
1
Lecture 6
Forensic Analysis of Windows Systems
(contd. after lecture 4)
Prof. Shamik Sengupta
Office 4210N
[email protected]
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010
2
What we will cover today
 Forensic analysis of Windows systems
– Learning where to look
– Understanding compound file types
– Viewing the structure
– Recover and Analyze
 Hands-on Practice
3
The Recycle Bin

Understanding how the Recycle Bin works is critically important
for forensic examiners
– It stores much significant information that is usually overlooked at the time
of examination

The Recycle Bin is a system folder of Windows
– It operates under different rules than those that govern
standard folders
– The folder is named
– “Recycled” in Windows 95/98
– “Recycler” in Windows NT/2000/XP

E.g., open a DOS window and go to the C: drive
– Type cd recycler
– It will open up the Recycle Bin folder
4
The Recycle Bin (Continued)

E.g. recycler folder in XP
5
The Recycle Bin (Continued)

When a file is deleted, it is moved to the Recycle Bin
– On Windows NT/2000/XP, the first time a user puts a file in the
Recycle Bin, a subfolder is created in c:\recycler
– The subfolder is named with the user’s SID and contains its own INFO file,
making it possible to determine which user account was used to delete a file

Deleting a file involves three steps:
– 1) the deletion of the file’s folder entry in the folder in which the file
resided
– 2) the creation of a new folder entry for the file in the Recycle Bin
– 3) the addition of information about the file to a hidden system file
named INFO (or INFO2, depending on the Windows version) in the
Recycle Bin
6
The Recycle Bin (Continued)

E.g. recycler folder in XP
7
The Recycle Bin (Continued)

So, although Windows does not store the deletion date
and time of a file in its folder entry
– Windows records the date and time of deletion in the INFO
file when a user sends a file to the Recycle Bin

Other information stored in the Recycle Bin includes:
– The file’s location prior to being sent to the Recycle Bin
– Its index number in the Recycle Bin
– Its order in the Recycle Bin
– 0 is assigned to the first file placed in the Recycle Bin after the Recycle Bin is
emptied
– Its new filename in the Recycle Bin
– Every file sent to the Recycle Bin is renamed in the following format
– D[original drive letter of file][index no][original extension]
– E.g. hw1.txt residing in C:\My Documents was sent to an empty Recycle Bin
– Its new name is DC0.txt
8
The Recycle Bin (Continued)

An INFO file is often effective in confirming or refuting a
computer user’s explanations regarding the presence or
history of computer files recovered from their drives
– It contains metadata relating to a particular file, such as the
date of deletion and the original path
– INFO file records tell stories about file histories and the
user’s state of mind
– Files deleted by the OS do not leave a record in the INFO file
– An INFO file record indicates that a user knowingly deleted the file

If a user claims a file was downloaded without his knowledge
during Internet activity, the file’s location when it was
deleted may tend to support or refute that contention
– Consider whether the user deleted a particular file residing
– A) in a default download folder or in the Temporary Internet Files
folder
– B) in My Documents\My Favorite Things\My Pictures…
9
The Recycle Bin (Continued)

When the user elects to empty the Recycle Bin,
– Windows deletes the file (such as DC0.txt) in the Recycle Bin
and also deletes the INFO file
– More sophisticated techniques are then needed to recover the files
10
The Recycle Bin in Windows Vista / 7

The contents of the Recycle Bin have changed in Windows Vista/7

The name of the folder itself has changed to “$Recycle.bin”
– Open a DOS command prompt and go to the C: drive
– Type cd $Recycle.bin

The INFO2 file that is present in Windows 2000/XP/2003 has been
removed

In Windows Vista, two files are created when a file is deleted into
the Recycle Bin
– Both files have the same random-looking name, but the names are prefixed
with “$R” or “$I”
– The file with “$R” at the beginning of the name is actually the data of the deleted file
– The file with “$I” at the beginning of the name contains the path where the file
originally resided, as well as the date and time it was deleted
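To make the two metadata formats concrete, here is an added example (not from the lecture) that parses a constructed INFO2 record of the Windows 2000/XP layout and a constructed $I file of the Vista/7 layout, and derives the D[drive][index][ext] name described above. The field offsets and the version-2 $I layout (introduced later in Windows 10, beyond what the slides cover) are assumptions taken from public format descriptions, as are the sample values.

```python
"""Parse Recycle Bin metadata: INFO2 records (2000/XP) and $I files (Vista/7).
Added example with constructed sample bytes; layouts are assumed from public
format documentation, not taken from the lecture slides."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def recycled_name(drive_number: int, index: int, original_path: str) -> str:
    """Name the file gets inside the bin: D + drive letter + index + extension."""
    filename = original_path.rsplit("\\", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[1] if "." in filename else ""
    return f"D{chr(ord('A') + drive_number)}{index}{ext}"


INFO2_HEADER_LEN = 20   # version, two unknown dwords, record size, file size
INFO2_RECORD_LEN = 800  # 0x320 bytes per record (assumed XP layout)


def parse_info2(data: bytes) -> list:
    """Return one dict per INFO2 record: index, drive, path, deletion time, size."""
    _version, _, _, rec_len, _ = struct.unpack_from("<5I", data, 0)
    if rec_len != INFO2_RECORD_LEN:
        raise ValueError(f"unsupported INFO2 record size {rec_len}")
    records = []
    for off in range(INFO2_HEADER_LEN, len(data) - rec_len + 1, rec_len):
        rec = data[off:off + rec_len]
        # bytes 0-259: ANSI path; then record index, drive number, FILETIME, size
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]  # 520-byte Unicode path
        records.append({
            "index": index, "drive": drive, "original_path": path,
            "deleted": filetime_to_datetime(ft), "size": size,
            "recycled_name": recycled_name(drive, index, path),
        })
    return records


def parse_dollar_i(data: bytes) -> dict:
    """Parse a Vista/7 $I file (version 1); version 2 is the later Windows 10 layout."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:            # fixed 260-WCHAR (520-byte) path field
        path = data[24:544].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:          # 4-byte character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"size": size, "deleted": filetime_to_datetime(ft), "original_path": path}


# --- constructed samples (values are made up for the example) ----------------
DELETED_AT = datetime(2010, 9, 15, 10, 30, tzinfo=timezone.utc)
ORIGINAL = r"C:\My Documents\hw1.txt"


def build_info2(path, index, drive, size, deleted):
    header = struct.pack("<5I", 5, 0, 0, INFO2_RECORD_LEN, INFO2_HEADER_LEN + INFO2_RECORD_LEN)
    rec = path.encode("ascii").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size)
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    return header + rec


def build_dollar_i(path, size, deleted):
    head = struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted))
    return head + path.encode("utf-16-le").ljust(520, b"\x00")


SAMPLE_INFO2 = build_info2(ORIGINAL, 0, 2, 1234, DELETED_AT)   # drive 2 = C:
SAMPLE_DOLLAR_I = build_dollar_i(ORIGINAL, 1234, DELETED_AT)

if __name__ == "__main__":
    for record in parse_info2(SAMPLE_INFO2):
        print(record)
    print(parse_dollar_i(SAMPLE_DOLLAR_I))
```

On a real XP image the INFO2 records for files that were later restored or purged are not immediately wiped; the first byte of the ANSI path is zeroed while the Unicode path and timestamp often survive, which is why the parser reads the Unicode field.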
11
Case study: Viewing Recycle Bin using EnCase
 How do you view recycle bin using EnCase?
– (you do not have to acquire the disk)
– Locate recycle bin using EnCase
– Locate the SIDs
– Locate the deleted files
12
Shortcut Files

Shortcut files are links used for quick access to files, folders and programs
– Users open a file or folder or start an application program by
double-clicking on the appropriate shortcut icon
 Where are the shortcut files stored?
– Folder location of shortcut files
– Windows\Desktop
– Windows\Recent
– Windows\Start Menu
– Windows\Send to

The existence of shortcut files can serve to support the
contention that a user had knowledge that a particular file or
application was present on the computer
– Although actual files might have been deleted
13
Shortcut Files (Continued)

The Windows\Recent folder contains shortcut files that point
to data files that were opened on the computer
– By default 12/15 shortcuts are maintained
– REALLY??

The Windows\Start Menu folder contains shortcut files that point to
files and programs that appear on the Start Menu
– The shortcut files can provide evidence that an application program
which is no longer present on the computer was installed at one time
– The date and time stamps on the shortcut files can help to identify the
date on which the installation occurred
Viewing the “Desktop” and “Recent” folders
14
15
Case Example: Shortcut Files
A special agent of the Illinois Attorney General’s Office investigated a
case involving a CP.
The agent located a shortcut file in the Windows\Desktop folder whose
target was a screensaver program.
Upon examining the screensaver program, the agent found that it
caused 30 images depicting CP to be displayed on the computer’s
monitor when the shortcut was activated.
This example is applicable to the investigation of many forms of
computer crime
16
Case study: Viewing Shortcut files using EnCase
 How do you view shortcut files using EnCase?
– (you do not have to acquire the disk)
– Locate shortcut files
– Analyze
– The shortcut files also contain the fully qualified paths of
the files that they refer to
– (one of the greatest features for investigation)
– Also known as Symbolic link in EnCase
– Try locating this using EnCase Report
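The fully qualified target path and the target's own timestamps are carried inside the .lnk file itself, which is what makes a shortcut useful evidence even after the target is gone. The following added example (not from the lecture or EnCase) builds a minimal shortcut and parses its fixed ShellLinkHeader and LinkInfo block; the layout follows the public MS-SHLLINK description and is assumed here, as are all sample values.

```python
"""Parse a Windows shortcut (.lnk): ShellLinkHeader + LinkInfo local base path.
Added example on a constructed shortcut; field layout assumed from MS-SHLLINK."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# CLSID {00021401-0000-0000-C000-000000000046} as it appears on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1       # LinkFlags bits
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1  # LinkInfoFlags bit


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def cstring(data: bytes, off: int) -> str:
    """Null-terminated ANSI string starting at off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Return the target path (from LinkInfo) and the target's embedded timestamps."""
    hsize, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if hsize != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = hsize
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList if present
        (idl_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idl_size
    target = None
    if flags & HAS_LINK_INFO:
        (_li_size, _li_hdr, li_flags, _vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # offsets are relative to the start of the LinkInfo structure
            target = cstring(data, off + base_off) + cstring(data, off + suffix_off)
    return {
        "target_path": target,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
        "target_attributes": attrs,
    }


def build_lnk(target: str, created: datetime, written: datetime, size: int) -> bytes:
    """Construct a minimal shortcut: 76-byte header + LinkInfo with a local path."""
    # VolumeID: size 0x11, DRIVE_FIXED (3), serial, label offset 0x10, empty label
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    li_hdr_len = 0x1C
    vol_off = li_hdr_len
    base = target.encode("cp1252") + b"\x00"
    base_off = vol_off + len(volume_id)
    suffix = b"\x00"                         # empty CommonPathSuffix
    suffix_off = base_off + len(base)
    li_size = suffix_off + len(suffix)
    link_info = struct.pack("<7I", li_size, li_hdr_len, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    header = struct.pack(
        "<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
        datetime_to_filetime(created), datetime_to_filetime(created),
        datetime_to_filetime(written), size,
        0, 1, 0, 0, 0, 0)  # IconIndex, SW_SHOWNORMAL, HotKey, reserved
    return header + link_info


# constructed sample: a shortcut whose target is a screensaver that no longer exists
TARGET = r"C:\WINDOWS\System32\photos.scr"
CREATED = datetime(2010, 3, 2, 9, 0, tzinfo=timezone.utc)
WRITTEN = datetime(2010, 3, 2, 9, 5, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk(TARGET, CREATED, WRITTEN, 40960)

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK))
```

The timestamps returned here belong to the target at the time the shortcut was written; the shortcut file's own filesystem MAC times (the ones the slide refers to for dating an installation) come from the directory entry, and comparing the two sets is a quick consistency check.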
17
THUMBS.DB

What is Thumbs.db?
– Windows allows the user to set the properties of any folder so that
graphics files in that folder are viewed as thumbnails
– A system file, “thumbs.db”, is created holding information on these thumbnails
– These system files also speed up the display of graphics, which is why
Microsoft operating systems create them

“thumbs.db” contains information on each graphics file in the folder
– Thumbnails with slightly altered headers
– A listing of the files in the folder and their modification dates is also
contained in the thumbs.db file
– It is a compound file

The artifacts can be significant, since the file is not perfectly synchronized
with the actual contents of the folder
– The user may delete files from the folder
– But thumbs.db can restore the files!!!
18
Case Example: THUMBS.DB

Thumbs.DB file may show that files existed on the volume
and it may further show the modification dates of those
files even though the files did not exist at the time of the
examination
In a recent federal criminal investigation, the examiner located a folder
containing more than 400 evidentiary images.
When the examiner questioned the nature of the thumbs.db file,
further analysis showed its function and contents.
The file was found to contain more than 900 images, many
representing files of evidentiary value that had been deleted from the
folder.
19
THUMBS.DB (contd.)

Windows stores the following formats as thumbnails:
– JPEG, BMP, GIF, TIF, PDF and HTM

Each thumbnail created in a folder is represented in this thumbs.db
database

Each folder in which thumbnail view has been used will have a thumbs.db file
20
THUMBS.DB (contd.)

The early versions of thumbs.db files (in Windows ME and
Windows 2000) contained
– the filename
– the drive letter, and
– path to that image

Later versions, (in Windows XP and onward), store
– its filename
– But NOT the drive letter and path
21
THUMBS.DB in Vista and onward

The thumbnail cache that is used in Windows XP/2003, named
THUMBS.DB has been replaced with a centralized thumbs
database

Centralized thumbnail database is located in the following folder:
– \Users\[User Account Name]\AppData\Local\Microsoft\Windows\Explorer
– Inside there are a few files with prefix thumbcache: thumbcache_xxxx.db
– You can no longer delete thumbs.db
 dmThumbs (a tool for analyzing thumbs.db)
– http://www.dmthumbs.com/
22
Thumbs.db (case study)
 Let’s do a simple hands-on practice.
– We will view some pictures, delete them afterwards and
then see if we can investigate and restore them using EnCase.
23
Other compound files
 EnCase Forensic can view the structure of the
following types of compound files:
– Thumbs.db files
– Zip files like .zip, .gzip, and .tar files
– Outlook Express (DBX)
– Outlook (PST)
– Exchange 2000/2003 (EDB)
– Lotus Notes (NSF) for versions 4, 5, and 6
– Mac DMG Format
– Mac PAX Format
– Korean Office Doc
24
INDEX.DAT

Internet Explorer caches the websites that a user visits
– When a user visits a site, IE first checks to see if the file is already cached
– If a cached file is found, IE uses the cached file rather than downloading it again
– IE stores cached files in the Temporary Internet Files folder
– It also assigns each cached file an alphanumeric file name and maps the new file
names to the actual filenames in system files

Internet Explorer uses index files for this mapping
– Earlier versions: MM256.DAT (to store references to web pages whose
addresses were less than 257 characters) and MM2048.DAT (for pages
whose addresses were between 257 and 2048 characters)
– Newer versions: index.dat
– Each entry describes a cached file: its URL, the date it was modified on the server
and the date it was accessed by the user
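As an added example (not from the lecture), the scanner below walks a constructed index.dat of the IE 5/6 "Client UrlCache MMF Ver 5.2" layout, finds the URL records on their 128-byte block boundaries and extracts exactly the three fields the slide names: the URL, the server modification time and the user's last access time, plus the cached filename in Temporary Internet Files. The record offsets are assumptions from public descriptions of the format; the sample buffer and its URLs are constructed.

```python
"""Scan an IE index.dat (Ver 5.2) for URL records. Added example on a
constructed buffer; record offsets are assumed from public format notes."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK = 128                                   # records are allocated in 128-byte blocks
MAGIC = b"Client UrlCache MMF Ver 5.2\x00"
URL_SIG = b"URL "
# assumed offsets within a URL record
OFF_NBLOCKS, OFF_MODIFIED, OFF_ACCESSED = 4, 8, 16
OFF_URL_PTR, OFF_FILENAME_PTR = 52, 60        # pointers relative to record start
URL_DATA_START = 104                          # where the URL string normally begins


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def scan_index_dat(data: bytes) -> list:
    """Return a dict per URL record found on a block boundary."""
    if not data.startswith(MAGIC):
        raise ValueError("not a Ver 5.2 index.dat")
    entries = []
    for off in range(0, len(data) - BLOCK + 1, BLOCK):
        if data[off:off + 4] != URL_SIG:
            continue
        (nblocks,) = struct.unpack_from("<I", data, off + OFF_NBLOCKS)
        mod_ft, acc_ft = struct.unpack_from("<QQ", data, off + OFF_MODIFIED)
        (url_ptr,) = struct.unpack_from("<I", data, off + OFF_URL_PTR)
        (fname_ptr,) = struct.unpack_from("<I", data, off + OFF_FILENAME_PTR)
        rec_len = nblocks * BLOCK
        url = cstring(data, off + url_ptr) if 0 < url_ptr < rec_len else ""
        fname = cstring(data, off + fname_ptr) if 0 < fname_ptr < rec_len else ""
        entries.append({
            "offset": off, "url": url, "cached_file": fname,
            "server_modified": filetime_to_datetime(mod_ft),
            "last_accessed": filetime_to_datetime(acc_ft),
        })
    return entries


def build_url_record(url: str, cached_file: str, modified: datetime, accessed: datetime) -> bytes:
    """Construct one URL record padded to whole 128-byte blocks."""
    url_bytes = url.encode("ascii") + b"\x00"
    fname_bytes = cached_file.encode("ascii") + b"\x00"
    url_ptr = URL_DATA_START
    fname_ptr = url_ptr + len(url_bytes)
    total = fname_ptr + len(fname_bytes)
    nblocks = -(-total // BLOCK)              # ceiling division
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = URL_SIG
    struct.pack_into("<I", rec, OFF_NBLOCKS, nblocks)
    struct.pack_into("<QQ", rec, OFF_MODIFIED,
                     datetime_to_filetime(modified), datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, OFF_URL_PTR, url_ptr)
    struct.pack_into("<I", rec, OFF_FILENAME_PTR, fname_ptr)
    rec[url_ptr:url_ptr + len(url_bytes)] = url_bytes
    rec[fname_ptr:fname_ptr + len(fname_bytes)] = fname_bytes
    return bytes(rec)


# constructed sample: a 2-block header, one cache record, one free block, one record
MODIFIED_1 = datetime(2010, 9, 1, 8, 0, tzinfo=timezone.utc)
ACCESSED_1 = datetime(2010, 9, 14, 21, 45, tzinfo=timezone.utc)
ACCESSED_2 = datetime(2010, 9, 14, 21, 47, tzinfo=timezone.utc)
SAMPLE_INDEX_DAT = (
    MAGIC.ljust(2 * BLOCK, b"\x00")
    + build_url_record("http://www.example.com/index.html", "index[1].htm", MODIFIED_1, ACCESSED_1)
    + bytes(BLOCK)
    + build_url_record("Visited: alice@http://mail.example.com/", "", MODIFIED_1, ACCESSED_2)
)

if __name__ == "__main__":
    for entry in scan_index_dat(SAMPLE_INDEX_DAT):
        print(entry)
```

Scanning every block boundary rather than following the file's hash tables is deliberate: entries that IE has logically removed often remain in the file until their blocks are reused, so a boundary scan recovers records that the browser's own history view no longer shows. History index.dat files carry the "Visited: user@" prefix seen in the second sample record, while cache index.dat records hold the bare URL.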
25
Case Example: index.dat
In another recent case, detectives investigated a woman’s complaint
that she was the victim of stalking by a former boyfriend.
The woman claimed that the former boyfriend was sending threatening
e-mail to her current boyfriend.
During investigation, she made another report alleging that she had
been the victim of a home invasion during which she was assaulted,
and she again identified the suspect as the same ex-boyfriend.
When the detectives examined the woman’s computer, they found that
the temporary Internet cache files contained references to an America
Online account.
Further examination of the Internet cache files and the records of
America Online showed that the woman had set up an account with a
screen name similar to that of the former boyfriend, and had sent the
‘threatening’ e-mail message herself.
26
Lab Practice
 Download abc.zip from the class website.
– You are given this evidence file. We have no idea
what it contains. Can you figure it out using EnCase?