CNS 450 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 9 Lab

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Hands-on Extraction & Analysis (2)


1. Volume Shadow Copy Analysis
   Vshadowmount (Linux)

2. Internet Explorer Artifacts
   Galetta (cookies)
   Pasco (cache)
   Id32 (generic index.dat parser)
   Mandiant Web Historian (Windows only)


For convenience, escalate to a root shell:

sudo bash

Yet Another New Image

Enabled VSCs on my Windows SIFT Kit, then:

1. Created desktop folder Restore_Point_Test
2. Manually created a shadow copy
3. Copied a file into the folder
4. Manually created a 2nd shadow copy
5. Removed the file and added another of similar size
6. Manually created a 3rd shadow copy
7. Removed the 2nd file
8. Logically imaged C: with FTK Imager

Win7_VSC_Restore_Point_Test.E01

Volume Shadow Copy Analysis


ewfmount Win7_VSC_Restore_Point_Test.E01 /mnt/ewf
vshadowmount -o 0 /mnt/ewf/ewf1 /mnt/vss
mount -o loop,ro /mnt/vss/vss1 /mnt/shadow_mount/vss1
mount -o loop,ro /mnt/vss/vss2 /mnt/shadow_mount/vss2
mount -o loop,ro /mnt/vss/vss3 /mnt/shadow_mount/vss3

(The mount points /mnt/ewf, /mnt/vss and /mnt/shadow_mount/vss1 through vss3 must exist before the commands above are run.)

Examine the folders under the three mounted restore points for the files I created in C:\Users\SANSForensics408\Desktop\Restore_Point_Test.

Mount the dblake Image in the Linux SIFT Kit as before

xp_dblake.dd mounted

(8) Internet Explorer

Run galetta against all of the Donald Blake user's cookie files

Galetta

Examine the output

Look at the __utma Google Analytics cookies for various websites, and decode the dates using dcode.exe on the Windows SIFT Kit.
From this, what were three different dates when the subject visited winzip.com?
Run 1183244089, 1231967273, and 1231967349 through dcode to get the associated UNIX text timestamp values.

__utma (Timestamps in UNIX Epoch Time)

Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N

XXXX  Hash of the client's domain
RRRR  Random unique ID for the client
FFFF  Date of first visit to the site (probably following the last clear of cookies)
PPPP  Timestamp of the previous (last) visit
CCCC  Current timestamp
N     Number of sessions since first visit (incremented each time a new session is started after the first)
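The __utma layout above can be decoded without dcode.exe. The following parser is an added example, not part of the lab or of the Galetta tool; the domain hash and visitor ID in the sample cookie are constructed, while the three timestamps are the values the lab asks you to run through dcode.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Utma:
    domain_hash: str             # XXXX: hash of the client's domain
    visitor_id: str              # RRRR: random unique ID for the client
    first_visit: datetime        # FFFF: first visit to the site
    previous_visit: datetime     # PPPP: previous (last) visit
    current_visit: datetime      # CCCC: current visit
    session_count: int           # N: sessions since first visit


def epoch_to_utc(value: str) -> datetime:
    """Decode a UNIX epoch-seconds string into an aware UTC datetime."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_utma(value: str) -> Utma:
    """Parse a __utma cookie value of the form XXXX.RRRR.FFFF.PPPP.CCCC.N.

    Raises ValueError on a malformed value so a bad cookie is not silently
    decoded into a bogus timeline entry.
    """
    parts = value.strip().split(".")
    if len(parts) != 6:
        raise ValueError(f"expected 6 dot-separated fields, got {len(parts)}")
    domain_hash, visitor_id, first, prev, cur, count = parts
    for name, field in (("FFFF", first), ("PPPP", prev), ("CCCC", cur), ("N", count)):
        if not field.isdigit():
            raise ValueError(f"field {name} is not numeric: {field!r}")
    return Utma(domain_hash, visitor_id, epoch_to_utc(first),
                epoch_to_utc(prev), epoch_to_utc(cur), int(count))


def visit_dates(value: str) -> list[str]:
    """Return the first, previous and current visit times as UTC strings."""
    u = parse_utma(value)
    return [t.strftime("%Y-%m-%d %H:%M:%S UTC")
            for t in (u.first_visit, u.previous_visit, u.current_visit)]


# Constructed sample: hash and visitor ID are made up; the timestamps are the
# three values from the lab (first, previous and current visit to winzip.com).
SAMPLE_UTMA = "123456789.987654321.1183244089.1231967273.1231967349.3"

if __name__ == "__main__":
    for label, ts in zip(("first", "previous", "current"), visit_dates(SAMPLE_UTMA)):
        print(f"{label:9s} {ts}")
```

The decoded times are UTC; convert to the subject's local time zone before comparing them with other artifacts that record local time.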

Run pasco against the dblake Internet Explorer Cache index.dat file

Examine Pasco Output

1. Open OpenOffice
2. Insert -> Sheet from file
3. Check the tab-delimited box
4. After importing, reformat column widths and select wrap on
5. Sort all below the header by column D (ACCESS TIME)

Run id32 against all dblake index.dat files

Id is in the Linux SIFT Kit according to the docs, but I can't find it.
Download from http://tzworks.net/download_links.php
Both Linux and Windows versions are available.

Examine id32 Output

1. Open OpenOffice
2. Insert -> Sheet from file
3. Check the comma-delimited box
4. After importing, reformat column widths and select wrap on
5. Sort all below the header by columns C (access date) and D (access time)

Questions?
