Lecture 6
Forensic Analysis of Windows Systems (contd. after lecture 4)

Prof. Shamik Sengupta
Office 4210N
[email protected]
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010

What we will cover today

Forensic analysis of Windows systems
– Learning where to look
– Understanding compound file types
– Viewing the structure
– Recover and analyze

Hands-on practice

The Recycle Bin

Understanding how the recycle bin works is critically important for forensic examiners
– It stores much significant information which is usually overlooked at the time of examination

The recycle bin is a system folder of Windows
– It operates in accordance with different rules than those that govern standard folders
– The folder is named
  – “Recycled” in Windows 95/98
  – “Recycler” in Windows NT/2000/XP

E.g., open a DOS window and go to the C drive
– Type cd recycler
– It will open up the recycle bin folder

The Recycle Bin (Continued)

E.g. recycler folder in XP


The Recycle Bin (Continued)

When a file is deleted, it is moved to the Recycle Bin
– On Windows NT/2000/XP, the first time a user puts a file in the recycle bin, a subfolder is created in c:\recycler
  – The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file

When a file is deleted, it results in three steps:
– 1) the deletion of the file’s folder entry in the folder in which the file resided
– 2) the creation of a new folder entry for the file in the Recycle Bin
– 3) the addition of information about the file in a hidden system file named INFO (or INFO2, depending on the Windows version) in the Recycle Bin

The Recycle Bin (Continued)

E.g. recycler folder in XP


The Recycle Bin (Continued)

So, although Windows does not store the deletion date and time of a file in its folder entry
– Windows records the date and time of deletion in the INFO file when a user sends a file to the Recycle Bin

Other information stored in the recycle bin includes:
– The file’s location prior to being sent to the Recycle Bin
– Its index number in the Recycle Bin
  – Its order in the Recycle Bin
  – 0 is assigned to the first file in the Recycle Bin after the Recycle Bin is emptied
– Its new filename in the Recycle Bin
  – Every file sent to the recycle bin is renamed in the following format
  – D[original drive letter of file][index no][original extension]
  – E.g. hw1.txt residing in C:\My Documents was sent to an empty recycle bin
  – Its new name is DC0.txt
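The INFO file contents and the D[drive][index][extension] renaming rule above, worked through as an added example that is not part of the lecture: a small parser that reads a Windows 2000/XP INFO2 file, recovers each record's original path, deletion time and index, derives the name the file was given inside RECYCLER, and pulls the deleting user's SID out of the INFO2 path. The byte layout is not on the slide; the code assumes the documented format-version-5 layout (20-byte header whose dword at offset 12 is the record size; 800-byte records made of a 260-byte ANSI path, 4-byte index, 4-byte drive number, 8-byte FILETIME, 4-byte size and 520-byte Unicode path). The two records, the SID and the timestamps are constructed, not captured from a real system.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows 2000/XP INFO2 file (format version 5), as documented by
# forensic tool authors; the lecture names the file but not its byte layout.
INFO2_HEADER_SIZE = 20   # version, two unknown dwords, record size, file size
INFO2_RECORD_SIZE = 800  # 260 ANSI path + 4 index + 4 drive + 8 FILETIME + 4 size + 520 Unicode path

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - WINDOWS_EPOCH).total_seconds()) * 10_000_000


def parse_info2_record(rec):
    """Decode one 800-byte record into the fields an examiner reports."""
    ansi_path = rec[0:260].split(b"\x00", 1)[0].decode("latin-1")
    index, drive_no = struct.unpack_from("<II", rec, 260)
    deleted_ft, = struct.unpack_from("<Q", rec, 268)
    physical_size, = struct.unpack_from("<I", rec, 276)
    unicode_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
    original = unicode_path or ansi_path      # XP writes both; prefer the Unicode copy
    drive_letter = chr(ord("A") + drive_no)   # drive number 0 = A:, 2 = C:
    filename = original.rsplit("\\", 1)[-1]
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return {
        "index": index,
        "drive": drive_letter,
        "deleted_utc": filetime_to_datetime(deleted_ft),
        "physical_size": physical_size,
        "original_path": original,
        # Name the file was given inside RECYCLER: D<drive><index><extension>
        "recycled_name": f"D{drive_letter}{index}{ext}",
    }


def parse_info2(data):
    """Return the records of a whole INFO2 file; a truncated tail is ignored."""
    if len(data) < INFO2_HEADER_SIZE:
        raise ValueError("too short to be an INFO2 file")
    record_size, = struct.unpack_from("<I", data, 12)
    if record_size != INFO2_RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {record_size}")
    records = []
    for off in range(INFO2_HEADER_SIZE, len(data) - record_size + 1, record_size):
        records.append(parse_info2_record(data[off:off + record_size]))
    return records


def sid_from_recycler_path(path):
    """The subfolder under RECYCLER is named after the deleting user's SID."""
    m = re.search(r"S-1-5-21(?:-\d+)+", path)
    return m.group(0) if m else None


def build_info2_record(original_path, index, drive_no, deleted_utc, size):
    """Constructed sample record (not captured from a real system)."""
    ansi = original_path.encode("latin-1").ljust(260, b"\x00")
    uni = original_path.encode("utf-16-le").ljust(520, b"\x00")
    fixed = struct.pack("<IIQI", index, drive_no, datetime_to_filetime(deleted_utc), size)
    return ansi + fixed + uni


# Constructed INFO2 image with two deletions; the first matches the slide's hw1.txt example.
SAMPLE_RECORDS = [
    build_info2_record("C:\\My Documents\\hw1.txt", 0, 2,
                       datetime(2010, 9, 15, 14, 30, tzinfo=timezone.utc), 4096),
    build_info2_record("D:\\photos\\IMG_0001.jpg", 1, 3,
                       datetime(2010, 9, 15, 14, 31, tzinfo=timezone.utc), 1_048_576),
]
SAMPLE_INFO2 = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_SIZE,
                           INFO2_HEADER_SIZE + INFO2_RECORD_SIZE * len(SAMPLE_RECORDS)) + b"".join(SAMPLE_RECORDS)

if __name__ == "__main__":
    # Constructed path; the SID is made up for the example.
    print("user:", sid_from_recycler_path("C:\\RECYCLER\\S-1-5-21-1085031214-1343024091-839522115-1003\\INFO2"))
    for r in parse_info2(SAMPLE_INFO2):
        print(f'{r["recycled_name"]:<10} {r["deleted_utc"]:%Y-%m-%d %H:%M:%S} UTC  {r["original_path"]}')
```

Run on a real INFO2 the loop simply reads the file bytes instead of SAMPLE_INFO2. Two details matter when reporting: the FILETIME is UTC, so convert to the suspect machine's time zone before comparing with other artifacts, and a record whose first ANSI byte has been zeroed (the file was removed from the bin individually) still carries the full Unicode path, which is why the parser prefers that copy.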


The Recycle Bin (Continued)

An INFO file is often effective in confirming or refuting a computer user’s explanations regarding the presence or history of computer files recovered from their drives
– It contains metadata relating to a particular file, such as the date of deletion and the original path
– INFO file records tell stories about file histories and the user’s state of mind
– Files deleted by the OS do not leave a record in the INFO file
– An INFO file record indicates that a user knowingly deleted the file

If a user claims a file was downloaded without his notice during internet activity, the file’s location when it was deleted may tend to support or refute that contention
– If a user deleted a particular file residing
  – A) in a default download folder or in the Temporary Internet Files folder
  – B) in My Documents\My Favorite Things\My Pictures…


The Recycle Bin (Continued)

When the user elects to empty the Recycle Bin,
– Windows deletes the file (such as DC0.txt) in the Recycle Bin and also deletes the INFO file
– More sophisticated techniques are then needed to recover the files


The Recycle Bin in Windows Vista / 7

The contents of the recycle bin have changed in Windows Vista/7

The name of the folder itself has changed to “$Recycle.bin”
– Open a DOS command prompt and go to the C drive
– Type cd $Recycle.bin

The INFO2 file that is present in Windows 2000/XP/2003 has been removed

In Windows Vista, two files are created when a file is deleted into the recycle bin
– Both files have the same random-looking name, but the names are prefixed with “$R” or “$I”
– The file with “$R” at the beginning of the name is actually the data of the deleted file
– The file with “$I” at the beginning of the name contains the path where the file originally resided, as well as the date and time it was deleted
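The $I/$R scheme above, as an added example that is not part of the lecture: a parser for the $I metadata file that recovers the original path, size and deletion time, plus a helper that pairs $I files with their $R data files from a directory listing and reports orphans (a lone $R has lost its provenance, a lone $I records a deletion whose content is gone). The slide gives the meaning of the file but not its layout; the code assumes the documented version-1 layout (8-byte version, 8-byte original size, 8-byte FILETIME, 520-byte UTF-16LE path, 544 bytes in all) and, going one step beyond the slide, the later version-2 layout used by Windows 10 (a 4-byte character count replaces the fixed 520-byte path). The sample files and the listing are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - WINDOWS_EPOCH).total_seconds()) * 10_000_000


def parse_dollar_i(data):
    """Decode a $I metadata file from $Recycle.bin\\<SID>.

    Version 1 (Vista/7/8): 8-byte version, 8-byte original size, 8-byte FILETIME
    of deletion, 520-byte UTF-16LE original path (544 bytes in total).
    Version 2 (Windows 10): same first 24 bytes, then a 4-byte path length in
    UTF-16 code units (terminator included) followed by the path.
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        length, = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * length]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": original_size,
        "deleted_utc": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def pair_recycle_bin_files(names):
    """Match $I metadata files to their $R data files by the shared random stem.

    Returns (pairs, orphans): an orphan $R means the deletion time and origin are
    gone; an orphan $I means the content is gone but the record of deletion remains.
    """
    i_files = {n[2:]: n for n in names if n.startswith("$I")}
    r_files = {n[2:]: n for n in names if n.startswith("$R")}
    pairs = {stem: (i_files[stem], r_files[stem]) for stem in i_files if stem in r_files}
    orphans = sorted([i_files[s] for s in i_files if s not in r_files] +
                     [r_files[s] for s in r_files if s not in i_files])
    return pairs, orphans


def build_dollar_i(original_path, size, deleted_utc, version=1):
    """Constructed sample $I file (not captured from a real system)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    encoded = (original_path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(original_path) + 1) + encoded


SAMPLE_I_V1 = build_dollar_i("C:\\Users\\alice\\Documents\\budget.xlsx", 24576,
                             datetime(2010, 10, 1, 9, 5, tzinfo=timezone.utc))
SAMPLE_I_V2 = build_dollar_i("C:\\Users\\alice\\Pictures\\trip.jpg", 310_000,
                             datetime(2019, 4, 2, 18, 0, tzinfo=timezone.utc), version=2)
# Constructed directory listing of one user's $Recycle.bin\<SID> folder.
SAMPLE_LISTING = ["$I5XK2P1.xlsx", "$R5XK2P1.xlsx", "$RQ7A9Z3.docx", "desktop.ini"]

if __name__ == "__main__":
    for sample in (SAMPLE_I_V1, SAMPLE_I_V2):
        r = parse_dollar_i(sample)
        print(f'v{r["version"]} {r["deleted_utc"]:%Y-%m-%d %H:%M:%S} UTC {r["original_size"]:>8} {r["original_path"]}')
    print(pair_recycle_bin_files(SAMPLE_LISTING))
```

Because the $I file is only 544 bytes it usually sits resident in its MFT record, so even after the bin is emptied the metadata often survives in MFT slack longer than the $R data does; carving for the 8-byte version header is one way to find such remnants.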


Case study: Viewing Recycle Bin using EnCase

How do you view the recycle bin using EnCase?
– (you do not have to acquire the disk)
– Locate the recycle bin using EnCase
– Locate the SID subfolders (one per user account)
– Locate the deleted files


Shortcut Files

Shortcut files are links that give quick access to an item
– Users open a file or folder or start an application program by double-clicking on the appropriate shortcut icon

Where are the shortcut files stored?
– Folder locations of shortcut files:
  – Windows\Desktop
  – Windows\Recent
  – Windows\Start Menu
  – Windows\Send to

The existence of shortcut files can serve to support the contention that a user had knowledge that a particular file or application was present on the computer
– Although the actual files might have been deleted


Shortcut Files (Continued)

The Windows\Recent folder contains shortcut files that point to data files that were opened on the computer
– By default 12/15 shortcuts are maintained
– REALLY??

The Windows\Start Menu folder contains shortcut files that point to files and programs that appear on the Start Menu
– The shortcut files can provide evidence that an application program, which is no longer present on the computer, was installed at one time
– The date and time stamps on the shortcut files can help to identify the date that the installation occurred
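What a shortcut file actually preserves about a target that has since been deleted, as an added example that is not part of the lecture: a parser for the .lnk (shell link) format that pulls out the target's size and creation/access/write timestamps as Windows recorded them in the link header, the local path and volume serial number from the LinkInfo block, and the relative path string. The layout is the one published in Microsoft's MS-SHLLINK specification, not something on the slide; the parser handles an optional IDList by skipping it, reads only the ANSI LocalBasePath variant of LinkInfo, and the sample shortcut (program name, path, serial and dates) is constructed.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# ShellLinkHeader constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
                 ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION))

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - WINDOWS_EPOCH).total_seconds()) * 10_000_000


def is_shell_link(data):
    """Header size 0x4C followed by the shell link CLSID identifies a .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    size, clsid = struct.unpack_from("<I16s", data, 0)
    return size == LNK_HEADER_SIZE and uuid.UUID(bytes_le=clsid) == LNK_CLSID


def parse_lnk(data):
    """Return the target's recorded timestamps, size, local path and volume serial."""
    if not is_shell_link(data):
        raise ValueError("not a shell link file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList (2-byte size + items)
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    local_base_path = volume_serial = None
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                           # VolumeIDAndLocalBasePath
            volume_serial, = struct.unpack_from("<I", data, pos + vol_off + 8)
            end = data.index(b"\x00", pos + lbp_off)
            local_base_path = data[pos + lbp_off:end].decode("latin-1")
        pos += li_size
    strings = {}
    for field, bit in STRING_FIELDS:               # StringData, in specification order
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[field] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return {
        "target_attributes": attrs,
        "target_created_utc": filetime_to_datetime(ctime),
        "target_accessed_utc": filetime_to_datetime(atime),
        "target_written_utc": filetime_to_datetime(wtime),
        "target_size": size,
        "local_base_path": local_base_path,
        "volume_serial": f"{volume_serial:08X}" if volume_serial is not None else None,
        **strings,
    }


def build_lnk(target_path, relative_path, created, written, size, serial, label="OS"):
    """Constructed .lnk (not from a real system): header + LinkInfo + RELATIVE_PATH."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<IIQQQI", HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE, 0x20,
                          datetime_to_filetime(created), datetime_to_filetime(created),
                          datetime_to_filetime(written), size)
    header += struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0)  # IconIndex, ShowCommand, HotKey, Reserved1-3
    vol_label = label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(vol_label), 3, serial, 16) + vol_label  # DriveType 3 = fixed
    base = target_path.encode("latin-1") + b"\x00"
    vol_off = 0x1C
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(base)                  # CommonPathSuffix is an empty string here
    link_info = struct.pack("<IIIIIII", cps_off + 1, 0x1C, 1, vol_off, lbp_off, 0, cps_off)
    link_info += volume_id + base + b"\x00"
    rel = relative_path.encode("utf-16-le")
    return header + link_info + struct.pack("<H", len(relative_path)) + rel


# Constructed shortcut of the kind left in the Start Menu after a program is uninstalled.
SAMPLE_LNK = build_lnk("C:\\Program Files\\OldApp\\oldapp.exe", "..\\..\\OldApp\\oldapp.exe",
                       created=datetime(2009, 3, 2, 10, 0, tzinfo=timezone.utc),
                       written=datetime(2010, 1, 20, 16, 45, tzinfo=timezone.utc),
                       size=1_234_567, serial=0xA1B2C3D4)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:<22} {value}")
```

The timestamps inside the header are the target's, captured when the shortcut was last written, so they are independent of the shortcut file's own NTFS timestamps that the slide refers to; together the two sets bracket when the target existed and when the user last touched the link. The volume serial number ties the shortcut to a specific drive even when the path alone is ambiguous.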

Viewing the “desktop” and “recent” folders


Case Example: Shortcut Files

A special agent of the Illinois Attorney General’s Office investigated a case involving CP.

The agent located a shortcut file in the Windows\Desktop folder whose target was a screensaver program.

Upon examining the screensaver program, the agent found that it caused 30 images depicting CP to be displayed on the computer’s monitor when the shortcut was activated.

This example is applicable to the investigation of many forms of computer crime


Case study: Viewing Shortcut files using EnCase

How do you view shortcut files using EnCase?
– (you do not have to acquire the disk)
– Locate shortcut files
– Analyze
  – The shortcut files also contain the fully qualified paths of the files that they refer to
  – (one of the greatest features for investigation)
  – Also known as a Symbolic link in EnCase
  – Try locating this using the EnCase Report


THUMBS.DB

What is Thumbs.db?
– Windows allows the user to set the properties of any folder to allow the viewing of any graphics files in that folder as thumbnails
– System files named “thumbs.DB” are created with info on these thumbnails
  – These system files also speed up the processing of graphics, hence the reason they were created in the Microsoft operating systems

“thumbs.DB” contains info on each graphics file in the folder – slightly altered headers
– A listing of files in the folder and their modification dates is also contained in the thumbs.DB file
– Compound file

The artifacts can be significant since the file is not perfectly synchronized with the actual contents of the folder
– The user may delete files from the folder
– But thumbs.db can restore the files!!!


Case Example: THUMBS.DB

A Thumbs.DB file may show that files existed on the volume, and it may further show the modification dates of those files even though the files did not exist at the time of the examination

In a recent federal criminal investigation, the examiner located a folder containing more than 400 evidentiary images.

When the examiner questioned the nature of the thumbs.db file, further analysis showed its function and contents.

The file was found to contain more than 900 images, many representing files of evidentiary value that had been deleted from the folder.

THUMBS.DB (contd.)

Windows stores the following formats as thumbnails:
– JPEG, BMP, GIF, TIF, PDF and HTM

Each thumbnail created in a folder is represented in this thumbs.db database

Each folder with initiated thumbnail views will have a thumbs.db file

THUMBS.DB (contd.)

The early versions of thumbs.db files (in Windows ME and Windows 2000) contained
– the filename
– the drive letter, and
– the path to that image

Later versions (in Windows XP and onward) store
– its filename
– But NOT the drive letter and path


THUMBS.DB in Vista and onward

The thumbnail cache that is used in Windows XP/2003, named THUMBS.DB, has been replaced with a centralized thumbnail database

The centralized thumbnail database is located in the following folder:
– \Users\[User Account Name]\AppData\Local\Microsoft\Windows\Explorer
– Inside there are a few files with the prefix thumbcache: thumbcache_xxxx.db
– You can no longer delete thumbs.db

dmThumbs (a tool for analyzing thumbs.db)
– http://www.dmthumbs.com/

Thumbs.db (case study)

Let’s do a simple hands-on practice.
– We will view some pictures, delete them afterwards and then see if we can investigate and restore them using EnCase.

Other compound files

EnCase Forensic can view the structure of the following types of compound files:
– Thumbs.db files
– Zip files like .zip, .gzip, and .tar files
– Outlook Express (DBX)
– Outlook (PST)
– Exchange 2000/2003 (EDB)
– Lotus Notes (NSF) for versions 4, 5, and 6
– Mac DMG Format
– Mac PAX Format
– Korean Office Doc


INDEX.DAT

Internet Explorer caches the websites that a user visits
– When a user visits a site, IE first checks to see if the file is already cached
– If a cached file is found, IE uses the cached file rather than downloading it
– IE stores cached files in the Temporary Internet Files folder
  – It also assigns each cached file an alphanumeric file name and maps the new file names to the actual filenames in system files

Internet Explorer uses the following files
– Earlier versions: MM256.DAT (to store the references of web pages whose addresses were less than 257 characters) and MM2048.DAT (for pages whose addresses were between 257 and 2048 characters)
– Newer versions: index.dat
  – Describes each file: URL, dates of modification by the server and of access by the user


Case Example: index.dat

In another recent case, detectives investigated a woman’s complaint that she was the victim of stalking by a former boyfriend.

The woman claimed that the former boyfriend was sending threatening e-mail to her current boyfriend.

During investigation, she made another report alleging that she had been the victim of a home invasion during which she was assaulted, and she again identified the suspect as the same ex-boyfriend.

When the detectives examined the woman’s computer, they found that the temporary Internet cache files contained references to an America Online account.

Further examination of the Internet cache files and the records of America Online showed that the woman had set up an account with a screen name similar to that of the former boyfriend, and had sent the ‘threatening’ e-mail message herself.

Lab Practice

Download abc.zip from the class website.
– You are given this evidence file. We do not have any idea what it contains. Can you figure it out using EnCase?