2:196 3-4:285

Google Analytics Cookies Session Tracking Google Analytics Cookies Traffic Sources C” Analytics Cookies unique Visitors

5:160 5:161 5:159

‘

1-2-

‘

119,

5:206, 5:221-222 1-2:128, 1-2:130 3 :64 1-2 72 1-2:244 3-4:153-154 3-4 153 1 2:29-30, 1 2:165, 3-4 178, 3-4:190, 3-4:192, 3-4:198, 3-4:208-2 09, 3-4:2 12, 34:2 14, 3-4:2 16, 3-4:23 1233, 3-4:235, 5:12, 5:49, 5:74, 5:159-161, 5:204 1-2:29-30, 1-2:i 5, 3-4:178, 3-4: 190, 3-4:192, 3-4:198, 3-4:208-209, 3-4:212, 34:214,3 i:216,-4:2%

Group Information GIJID folder Guidelines for Media Sanitization GUIDs for UserAssist Hard Delete Hard-deleted Hash

HASH

-

©2017, Rob Lee

INDEX 9 -

hiberfiLsys Hindsight Chrome forensics hindsightpy Historical Networks History Artifacts in Firefox: Investigating Sites Visited History database History files

RistoryJES HomeGroup Host-based E-mail Host-based E-mail Review How Does PhotoRec Work? How File Carving Works: Recovering Deleted files flow was the Web Page Requested? Visit Types in firefox HTMLS Web Storage Identify the Microsoft OS Version Identifying Logon Sessions Identifying Synchronized IF History Ito Data Locations IF 11 Data Locations IF Cache folders IE Cache Timestamps IF Data Location IF Download History IE Session Recovery IF Session Recovery folders IF Session Recovery Form Data IF Synchronization IE1O

3-4:147

1-2:120 1-2:118 5:141 5:134, 5:170 5:171 1-2:170 3-4:277 5:108

5:24 5:26 5:46

5:51 5:37 5:61 5:81, 5:83, 5:90, 5:11% 5:83

5:90

IF 10+ Cache Metadata: WebCacheV*dat IE1I

IF11 Tab Synchronization IFS 1E9

NDEX -10

233, 3-4:235, 5:12,5:49, 5:74,5:159-161, 5:204 1-2:27-28, 1-2:105, 5:235, 5:239 5:221-22% 5:222 1-2:185-186, 1-2:191 5:138 5:29, 5:14%, 5:197-200, 5:202, 5:208,5:221 3-4:218, 5:17, 5:21-22, 5:28, 5:31, 5:39, 5:44, 5:57, 5:68, 5:74, 5:78, 5:135, 5:139, 5:143 5:22, 5:29-33 1-2:186, 1-2:199 3-4:118, 3-4:133, 3-4:144, 3-4:147-148, 3-4:164

©2017, Rob Lee

5:92, 5:98 3-4: 140, 5:20-21, 5:24, 5:28-30, 5:32-33, 5:39,5:46, 5:48-49, 5:51, 5:55, 5:57-58, 5:61, 5:68-69, 5:73, 5:92, 5:114, 5:121, 5:206, 5:233 5:48 3-4: 140, 5:20, 5:26, 5:46, 5:57-58, 5:100,5:102, 5:108, 5:118, 5:127 5:102 3-4:17, 5:20-21, 5:81-83, 5:171, 5:173 5:20-21, 5:28-3 1, 5:39, 5:44,

5:55, 5:62, 5:68, 5:74, 5:83, 5:111 1-2:12, 1-2:84, 1-2:103,12:105-108, 1-2:248, 3-4:48,

IEf

?

---

115 logs Image Mounting Image RAM In-Reply-To Index.dat

indexiitrnl INetCache

INetookies INetilistory 1Nf02 Information:

mode mode number InPrivate Browsing Mode InPrivate Session recovery instalLrdf Internet Evidence Finder

Internet Explorer Cookies: Digging Deep into Website Activity Internet Explorer Credential Manager Internet Explorer History: Investigating Sites Visited Internet Toolbar InternetShortcut IS_REDIRECT_MASK iSSI jmp.exe jump

©2017, Rob Lee

A

fl7

¶

A1

6

)

-

Li,

5:2ii,. 1-2:38 1-2:51-52, 1-2:55 1-2:24-26, 1-2:37 3-4:128 1-2:103, 1-2:120, 5:20-21, 5:24, 5:28-32, 5:35, 5:37, 5:39, 5:46, 5:49, 5:51, 5:5556, 5:62, 5:111, 5:114, 5:146, 5:171, 5:173, 5:227, 5:244, 5:248 5:142 3-4:140, 5:26, 5:46, 5:48, 5:57, 5:114 5:26, 5:55, 5:57 5:57 3-4:203-205 1-2:271, 3-4:210, 3-4:228, 3-4:298, 5:53, 5:61, 5:77, 5:166 1-2:72, 3-4:37 3-4:3 7 5:227 5:230 5:190-191 1-2:33, 1-2:103, 1-2:105106, 5:110, 5:206, 5:209, 5:211, 5:237, 5:239, 5:242 5:53

5:73 5:28 1-2:241 5:77 5:201 3-4:1 ,9 1-2:270, 3-4:22-23, 3-4:25, 3-4:27 1-2:39, 1-:254, 1-2:2r7, 12:27t) 3 4:8, 3-4: It), 3-4:13, 3-4:15, 3-4:18-22, 3-4:27, 34:60, 3-4:225, 3-4:239, 34:312, SIt 4,5:248

INDEX-il

3-4:22 1-2:254, 1-2:270, 3-4:8,34:10, 3-4:15,3-4:19-20,34:22, 3-4:239,3-4:312, 5:104 3-4:139

Jumplist Parsing Utility Jmnplists

Kernel OST Viewer Kernel Outlook PST Viewer Key Last Write Time

3-4:135 1-2:13 7, 1-2:154, 3-4:44-45

known folder

1-2:255

Last Access Time ON/Off Last Command Executed Last Commands Executed Last Explored Last Failed Login

1-2:181 1-2:238 1-2:133, 1-2:238 3-4:38, 3-4:43 1-2:161, 1-2:167, 1-2:207, 1-2:249, 3-4:113, 3-4:239, 3-4:3 12, 5:248 1-2:128, 1-2:161-162, 12:167, 1-2:207, 1-2:249, 34:113, 3-4:239, 3-4:312, 5:248 1-2:241, 3-4:216

LastLoglu

Last Run Time Last Time Device Connected

3-4:51,3-4:69,3-4:71, 3-

Last Write Time

LastAccessTime LastDateConnected LastKnowuGood LastRoamed LastYisitedMRU Layout.ini Leak libesedb Live Shadow Volume Examination LNK File Analysis

LNK Target file Analysis Using lpexe LNK: ShellLinklleader Local File Access In JE History Local Storage Local Stored Objects LogFiles Logged:

INDEX-12

©2017, Rob Lee

4:98,3-4:101,3-4:106 1-2:136-137, 1-2:139, 12:141, 1-2:154, 1-2:163, 12:178, 1-2:190, 1-2:228, 12:231, 3-4:30, 3-4:44-45, 34:86, 3-4:96, 3-4:231, 34:233 5:33 1-2:190 1-2:174 5:93 1-2:227, 1-2:231, 1-2:233, 1-2:235 3-4:209 3-4:127, 3-4:170, 5:49, 5:88, 5:235,5:239 3-4:184-185 1-2:89 1-2:267,1-2:270-271,12:2 74, 3-4:69, 3-4:77, 34:94, 3-4:106 1-2:271 1-2:257 5:39 5:170-171, 5:224 5:166 1-2:38, 5:39 3-4:273

Logically Mounted Images Logon count Logon Event

1-2:54 2: 1-2:201, 3 4:266 267, 34:271, 3-4:275, 3-4:281, 34:293-294, 3-4:296 3-4:2” -4:275- ‘7.3-

Logon Type

Logon Type Codes lp.exe Machinelnfo.dat Magnet forensics Mail Transfer Agent MAPI Mapi-Client-Submit-Time Mapi-onversation-Index Mapi-EntrylD Mapi-Message-fLags Mapped Image List Mapped Images Mass Storage Class Mass Storage Class Devices Media Access Control Media Transfer Protocol Media Transport Protocol Memory Acquisition memory.dmp Memoryze Message-ID Message ID Threading MessageOps Exchange Migrator METADATA LAYER Microsoft ActiveSync Microsoft Azure Microsoft Exchange Microsoft Messaging Application Programming Interface Microsoft Office RecentDocs Microsoft Outlook MIME mini-start MiTeC Structured Storage Viewer mklink Mobile E-mail Modified

©2017,RobLee

3-4:2 75 1-2:270 271, 3-422 5:102, 5:106 1-2:34, 1-2:84, 1-2:103, 5:2 37, 5:242 3-4:124-125, 3-4:127 3-4:1304 1 3-4: 130 -4:1 0 3-4:13t) 3-4:130 1-2:60 1-2:60 3-4:5 3, 3-4:60, 3-4:110 3 4:60, 3 4 10 3-4:302 3-4:57 3-4:54 1-2:24-25, 1-2:27 1-2:28 1-2:33 3 4:124-125, 3-4128 -4:12 3-4:167 1-2:68-69, 1-2:118 3-4:177 3-4:16 7 3-4:13 0, 3-4:137, 3-4:151, 3-4:159 4: 1-2:22 1 3-4:124, 3-4:130, 3-4:134135, 3-4:143, 3-4:147, 5:35 1-2:114, 3-4:122, 3-4:124, 3-4:145 146, 3-4:151 -4:8 5:86, 5:104 2:89 3-4:118, 3-4:177 1-2:16, 1-2:79, 1-21.41, 12:264-265, 1-2:268, 12:271, 3-4:20-21, 3-4:25, 3-

INDEX

13

4:103, 3-4:154, 3-4:192, 34:198, 3-4:222,3-4:228230, 3-4:232, 34:236, 34:245, 5:35, 5:51, 5:53, 5:55, 5:64, 5:78-79, 5:145-147, 5:150-151, 5:168, 5:236 5:35, 5:51, 5:55 3-4:68-69, 3-4:71, 3-4:77, 34:80,3-4:82-83, 3-4:86-87, 3-4:105-106, 34:231, 34:233 3-4:68-69, 3-4:71, 3-4:77, 34:80, 3-4:82-83, 3-4:86-87, 3-4:105-106, 3-4:23 1, 34:233 3-4:69, 3-4:7 1, 3-4:87, 34:99,3-4:101,3-4:106 5:175, 5:179 5:139, 5:175,5:179 3-4:25, 3-4:172, 5:16, 5:18, 5:129,5:204 5:142-143 5:143 1-2:139, 1-2:217, 1-2:219, 1-2:238, 3-4:37,3-4:43,34:45 3-4:37, 3-4:43, 3-4:45 1-2:139 3-4:50, 3-4:53-54, 3-4:57, 34:59, 3-4:61, 3-4:68, 3-4:7576, 3-4:80, 3-4:82, 3-4:8687, 3-4:98, 3-4:105, 3-4:108, 3-4:110, 3-4:177, 3-4:265 3-4:54, 3-4:59, 3-4:80, 34:110 3-4:54 5:29-30, 5:3 7, 5:41 3-4:124-125, 3-4:127 3-4:39-41., 3-4:50, 3-4:5354,3-4:57-59,3-4:61, 34:63-66,3-4:75, 3-4:110, 34:124-125,3-4:127 3-4:58-59, 3-4:61, 3-4:6364, 3-4:75, 3-4:110 3-4:57 5:37 1-2:241 1-2:191

ModifiedTime Mountedflevice

MountedDevices

MountPoints2 moz_annos mozplaces Mozilla Firefox MoziflaHistoryView MozillallistoryViewer

MRUUst MRUL1stEx MR{JLists MSC

MSC Devices MSC Overview MSHist MTA MTP

MTP Devices

MTP Overview Multiple Tables Per Artifact Name of GUI Application Nametype Network Diagnostics Network Interfaces

INDEX -14

3-4:304 1-2:182-183

© 2017, Rob Lee

Network Location Awareness Network Types Networkbased mail encryption NetworkList New-MailboxExportRequest Nirsoft

1-2:185 1-2:191 34:146 1-2:186, 1-2:190-191 3-4:157-158 1-2:241, 3-4:134, 3-4:147, 3-4:165, 3-4:218, 3-4:222, 3-4:245, 3-4:248, 5:33, 5:35, 5:41, 5:62, 5:73-75, 5:77, 5:79, 5:111, 5:142-143, 5:147, 5:150-151, 5:155, 5:168, 5:176-177, 5:192, 5:2 04, 5:22 1 5:77, 5:79 5:168 5:150 5:142 1-2:185486,5:81 5:45 3-4:153 5:81 1-2:107 1-2:78 1-2:54,1-2:59,1-2:69,12:71, 1-2:73-75, 1-2:77-81, 1-2:87, 1-2:120, 1-2:181,34:43,3-4:45, 34:88,34:204, 3-4:223,5:51.5:9293,5:202 1-2:73 1-2:121 1-2:165 1-2:38, 1-2:42, 1-2:130-131, 1-2:133-135, 1-2:142, 12:148, 1-2:156-159, 12:201, 1-2:209, 1-2:211, 12:213, 1-2:215, 1-2:217, 12:2 19, 1-2:22 1, 1-2:229, 12:233, 1-2:237-239, 12:241, 1-2:245, 1-2:247,34:3 1, 3-4:38, 3-4:40,3-4:4445,3-4:69,3-4:71, 34:8687,3-4:99,3-4:106, 5:68-69, 5:71, 5:111, 5:119, 5:127 1-2:38, 1-2:42, 1-2:130-131, 1-2:133-135, 1-2:142, 12:148, 1-2:156-159, 12:201, 1-2:209, 1-2:211, 12:213, 1-2:215, 1-2:217, 12:219, 1-2:221, 1-2:229, 1-

NirSoftFavoritesVlew NirSoft FlashCookiesView NirSoft MozillaCacheView NirSoft MozillallistoryView MA no_cache_write non-IPM NoReopenLastSession Notable 11W Carved Artifacts Notable NTFS Artifacts NTFS

NTfS Features NtfsDisableLastAccessUpdate NTLM NTUSER.dat

ntuser.dat

©2017,RobLee

INDEX-15

Object Auditing Events Office 365 encryption Office 365/2013 fIIeMRU Keys Offline Folder Files Offline Registry Viewhig Forensicating the Registry OLK Open Registry Hive OpenSaveMRU Orphan .OST OS Artifacts Other Host-based Formats Outlook Attachment Recovery pagefilesys ParentlDPrefix Parsing Metadata in Files Parsing WebCacheV*dat Passware Password Policy persistent Personal Storage Table pLexe PGP/MIME PhotoRec PhotoRec Sorter Physical Location

Physically Mounted Images PIDL

placejd placessqlite

Porn Mode Position POSIX

Pr_Lastyerb_Executed

INDEX -16

© 2017, Rob Lee

2:233, 1-2:237-239, 12:241, 1-2:245, 1-2:247, 34:3 1, 3-4:38, 3-4:40, 3-4:4445, 3-4:69, 3-4:71, 3-4:8687, 3-4:99, 3-4:106, 5:68-69, 5:71, 5:111, 5:119, 5:127 3-4:286 3-4:146 1-2:222 3-4:137 1-2:142 3-4:12 1, 3-4: 140, 3-4:167, 5:11, 5:73, 5:236 1-2:142 1-2:227-229, 1-2:23 1, 12:235 3-4:137 3-4:58, 5:6 3-4:142 3-4:140 1-2:28-30, 1-2:38, 1-2:105, 5:228, 5:235, 5239 3-4:71, 3-4:80 1-2:111 5:33 1-2:33 1-2:16 1 1-2:235, 5:5, 5:53, 5:166, 5:170, 5:186 3-4:134 3-4:217, 3-4:220 3-4:145 1-2:119-121, 1-2:123 1-2:123 1-2:18, 1-2:207, 1-2:210, 34:113, 3-4:119,3-4:239,3-. 4:312,5:248 1-2:54 1-2:228-229, 1-2:231,12:233, 1-2:242-243, 12:256,5:194 5:139,5:175,5:179 1-2:105, 5:77-79, 5:134, 5:138-139, 5:141-142, 5:175,5:179, 5:187,5:193, 5:198,5:241-243, 5:248 5:227 1-2:223, 3-4:37-38, 5:185 1-2:73 3-4:130

Prefetch

1-2:19-20, 1-2:38, 1-2:98, 34:182, 3-4:208-2 10, 34:212-213, 3-4:215-221, 34:224-22 5, 3-4:2 28, 34:238-239, 3-4:311-312, 5:116, 5:208, 5:217, 5:236, 5:240, 5:246, 5:248

Prefetching prefsjs

1-2:98, 3-4:208-209, 5:208 5:130, 5:138, 5:145, 5:175, 5:186-187 5.227, 5:235 236, 5:239 1-2:192 1-2:16 1-2:186, 1-2:188, 1-2:1901914-2.1 3 1-2. 162 1-2.18, 1-2:133, 1-2:156, 12:210, 1-2:231, 1-2:235, 1-

Private Browsing Mode Private/Home Problem Solving ProfileGuid Profiling Local IJsers Program Execution

7.

All

4:.Ji, 3-4.,, 4:s;2, 5:248 1-2:17, 1-2:241, 3-4:13 1 2:256 5:21-22, 5:37, 5:55, 5:57-58, 5:114, 5:121, 5:132 3-4:164, 5:73-74, 5:111., 5:1.14, 5227 5:138 139,5:175-176, 5:181, 5:183 3-4:163 3-450, 3-4:53, 3-4:55-57, 34.75, 3-4:110 3- 55 1-2:185, 1-2:192, 1-2:198, 3-4:145, 5:11 5:201 1-2:243, 1-2:248, 3-4.48, 34:112,3 4:114,3 4:180,34:238, 3-4:275, 3-4:281282, 3-4:306, 3-4:311-312, 5:116, 5:246, 5:248

Proper Analysis PropertyStore protected mode Protected Storage PRTIME

PST capture PTP PTP Overview Public

QUALIfIER_MASK RDP

ReadyUoost

1-2:98, 3-4:8&-89

Rebuilding Cached Webpages recbin.exe Recent Docs

5:2 06 3-4:205 1-2:19, 1-2:144, 1-2:217, 12:219, 3-4:8

© 2017, Rob Lee

INDEX-if

1-2:139, 1-2:217, 1-2:219, 1-2:221, 3-4:8,3-4:11,34:31, 3-4:69, 3-4:89,34:106 5:2 28 5:81, 5:84,5:88 5:81, 5:88 1-2:161, 3-4:203-205,34:210, 3-4:239, 3-4:312, 5:12, 5:248 3-4:203 3-4:203-%04 5:186 3-4:203, 3-4:205 5:49 1-2:69,5:130,5:138,5:145, 5:175, 5:186-187 3-4:10 1-2:38,1-2:103,1-2:129,12:133, 1-2:135, 1-2:142143, 1-2:150, 1-2:152, 12:156, 3-4:31, 3-4:33, 34:38, 3-4:40, 3-4:45 1-2:2 10 1-2:149, 1-2:159, 3-4:3 8, 34:103 3-4:98 1-2:15-16 5:61 3-4:178 1-2:244, 3-4:175 1-2:241-242, 3-4:2 16 1-2:242-243 1-2:238, 1-2:249, 3-4:113, 3-4:239, 3-4:312, 5:248 1-2:201 1-2:242-243 1-2:242-243 3-4:145-146 3-4:266 1-2:165 5:242 5:82 3-4:37-38, 3-4:44-45 3-4:4 5 3-4:38-40, 3-4:43, 3-4:127, 3-4:155 3-4:137 3-4:177 1-2:105, 1-2:2 11, 1-2:2 13, 1-2:254, 5:187

RecentDocs

Recovering InPrivate Artifacts RecoveryStore RecoveryStore files Recycle Bin

Recycle Bin forensics Recycled Recycler REDR ReFS registered handler Registry Hives

Registry User Activity: Evidence Of RegRipper Removal Time Requires Analysis Responsefleaders Review: forensic E-mail Analysis ROTI3 Run Count RUNCPL RunMRU RunOnce RunPath RUNPIDL S/MIME SACL SAMinside Sanderson SQLItC Recovery Save_Session_History_On_Exit shag sbag.exe Output Analysis SBE scanost.exe SCM Search History

INDEX-18

©2017, Rob Lee

Search Results searchbarhistory Searching

Secure Temp Folder

1-2:154, 3-4:159-160, 5:161 5:183 1-2:150, 1-2:154k 1-2:157, 1-2:211, 1-2:259,3-4:14, 3 4:86-87,3-4:121, 3-4:133, 3-4:149, 3-4:159-160,34:164,3-4:166,3-4:173,34:175, 3-4:185,3-4:200,34:261, 3-4:308,5:49,5:90, 5:132) 5:134, 5:222, 5:236, 5:244 3-4: 140

SecureDirectoiy

5:48

Security Log

3-4:222, 3-4:262-268, 34:2 73, 3-4:284, 3-4:290291, 3-4:308 3-4:263 5:197-198 5:201 1-2:80, 1-2:182, 1-2:201202, 3-4:149, 3-4:164-165, 3-4:246, 3-4:261, 3-4:263264, 3-4:275, 3-4:281-282, 3-4:306, 3-4:312, 5:248 5:185-186, 5:193, 5:196, 5:248 5:186 1-2:105, 5:185-186, 5:193 1-2:38, 3-4:69, 3-4:71, 34:99, 3-4:103, 3-4:106 3-4:103 1-2:62, 1-2:197-198, 12:200, 1-2:255, 3-4:200, 34:284, 5:16, 5:39 1-2:197-198 1-2:227, 1-2:253-258, 12:269, 3-4:1, 3-4:5, 3-4:7, 34:29, 3-4:47 1-2:253, 3-4:47 1-2:2 55 3-4:37 3-4:30-3 2 3-4:37 3-4:44 3-4:3 3 3-4:38-40, 3-4:43 3-4:39-40 1-2:257 1-2:241 1-2:203-2 04

Security Log: Segments SERVER_REDIRECT Services

Session Restore sessionstorebak sessionstore.js setupaphdevJog setupapLiog Shares

Shares and Offline Caching Shell Item

Shell Item AnalysIs Shell Item Artifact Attributes SheliBag GUIDs Shellbag keys SheilBags Analysis Key Items Sheilbags Analysis sbag.exe Sheilflags Based on Windows Explorer SheliBags Explorer SheilBags Explorer Command Line ShellLinkHeader Shortcut File Execution Shutdown Count

© 2017, Rob Lee

INDEX 19 -

1-2:203-204 1-2:203-204 1-2:203-205 5:134 3-4:124 3-4:124-125, 3-4:127 5:196,5:209-210,5:224 1-2:25 3-4:153 1-2:95-96, 1-2:98-99 1-2:25, 1-2:242 5:9 5:242 5:183 5:242 3-4:240-249, 3-4:252-255 1-2:30, 1-2:96-100, 1-2:165, 3-4:8B, 3-4:209-210, 5:12 1-2:97 1-2:186, 1-2:190-191, 12:196, 1-2:207, 1-2:249, 34:113, 3-4:239, 3-4:301302, 3-4:304, 3-4:311-3 12, 5:116, 5:246,5:248 3-4:146, 3-4:159, 5:161 1-2:178 1-2:6,1-2:14,1-2:21,1-2:50, 1-2:65, 1-2:94, 1-2:101, 12:103, 1-2:105-106, 12:108-109, 1-2:116 1-2:256 3-4:11, 3-4:18, 5:86, 5:104 3-4:268 1-2:9 6, 1-2:99 5:170, 5:240,5:248 3-4:3 12, 5:248 3-4:266 1-2:201-202 1-2:169, 1-2:206 3-4:3 04 1-2:83, 1-2:85, 1-2:98 5:93, 5:100, 5:102, 5:104, 5:110, 5:114 3-4:8, 3-4:10, 3-4:17, 3-4:25, 3-4:27, 3-4:143,3-4:151,34:264, 3-4:275 3-4:198 3-4:189 3-4:189-192, 3-4:194, 34:239, 3-4:312, 5:12, 5:248

shutdown count Shutdown Information Shutdown Time signonssqlite Simple Mall Transfer Protocol SMTP SNSS SODDI Soft Delete Solid State Drives Some Other Dude Did It Source: SQLite Deleted Data SQLite Manager: formhistory.sqlite sqlparsepy srum SSD SSD Trim SSID

SSL StandardBias StreamCarving

StringOata Structured Storage Viewer Success Audit sudden power loss Super Cookie Suspicious Services System Access Control List System Boot Autostart Programs System Configuration Overview System Event Log System Restore TabRoaming Tasks

Thumbcache Viewer Thumbnail forensics thumbsdb Thumbsdb

INDEX 20 -

© 2017, Rob Lee

Time Manipulation Time Zone Information thnestamp phenomenon TLS Top Sites Trackerlnformation Tracking account Usage Tracking Account Usage Remote Desktop Protocol Tracking BYOD and External Devices transition

3-4:130, 3-4:290-291 1-2:178-179 3-4:140 3-4:12 7, 3-4:146 5:197-198,5:217-218, 5:220, 5:224 1-2:256 3-4:271-2 72, 3-4:279,34:281-282 3-4:281-282 3-4:293-294,3-4:296

5:32, 5:55, 5:131, 5:175, 5:196, 5:199-201, 5:209210, 5:217, 5:222 3-4:146 1-2:33, 1-2:35 1-2:215 1-2:133, 5:68-69, 5:200, 5:208, 5:220 1-2:2 15 1-2:144, 5:68-69, 5:71, 5:93-94, 5:96, 5:98, 5:100, 5:106, 5:112, 5:114, 5:119, 5:127, 5:139, 5:227 5:68,5:71,5:106 3-4:263 1-2:242-243 1-2:242-243 1-2:15, 1-2:192, 1-2:244,34:54,3-4:198, 5:232 1-2:29,1-2:69,1-2:71-72,12:85, 1-2:103, 1-2:118, 12:143, 1-2:149, 1-2:259, 34:137, 3-4:142-143, 34:165, 5:29, 5:136, 5:228, 5:232, 5:237, 5:239, 5:241244 1-2:15 1-2:74-75, 1-2:80, 1-2:154, 3-4:25, 3-4:121, 3-4:135, 34:203, 3-4:232, 3-4:249, 5:61, 5:90, 5:102 3-4:15 3-4:5 1, 3-4:68-69, 3-4:7375, 3-4:77, 3-4:88, 3-4:90, 34:94, 3-4:96, 3-4:103, 34:105-106, 3-4:294 5:147, 5:154, 5:159-160, 5:183, 5:202 1-2:60, 1-2:75, 3-4:57

Transport Layer Security Truecrypt Typed Paths Typed URLs TypedPaths TypedURLs

TypedURLsTime Types of Event Logs UIQCUT UITOOLBAR IJMS Unallocated

Understanding Evidence Created UNICODE

Unique AppiD Unique Serial Number

Unix epoch Unmount

©2017, Rob Lee

INDEX-21

User Communication User Files User:

1-2:103, 1-2:105, 1-2:133, 1-2:144,1-2:157, 1-2:194, 1-2:215, 1-2:273, 3-4:17%, 5:21, 5:28, 5:35, 5:48-49, 5:55-56, 5:61, 5:68-69, 5:71, 5:73,5:77-7%, 5:86, 5:93-94, 5:96, 5:98, 5:100, 5:104, 5:t06, 5:108,5:112,5:114, 5:119, 5:123,5:125, 5:127, 5:137-139, 5:141, 5:143, 5:145-147, 5:150,5:161, 5:168, 5:175-176,5:179, 5:191, 5:197-200, 5:208209,5:213,5:218,5:220221,5:227, 5:239 5:28,5:239 1-2:18, 1-2:210,3-4:113,34:2 39, 3-4:312,5:248 3-4:68-69, 3-4:88, 3-4:90, 34:94, 3-4:96, 3-4:105-106 3-4:99, 3-4:107 3-4:68-70, 3-4:72-74, 34:80, 3-4:99-102, 3-4:105107 1-2:20%, 1-2:210, 1-2:249, 3-4:113, 3-4:239, 3-4:312, 5:248 1-2:18 1-2:76-77 5:17, 5:170, 5:192

user_pTef

5:130, 5:175

URL

URL History USU Key Usage USB Unique Serial Number USBfleviceForensics USBSTOR

User Comms

1-2:19, 1-2:156-157, 12:239, 1-2:241-244, 12:248-249, 3-4:30, 3-4:112114, 3-4:180, 3-4:238-239, 3-4:311-312, 5:116, 5:236, 5:246, 5:248 1-2:239, 1-2:241-242 1-2:241 3-4: 140 5:157, 5:159-160, 5:163 5:157,5:160,5:163 5:157, 5:161 5:157 5:157 5:157, 5:161463 3-4:76 5:136 3-4:143 3-4:51

USERASSIST

UserAssist Key UserAssist Key Tracks: USNJouruaJ utma utmb utmc

utmv utmx

utmz UVCView Validate your Tools! vCard Vendor/Make/Version

NDEX-22

©2017, Rob Lee

VHD Virtual Hard Disk

3 4:155, 3-4:224 3-4:155

visits

5:44,5:78,5:110,5:136, 5:138-139, 5:157, 5:159, 5:161, 5:197-200, 5:202, 5.217-218 2:24-27, 1-2:34 1-2:24, 1-2:33, 1-2:96, 5:12 3-4:94, 3-4:9 6 1-2:83-85, 1-2:87

Volatile Data Volatility Volume Serial Number Analysis Volume Shadow Copy

vssadmin Wear Leveling Web Browser Bookmarks: Looking at Saved Locations Web History Web Storage

1-2:87, 1-2:89 1-2:97-100 5:77 1-2:105, 512 5:111-112,5:134,5:170171, 5:173, 5:221, 5:224, 5:240 5:134 5:170-171 5:73-75, 5:111 5:35 5:55 5:196, 5:202, 5:225 5:2 02 3-4:164 3-4:267 3-4:119 3-4:121 5:17 3-4:2 66 5:13 2 3-4:55-56 1-2:196 1-2:19( 1-2:98

webappsstoresqlite webappstore2.sqlite WebBrowserPassView WebCacheV*.dat History Tables WebacheV*dat WebKit Webkit Format Webmail forensics What are We Likely to find? Default Security Logging What can li-mail Forensics Tell Us? What can We Analyze What can we find During Browser Forensics? What is Recorded? Security Event Categories Where to Start: firefox file Locations WIA Wigle wigle.net Will disk defragmentation be disabled by default on SSDs? Will Superfetch be disabled on SSDs? Windows Event Log Windows Events Windows Forensic Analysis Overview

Windows Image Acquisition Windows LNK Parsing U ility Windows Offline files Cache Windows Portable Device

1-2:98 3-4:262 3-’ :25k 1-2:102, 1-2:126, 1-2:252, 3-4:6, 3-4:49, 3-4:116, 34:181, 3-4.256, 3-4:313, 5:14, 5:247 :55-5( 1-2:270 1-2:199 3-4:55-5 7, 3-4:69, 3-4.7778, 3-4:80, 3-4:94, 3-4:106 .

©2017, Rob Lee

-

INDEX -23

3-4:184

Windows Search Database Windows Server Backup Windows Time Rules Windows Vault windowsedb windows_ieaçXXX Wininet W1nPMEM Wiped file Wired

3-4:155

1-2:79 5:73-74, 5:127, 5:227 3-4:184-186, 3-4:200 5:58 5:93-94

S

1-2:27

1-2:72 1-2:182, 1-2:190-19 1, 34:247, 5:157, 5:200 1-2:128, 1-2:182, 1-2:190191, 1-2:193, 1-2:196, 12:207, 1-2:249, 3-4:113,34:239,3-4:241,3-4:247,34:301-302, 3-4:304k 34:306, 3-4:312,5:248 3-4:301-302 3-4:301 1-2:211, 1-2:213, 1-2:249, 3-4:113, 3-4:239, 3-4:312, 5:248 3-4:55-57, 3-4:59, 3-4:6367,3-4:110 3-4:59, 3-4:63-67 3-4:64 3-4:155 3-4:155 3-4:125 3-4:124-125 3-4:124-125, 3-4:127 3-4:262 1-2:156, 1-2:22 7 1-2:80-81 5:84, 5:90, 5:114, 5:127

Wireless

Wireless Network Geolocation WLAN-Autoconfig Log WordWheelQuery

WPD WPDNSE WPDNSE Temp folder WSB WSBExcbange.exe X-IP X-Mailer X-Originating-IP X-Path YARU ZoneJdeutifler {GUID}.dat

INDEX -24

© 2017, Rob Lee