500.4 - Email, Key Additional Artifacts, and Event Logs Flashcards
E-mail Forensics Overview
- Who, When, Where, Relevant
- Host-based, servers, Cloud, Mobile
- What can we Analyze?
- Mail Header, Message Body, Attachment
E-mail Headers
- Message-ID - Unique Fingerprint
- Received - Who sent the email - Start @ bottom - In reverse order
- X-Originating-IP - Client IP Address (Public = Off)
- X-Mailer - What client program generated the email
Email Authenticity
- Valid SPF & DKIM increases trust
- Sender Policy Framework (SPF) - Validate sending IP Address to Orig. Domain
- DomainKeys Identified Mail (DKIM) - Verifies that message content has not changed via digital signature
Message-ID Threading (References and In-Reply-To)
- Message-IDs can be used to identify related emails (thread) via References & In-Reply-To
Extended MAPI Headers
- Tracks add'l timestamps, unique IDs, last action
- Messaging Architecture - Core component of Exchange & Outlook
Host-Based E-mail
- On Local Machine, Identify email locations, deleted email archives
Microsoft Outlook - File Ext: (.PST)
- Email archive stored by default
- Encrypted/obfuscated by default
- Up to 5GB saved
Location
- "User"\AppData\Local\Microsoft\Outlook (2010 & earlier)
- "User"\Documents\Outlook (2013/2016)
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Offline Folder Files (.OST)
- Cached Exchange Mode (Offline mail access)
- Syncs with Server
- Locally Stored, 50 GB
Location
- C:\Documents and Settings\"User"\Local Settings\Application Data\Microsoft\Outlook
Outlook Attachment Recovery
- Uses a “Secure Temp Folder” to open attachments
- Located under Internet Explorer cache folders - Temporary Internet Files (pre-Win10) and INetCache (IE11+)
- Previewed and opened attachments can be recovered
- Prior to 2007, attachments persisted until Disk Cleanup
- After 2007, attachments remain only if the message/Outlook is closed before the attachment
Location
- AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook
- AppData\Local\Microsoft\Windows\INetCache\Content.Outlook (IE11+)
- HKCU\Software\Microsoft\Office\"Version"\Outlook\Security\OutlookSecureTempFolder
E-mail Encryption
- Individual message encryption is most common
- Uses a public-key protocol like Secure MIME (S/MIME) or PGP/MIME (.pgp, .p7m file extensions)
- Not decrypted en route
- Encrypted messages will show:
- -----BEGIN PGP MESSAGE-----
- -----END PGP MESSAGE-----
Microsoft Exchange (.edb, ESE, .stm)
- Database for user mailboxes
- (2007 +) in .EDB format
- Extensible Storage Engine (ESE) format; previously .EDB & .STM files together composed the database
- .EDB stores mail, attachments, contacts, Journal, notes, tasks, calendar, & address book entries
- .log files contain messages not yet written to .EDB
- Can be exported in .PST file format
Location
- C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb
“Recoverable Items” in Exchange
- Deletions - Items removed from user's Deleted Items folder; deleted mail from POP or IMAP accounts
- Purges - Temp location for hard-deleted items from Deletions folder & items that exceed retention period
- Discovery Hold - Deleted items from mailboxes placed on hold
- Versions - Copy-on-write changes to items in active mailboxes placed on hold
- Audits - Audit log entries for mailboxes with auditing enabled
- Calendar Logging - Calendar changes when calendar logging is enabled
- Message Tracing - log showing message defaults of sent & received mail
- Email retained for 14 days, & mailboxes for 30 days
- 2010 includes indexing & retention for ALL deleted objects
- Maintains versions of emails
- Can freeze logs to prevent deletion
- Unread emails still in “transit”
Online Acquisition Windows Server Backup
- Used with Win 2008 + / Exchange 2007 +
- Uses Volume shadow copies
- ensures database consistency
- Cannot back up and restore individual mailboxes
- Exchange databases must be stored together
- Backups stored as VHD files
Unified Audit Logs in O365
- Search & Export logs
- Exchange Online, SharePoint Online, OneDrive for Business, Azure AD
- Not enabled by default
- Has to be turned on for EACH user - 90 day retention
- No default logging for owners, viewed messages only for admin users, no logoff events, IP & client included
Webmail Forensics
- Emails normally stored on ISP servers
- Possible exception for POP or IMAP
- User IP address & subscriber info may be available from the ISP
- Look for webmail addresses
- Cached copies can be recovered
- Can perform keyword searching & carving of webmail fragments
- Protected storage & auto complete functions
Compressed Webmail Remnants
- Webmail is often compressed
- Cache may not be in HTML format
- File signature analysis might be required to identify compressed zip files
Mobile E-mail
- Mobile devices receive email from a webmail or corporate server
- Mail often stored in both locations
- Consider Mobile Device Management (MDM)
- Phone, SMS/MMS, BBM, & PIN metadata logs
- MDM, like BlackBerry UEM & Global Relay, may archive content (Android/Blackberry only)
- Look for local backup copies
- .PST, Blackberry .BBB/.IPD, and Android .ab files
- iOS “Apple Computer” folder or search for manifest.plist
Windows Search Database (.edb)
- Collects - Files, emails, Content related items
Location
- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (Win7+)
- C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (XP)
ESE NT Utilities - Windows.edb
- esentutl tool is used for defragmentation, recovery, integrity checking, data dumping, and repair of ESE databases
Thumbnail Forensics - thumbs.db (2)
- Hidden file in a directory where images exist on the machine; stores smaller thumbnail graphics
- thumbs.db catalogs pictures in a folder & stores a copy of the thumbnail even if the pictures were deleted
- WinXP - Automatically created anywhere
- Win7/8/10 - Automatically created anywhere accessed via a UNC path (local to remote)
- GoPro - Displays on camera screen
- Includes thumbnail of pic/doc, Last Mod (XP), Original filename (XP)
Location
- C:\Users\"user"\Documents (Win7)
Win7/Win8/Win10 Thumbcache
- Thumbnails only (S-32, M-96, L-256, XL-1024)
- Location MIGHT be stored, Date/Time not stored
Location
- C:\Users\"user"\AppData\Local\Microsoft\Windows\Explorer
Mapping Filenames to Thumbcache
- Windows.edb & Thumbcache
- CANNOT be dirty, must be recovered
Recycle Bin Forensics
- Hidden system folder
- Subfolder is created with the user's SID
- Contains recovery files
- “Recycler” 2000/NT/XP/2003 - before Vista
- Hidden file in a directory called “INFO2”
- INFO2 contains deleted time & original filename
- INFO2 maps the recycle bin filename to the time & date that the file was deleted as well as the true filename of the file (Full path name, time, & date)
- Filename in both ASCII & UNICODE
- “$Recycle.bin” Vista+
- Deleted time & original filename contained in separate files for each deleted recovery file
Win7/Win8/Win10 Recycle Bin
- Under $Recycle.bin & SID
- Files prefixed with $I###### contain the original path & name and the recycled/deleted date & time
- Files prefixed with $R###### contain the actual file recovery data, i.e. the original file that has been moved into the recycle bin
Parsing Recycle Bin (recbin.exe)
- Parses contents of INFO2 or $I files
Windows 10 Timeline (4)
- Visible
- Edge (Browsing History)
- Office 2016 suite (files accessed)
- Windows Photo viewer (photos viewed)
- Other Windows Apps & more promised
Not Visible
- App exe
- Focus count per application
Location
- C:\Users\AppData\Local\ConnectedDevicesPlatform\L.\ActivitiesCache.db
- WxtCmd.exe
Windows Prefetch Superfetch (5)
- WinXP+ = C:\Windows\Prefetch
- Increases performance of the system by pre-loading code pages
- Cache manager monitors all files & directories & maps them into a .pf file
- Shows app exe (what & when)
- XP-7 limited to 128 files, 1024 limit for Win8+
- Disabled on systems with SSD, enabled by default otherwise
- Win10 - Prefetch files are compressed
- layout.ini file contains original path names of files located in prefetch
Prefetch Analysis
- Date/time .exe was first executed
- Creation date of .pf file minus 10 secs
- Date/time .exe was last executed
- Exact time stored in the .pf file
- Win8+ - last 8 times
- Last mod date of .pf file minus 10 secs
What can SRUM tell us?
- Processes ran - AppID & path, user executing path, app energy usage, bytes sent, bytes received
- Network activity - network interface, network name, bytes sent/received, connection time/duration
- App push notification - AppID, user, payload size
- Energy Usage - Charge capacity, charge level, time
SRUM Database & Registry Locations
- 30 to 60 days of historical system performance
- Networks connected to, duration of connection, and bandwidth usage per hour
- Apps run, user account responsible for each, and application & bytes sent/received per application per hour
- App push notifications & payload size of each notification
- Energy usage including battery charge & CPU cycles
Location
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
- C:\Windows\System32\SRU
SRUM Registry Keys
- Under SRUM Registry Keys there are 3 subkeys
- Parameters
- Telemetry
- Extensions
- Temporary data is written to 5 subkeys in Windows 8.1 & 6 keys in Windows 10 that correspond to the tables in the SRUM database
Windows Events
- Records:
- Software
- Hardware
- OS functions
- Security
- Multiple events = event log
Event Log Analysis
- What - Event ID, event category, description
- Date/Time - Timestamp
- Users Involved - User account, Description
- Systems involved - Hostname, IP Address
- Resources accessed - Files, folders, printers, services
Where to find Event Logs
- NT/Win2000/XP/Server2003
- .evt file type
- %Systemroot%\System32\Config
- Filenames - SecEvent.evt, AppEvent.evt, SysEvent.evt
- Win Vista, 7-10 & Server 2008, 2012, 2016
- .evtx file type
- Remote log server
- Filenames - SecEvent.evtx, Application.evtx, SysEvent.evtx - %Systemroot%\System32\winevt\logs
.evtx Log Format
- Memory efficiencies - cost effective
- XML & Filtering
- improved Messaging
- IP Address
- EventIDs changed
- Expanded # event logs
- increased granularity of audit controls
Types of Event Logs
- Security - Records access control & security settings, events based on audit/ group policy (failed logon/folder acc)
- System - Events related to Windows services, system components, drivers, resources (service stopped/system rebooted)
- Application - Software events unrelated to OS (SQL server fails to access a database)
- Custom - Custom App logs (Server logs w/ directory service, DNS server, & file replication service)
Applications and Services Logs
- Stored with standard events
- %Systemroot%\System32\winevt\logs
- Setup - Records installation & update info for Windows
- Fwd Events - Repository for events retrieved from other systems
- Apps & Serv - Over 60 logs (Task Scheduler, RDP, Win Firewall, Win Defender)
Security Log
- Most commonly reviewed log in forensics
- User auth/logon
- Behavior & actions
- File/folder/share access
- Security settings
- Failure and success can be audited
- Detailed logging can be enabled on specific user accounts
- Only LSASS updates it
What is Recorded? Security Event Categories
- Account Logon
- Account Mgt
- Directory Service
- Logon events
- Object access
- Policy change
- Privilege use
- Process tracking
- System events
Event Types
- Error
- Warning
- Information
- Success Audit
- Failure Audit
Identifying Logon Sessions
- Use Logon ID to link a logon with a logoff and determine session length
- Session time = (25m)