1 / 26

Lecture 6 Forensic Analysis of Windows Systems (contd. after lecture 4)

Lecture 6 Forensic Analysis of Windows Systems (contd. after lecture 4). Prof. Shamik Sengupta Office 4210N ssengupta@jjay.cuny.edu http://jjcweb.jjay.cuny.edu/ssengupta/ Fall 2010. What we will cover today. Forensic analysis of Windows systems Learning where to look

chad
Download Presentation

Lecture 6 Forensic Analysis of Windows Systems (contd. after lecture 4)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 6Forensic Analysis of Windows Systems(contd. after lecture 4) Prof. Shamik Sengupta Office 4210N ssengupta@jjay.cuny.edu http://jjcweb.jjay.cuny.edu/ssengupta/ Fall 2010

  2. What we will cover today • Forensic analysis of Windows systems • Learning where to look • Understanding compound file types • Viewing the structure • Recover and Analyze • Hands-on Practice

  3. The Recycle Bin • Understanding how the recycle bin works is critically important for forensic examiners • Stores many significant info which is usually overlooked at the time of examination • The recycle bin is a system folder of Windows • Operates in accordance with different rules than those govern standard folders • The folder is named as • “Recycled” in Windows 95/98 • “Recycler” in Windows NT/2000/XP • E.g., open a dos window and go to c drive • Type cd recycler • It will open up the recycle bin folder

  4. The Recycle Bin (Continued) • E.g. recycler folder in XP

  5. The Recycle Bin (Continued) • When a file is deleted, it is moved to the Recycle Bin • On windows NT/2000/XP, the first time a user puts a file in the recycle bin, a subfolder is created in c:\recycler • The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file • When a file is deleted, it results in three steps: • 1) the deletion of the file’s folder entry in the folder in which the file resided • 2) the creation of a new folder entry for the file in the Recycle Bin • 3) the addition of information about the file in a hidden system file named INFO (or INFO2 depending on windows systems) in the Recycle Bin

  6. The Recycle Bin (Continued) • E.g. recycler folder in XP

  7. The Recycle Bin (Continued) • So, although Windows does not store the deletion date and time of a file in its folder entry • Windows records the date and time of deletion in the INFO file when a user sends a file to the Recycle Bin • Other information stored in the recycle bin include: • The file’s location prior to being sent to the Recycle Bin • It’s index number in the Recycle Bin • It’s order in the Recycle Bin • 0 assigned to the first file in the Recycle Bin after the Recycle Bin is emptied • Its new filename in the Recycle Bin • Every file sent to the recycle bin is renamed in the following format • D[orginal drive letter of file][index no][original extension] • E.g. hw1.txt residing in C:\My Documents was sent to empty recycle bin • Its new name is DC0.txt

  8. The Recycle Bin (Continued) • An INFO file is often effective in confirming or refuting computer user’s explanations regarding the presence or history of computer files recovered from their drives • It contains metadata relating to a particular file such as the date of deletion and the original path • INFO file records tell stories about file histories and the user’s state of mind • Files deleted by the OS do not leave a record in the INFO file • INFO file record indicates that a user knowingly deleted the file • If a user claims a file was downloaded without his notice during internet activity, the file’s location when it was deleted may tend to support or refute that contention • If a user deleted a particular file residing • A) in a default download folder or in the Temporary Internet Files folder • B) My Document\My Favorite Things\My Pictures…

  9. The Recycle Bin (Continued) • When the user elects to empty the Recycle Bin, • Windows deletes the file (such as DC0.txt) in the Recycle Bin and also deletes the INFO file • More sophisticated techniques are then needed to recover the files

  10. The Recycle Bin in Windows Vista / 7 • The contents of the recycle bin has changed in Windows Vista/7 • The name of the folder itself has changed to “$Recycle.bin” • Open dos command prompt and go to c drive • Type cd $Recycle.bin • The INFO2 file that is present in Windows 2000/XP/2003 has been removed • In Windows Vista, two files are created when a file is deleted into the recycle bin • Both file have the same random looking name, but the names are preceded with a “$R” or “$I” • The file with the “$R” at the beginning of the name is actually the data of the deleted file • The file with the “$I” at the beginning of the name contains the path of where the file originally resided, as well as the date and time it was deleted

  11. Case study: Viewing Recycle Bin using EnCase • How do you view recycle bin using EnCase? • (you do not have to acquire the disk) • Locate recycle bin using EnCase • Locate the systems ids • Locate the deleted files

  12. Shortcut Files • The shortcut files refer to shortcut links for quick viewing • Users open a file or folder or start an application program by double clicking on the appropriate shortcut icon • Where are the shortcut files stored • Folder location of shortcut files • Windows\Desktop • Windows\Recent • Windows\Start Menu • Windows\Send to • The existence of shortcut files can serve to support the contention that a user had knowledge that a particular file or application was present on the computer • Although actual files might have been deleted

  13. Shortcut Files (Continued) • The Window\Recent menu folder contains shortcut files that point to data files that were opened on the computer • By default 12/15 shortcuts are maintained • REALLY?? • The Window\Start menu folder contains shortcut files that point to files and programs that appear on the Start Menu • The shortcut files can provide evidence that an application program, which is no longer present on the computer, was installed at one time • The date and time stamps on the shortcut files can help to identify the date that the installation occurred

  14. Viewing “desktop” and “recent” folder

  15. Case Example: Shortcut Files A special agent of the Illinois Attorney General’s Office investigated a case involving a CP. The agent located a shortcut file in the Windows\Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting CP to be displayed on the computer’s monitor when the shortcut was activated. This example is applicable to the investigation of many forms of computer crime

  16. Case study: Viewing Shortcut files using EnCase • How do you view shortcut files using EnCase? • (you do not have to acquire the disk) • Locate shortcut files • Analyze • The shortcut files also contain the fully qualified paths of the files that they refer to • (one of the greatest features for investigation) • Also known as Symbolic link in EnCase • Try locating this using EnCase Report

  17. THUMBS.DB • What is Thumbs.db? • Windows allow the user to set the properties of any folder to allow the viewing of any graphics files in that folder as thumbnails • System files “thumbs.DB” are created with info of these thumbnails • These system files also speed up the processing of graphics hence the reason they were created in the Microsoft operating systems • “thumbs.DB” contains info of each graphics file in the folder • slightly altered headers • A listing of files in the folder and their modification dates are also contained in thumbs.DB file • Compound file • The artifacts can be significant since it is not perfectly synchronized with the actual contents of the folder • The user may delete files from the folder • But thumbs.db can restore the files!!!

  18. Case Example: THUMBS.DB • Thumbs.DB file may show that files existed on the volume and it may further show the modification dates of those files even though the files did not exist at the time of the examination In a recent federal criminal investigation, the examiner located a folder containing more than 400 evidentiary images. When the examiner questioned the nature of the thumbs.db file, further analysis showed its function and contents. The file was found to contain more than 900 images, many representing files of evidentiary value that had been deleted from the folder.

  19. THUMBS.DB (contd.) • Windows stores the following formats as thumbnails: • JPEG, BMP, GIF, TIF, PDF and HTM • Each thumbnail created in a folder is represented in this thumbs.db database • Each folder with initiated thumbnail views will have thumbs.db file

  20. THUMBS.DB (contd.) • The early versions of thumbs.db files (in Windows ME and Windows 2000) contained • the filename • the drive letter, and • path to that image • Later versions, (in Windows XP and onward), store • its filename • But NOT the drive letter and path

  21. THUMBS.DB in Vista and onward • The thumbnail cache that is used in Windows XP/2003, named THUMBS.DB has been replaced with a centralized thumbs database • Centralized thumbnail database is located in the following folder: • \Users\[User Account Name]\AppData\Local\Microsoft\Windows\Explorer • Inside there are a few files with prefix thumbcache: thumbcache_xxxx.db • You can no longer delete thumbs.db • dmThumbs (a tool for analyzing thumbs.db) • http://www.dmthumbs.com/

  22. Thumbs.db (case study) • Let’s do a simple hands-on practice. • We will view some pictures, will delete it afterwards and then see if we can investigate and restore it using EnCase.

  23. Other compound files • EnCase Forensic can view the structure of the following types of compound files: • Thumbs.db files • Zip files like .zip, .gzip, and .tar files • Outlook Express (DBX) • Outlook (PST) • Exchange 2000/2003 (EDB) • Lotus Notes (NSF) for versions 4, 5, and 6 • Mac DMG Format • Mac PAX Format • Korean Office Doc

  24. INDEX.DAT • Internet Explorer caches website that a user visits • When a user visit a site, IE first checks to see if the file is already cached • If a cached file is found, IE uses cached file rather than downloading it • IE stores cached files in the Temporary Internet Files folder • It also assigns each cached file an alphanumeric file name and maps the new file names to the actual filenames in system files • Internet Explorer uses file • Earlier version: MM256.DAT (to store the reference of web pages whose address were less than 257 characters) and MM2048.DAT (for pages whose address were between 257 and 2048 characters) • Newer version: index.dat • Describe each file: URL, dates of modification by server and access by the user

  25. Case Example: index.dat In another recent case, detectives investigated a woman’s complaint that she was the victim of stalking by a former boyfriend. The woman claimed that the former boyfriend was sending threatening e-mail to her current boyfriend. During investigation, she made another report alleging that she had been the victim of a home invasion during which she was assaulted, and she again identified the suspect as the same ex-boyfriend. When the detectives examined the woman’s computer, they found that the temporary Internet cache files contained references to an America Online account. Further examination of the Internet cache files and the records of America Online showed that the woman had set up an account with a screen name similar to that of the former boyfriend, and had sent the ‘threatening’ e-mail message herself.

  26. Lab Practice • Download abc.zip from class website. • You are given this evidence file. We do not have any idea what does this contain. Can you figure out using EnCase?

More Related