Book Two- Chapter Four-Forensics I Flashcards
What kinds of volatile information can an investigator get from a system?
- Volatile information is information that is lost the moment a system is powered down or loses power.
- Usually exists in physical memory (RAM), and consists of information about processes, network connections, open files, clipboard contents. It describes the system state at a particular point in time.
- One of the first things that an investigator collects is the contents of RAM. Investigators minimize the impact of their data collection on the contents of RAM.
- Specific types of volatile information that investigators should collect:
- System time
- Logged-on-user(s)
- Open files
- Network information
- Network connections
- Process Information
- Process-to-port mapping
- Process Memory
- Network Status
- Clipboard contents
- Service/driver information
- Command history
- Mapped drives
- Shares
*System time: time /t (and date /t)
Gives context to the info collected later in the investigation and enables an investigator to establish an accurate timeline of events that have occurred on the system.
- Uptime: the amount of time that the system has been running is also important
- Logged-On Users:
PsLoggedOn: best-known tool for determining logged-on-users. Shows the investigator the names of the users logged on locally as well as those users logged on remotely.
Net Session: shows not only the names of the users accessing the system via a remote login session but also the IP address and the types of clients from which they are accessing the system.
LogonSessions: Lists all the active logon sessions on a system. Provides more information than the other tools: lists the authentication package used, the type of logon, and the active processes.
*Open Files: If there are users logged into a system remotely, investigators should also see what file they have open, if any. A user in a corporate environment could have a share available to allow other users to view images or download songs. Poorly protected Windows systems that are connected to the Internet with no administrator password and no firewall are vulnerable to remote users.
Net File: Displays the names of all open shared files on a system and the number of file locks, and closes individual shared files and removes file locks.
PsFile: shows a list of files on a system that are open remotely. It also allows a user to close open files either by name or by file identifier.
Openfiles: Used to list or disconnect all files and folders that are open on a system
*NetBIOS Name Table Cache: nbtstat -c
When intruders gain access to a system, they want to know what other systems are available on the network and can be seen (in the network-centric sense) by the system they have compromised. Intruders can find this information in a variety of ways; sometimes they execute batch files on the system, and other times they launch net view commands via SQL injection, using a browser to send commands to the system through the Web and database servers. When connections are made to other systems using NetBIOS communications, the systems maintain a list of the other systems they have connected to. By viewing the contents of the name table cache, an investigator might be able to determine which other systems have been affected.
Cache: a set of duplicate data stored in a temporary location so that a computer system can access it rapidly. In this case, it is the set of systems that the computer has recently connected to by NetBIOS name.
The user can type nbtstat -c to view the cached NetBIOS names on the system.
*Network Connections: As soon as possible after an incident is reported, the investigator should collect information regarding network connections to and from the affected system. This information expires over time, and if too much time passes it will be lost. An investigator might approach a system and, after an initial look, determine that the attacker is still logged in to the system. Or the investigator could find that a worm or an IRC bot is communicating from the system, searching for other systems to infect, updating itself, or logging in to a command-and-control server. This information can provide important clues and add context to other information that the investigator has collected.
Netstat: allows a user to collect information regarding network connections on a Windows system. It provides a simple view of TCP and UDP connections and their state, along with network traffic statistics. Netstat is a native tool, meaning that it is provided as part of the OS distribution. The most common way to run netstat is with the -ano switches (-a: all connections and listening ports; -n: numeric addresses rather than resolved names, which also avoids generating DNS traffic from the suspect system; -o: owning PID), which tell the program to display the TCP and UDP network connections, the listening ports, and the identifiers of the processes (PIDs) using those connections. Running netstat with the -r switch displays the routing table.
*Process Information: The investigator needs to discover what processes are running on a potentially compromised system. A process is an instance of an application or program that is being executed. When viewing the running processes in Task Manager, the investigator can see some information about each process. However, there is much more information that is not visible in Task Manager that the investigator needs to collect.
Types of info an investigator needs to know about running processes:
- The full path to the executable image (.exe file)
- The command line used to launch the process, if any
- The amount of time that the process has been running
- The security/user context that the process is running in
- Which modules the process has loaded
- The memory contents of the process
Tool: Tlist (included as part of the Microsoft Debugging Tools) displays information about running processes. Ex: the -s switch displays the session identifier, process identifier (PID), process name, associated services, and command line used to launch the process. It also allows an investigator to search for all processes that have a specific module loaded, using the -m switch. Ex: wsock32.dll provides networking functionality and is described as the Windows Socket 32-Bit DLL. To list all the processes that have this module loaded, an investigator would type the following command:
tlist -m wsock32.dll
Tool: Tasklist, a native utility included with Windows XP Professional, Windows 2003, and newer Windows OS, is a replacement for tlist. The differences between the two are subtle: just the name and the implementation of the switches. The tasklist command provides options for output formatting, with choices between table, CSV, and list formats (/fo table, /fo csv, /fo list). The /v (verbose) switch provides the most information about the listed processes, including the image name (but not the full path), PID, name and number of the session for the process, the status of the process, the user name of the context in which the process runs, and the title of the window, if the process has a GUI. An investigator can also use the /svc switch to list the service information for each process.
tasklist /v provides the most info***(but not the full path)
tasklist /svc lists the service info for each process
Tool: PsList displays basic information about running processes on a system, including the amount of time each process has been running (in both kernel and user modes). The -x switch displays details about the threads and memory used by each process. The -t switch displays a task tree in much the same manner as tlist. PsList does not show: the path to the image, the command line used to launch the process, or the user context in which the process runs.
pslist -x: details about the threads and memory used by each process
pslist -t: task tree (same as tlist -t)***does not show full path
Tool: ListDLLs shows the modules or DLLs a process is using. ListDLLs shows the full path to the image of the loaded module as well as whether the version of the DLL loaded in memory is different from that of the on-disk image. This information can be important to an investigator because each program loads or imports certain DLLs. These DLLs provide the actual code that is used, so application developers do not have to rewrite common functions each time they write a new application. Each DLL makes certain functions available, listing them in its export table, and programs access these functions by listing the DLL and the functions in their import tables.
Spyware, Trojans, and even rootkits use a technique called DLL injection to load themselves into the memory space of a running process. They do not show up in a process listing because they are actually part of another process. This is different from a child process, because the executing malware does not have its own PID. In the ListDLLs output, the tell an investigator looks for is a module loaded from an unusual path (a user-writable directory rather than a system directory) or a system DLL name whose in-memory version does not match the on-disk file.
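The following is an added example (written for these notes; it is not code from the original flashcards or from Sysinternals) that does in code what the tlist -m and ListDLLs discussion above does by eye: it parses module listings, answers "which processes have wsock32.dll loaded?", and flags any module loaded from outside a set of trusted directories. The text is constructed in the shape of ListDLLs output (process header line, then one line per module with base address, size and path); the trusted-directory baseline is an assumption to adjust per host, and the wsock32.dll under C:\Users\Public is planted for the demonstration.

```python
"""Flag loaded modules that fall outside trusted directories.

Added example for these notes, not code from the original flashcards or from
Sysinternals. SAMPLE is constructed in the shape of ListDLLs output so the
parser runs offline; on a live system you would feed it the captured output.
TRUSTED_PREFIXES is an assumed baseline, not a fact from the notes.
"""
import re

SAMPLE = r"""
------------------------------------------------------------------------------
explorer.exe pid: 1480
Command line: C:\Windows\Explorer.EXE

Base                Size      Path
0x00007ff6a0000000  0x2f0000  C:\Windows\Explorer.EXE
0x00007ffd1c000000  0x1f0000  C:\Windows\SYSTEM32\ntdll.dll
0x00007ffd1b000000  0x0b0000  C:\Windows\System32\KERNEL32.DLL
------------------------------------------------------------------------------
svchost.exe pid: 3388
Command line: C:\Windows\System32\svchost.exe -k netsvcs

Base                Size      Path
0x00007ff7b0000000  0x010000  C:\Windows\System32\svchost.exe
0x00007ffd1c000000  0x1f0000  C:\Windows\SYSTEM32\ntdll.dll
0x0000000180000000  0x020000  C:\Users\Public\Music\wsock32.dll
"""

# Assumed baseline: directories from which modules are normally loaded on this host.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

HEADER = re.compile(r"^(\S+) pid: (\d+)$")
MODULE = re.compile(r"^0x[0-9a-f]+\s+0x[0-9a-f]+\s+(.+?)$", re.IGNORECASE)


def parse_listdlls(text):
    """Return {pid: (image_name, [module paths in load order])}."""
    procs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), [])
            continue
        m = MODULE.match(line)
        if m and current is not None:
            procs[current][1].append(m.group(1))
    return procs


def untrusted_modules(procs, trusted_prefixes=TRUSTED_PREFIXES):
    """(pid, image, path) for every module loaded from outside the baseline.
    A system DLL name sitting in a user-writable directory is the classic
    DLL-injection or DLL-hijacking tell."""
    return [(pid, image, path)
            for pid, (image, mods) in procs.items()
            for path in mods
            if not path.lower().startswith(trusted_prefixes)]


def processes_with_module(procs, module_name):
    """The tlist -m question: which PIDs have this module (by file name) loaded."""
    wanted = module_name.lower()
    return sorted(pid for pid, (_, mods) in procs.items()
                  if any(p.lower().rsplit("\\", 1)[-1] == wanted for p in mods))


if __name__ == "__main__":
    procs = parse_listdlls(SAMPLE)
    print("wsock32.dll loaded by:", processes_with_module(procs, "wsock32.dll"))
    for pid, image, path in untrusted_modules(procs):
        print(f"REVIEW pid {pid} ({image}) loaded {path}")
```

The match is on file name only, deliberately: a copy of a legitimate DLL name in the wrong directory is exactly what the path check is meant to surface.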
Tool: Handle
Shows the various handles that processes have open on a system. This applies not only to open file handles (for files and directories) but also to ports, registry keys, and threads. This information can be useful for determining which resources a process is accessing while it is running.
*Process-to-Port Mapping: When there is a network connection open on a system, some process must be responsible for and must be using that connection. Every network connection and open port is associated with a process.
Port: a logical endpoint that allows data to be sent from one application to another. Several tools are available to an investigator to retrieve this process-to-port mapping. The investigator can use the following tools and commands to retrieve it:
Netstat command: On Windows, the netstat command with the -o switch displays the process ID of the process responsible for each network connection. Once this information is collected, an investigator will need to correlate it with the output of a tool such as tlist or tasklist to determine the name (and additional information) of the process using the connection. As of Service Pack 2, Windows XP's version of netstat has an additional -b option that displays the executable involved in creating each connection or listening port. This switch is also included in netstat on Windows Server 2003 SP1 and above and can provide more information about the process using a particular port; note that -b requires administrative privileges. In some cases, the output will also show some of the modules (DLLs) used by the process.
Fport tool: Fport has long been one of the tools of choice for obtaining the process-to-port mapping from a Windows system. The output of the tool is easy to understand; however, the tool needs to be executed using an account with administrative privileges. This can be an issue if investigators are responding to a situation in which the logged-in account is a regular user account.
OpenPorts tool: This tool allows for multiple output formats (including netstat-style, fport-style, and CSV, i.e. comma-separated values, a plain-text format for tabular data) and does not require that an account with administrative privileges be used.
When run with the -fport switch, OpenPorts provides an fport-style output and displays the PID, the name of the process, the number of the port, the protocol (TCP or UDP), and the path to the executable image for each process. Using the -netstat switch, OpenPorts displays its output similar to that of netstat, so only the PIDs are displayed and not the path to the executable image.
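The correlation step described above (netstat -o gives only PIDs, so they have to be joined against a process listing) is shown below as an added example written for these notes; it is not code from the original flashcards or from any of the tools named. Both text samples are constructed to match the shape of `netstat -ano` and `tasklist /fo csv` output, and the "expected foreign ports" set used for flagging is an assumed baseline, not something the notes state.

```python
"""Process-to-port mapping from captured netstat and tasklist output.

Added example for these notes, not code from the original flashcards. The
two samples are constructed in the shape of `netstat -ano` and
`tasklist /fo csv` output; on a live system, paste in the captured text.
EXPECTED_FOREIGN_PORTS is an assumed baseline for the review step.
"""
import csv
import io
import re

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49711     203.0.113.7:6667       ESTABLISHED     3388
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49720     198.51.100.9:443       ESTABLISHED     2222
  UDP    0.0.0.0:123            *:*                                    1184
  UDP    0.0.0.0:5355           *:*                                    3388
"""

TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,204 K"
"svchost.exe","912","Services","0","9,876 K"
"svchost.exe","1184","Services","0","8,120 K"
"svchost.exe","3388","Console","1","14,332 K"
'''

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

EXPECTED_FOREIGN_PORTS = {135, 445, 123, 5355, 443}   # assumed baseline


def parse_netstat(text):
    """One dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        local_ip, local_port = local.rsplit(":", 1)   # rsplit copes with [::]:135
        rows.append({"proto": proto, "local_ip": local_ip,
                     "local_port": int(local_port), "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def process_to_port_map(netstat_text, tasklist_text):
    """Join the two snapshots on PID. A PID with no tasklist entry is kept and
    labelled '<unknown>': the process may have exited between the two
    commands, or something may be hiding it from the process list. Either
    way it deserves a second look rather than being silently dropped."""
    names = parse_tasklist_csv(tasklist_text)
    return [{**row, "image": names.get(row["pid"], "<unknown>")}
            for row in parse_netstat(netstat_text)]


def review_candidates(joined, expected_ports=EXPECTED_FOREIGN_PORTS):
    """Established connections to a foreign port outside the baseline, plus
    any connection owned by a PID that has no process name."""
    hits = []
    for row in joined:
        if row["image"] == "<unknown>":
            hits.append(row)
            continue
        if row["state"] == "ESTABLISHED":
            foreign_port = int(row["foreign"].rsplit(":", 1)[1])
            if foreign_port not in expected_ports:
                hits.append(row)
    return hits


if __name__ == "__main__":
    joined = process_to_port_map(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in joined:
        print(f'{r["proto"]:<4} {r["local_ip"]}:{r["local_port"]:<6} '
              f'{r["foreign"]:<22} {r["state"]:<12} {r["pid"]:<6} {r["image"]}')
    for r in review_candidates(joined):
        print("REVIEW:", r["pid"], r["image"], "->", r["foreign"])
```

Take the two snapshots back to back: the join is only as good as the gap between them, which is why a PID present in netstat but absent from tasklist is reported rather than dropped.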
*Network status
Getting information about the status of the network interface cards (NICs) connected to a system can be important to an investigator. Today many laptops come with built-in wireless NICs, so it may not be clear by looking at the desktop whether or not the system is connected to a wireless access point and, if so, what IP address it is using. Knowing the status of the NICs prior to the acquisition of a system can provide insight into a follow-on investigation.
Network status detection:
Ipconfig command
PromiseDetect tool
Promqry tool
Tool:Ipconfig
Utility native to Windows systems that the investigator can use to display information about the NICs and their status. The most useful switch for investigators is /all, which displays the network configuration of all the NICs on the system. This information includes the state of the NIC, whether DHCP is enabled or not, the IP address of the NIC, the physical (MAC) address, and more. This information can be useful during an investigation because the system's activity may need to be matched against network traffic logs, and the IP address of the system could have been modified at some point. Also, many Web-based e-mail services record the IP address of the system from which an e-mail was drafted (the address the mail service's Web server saw the browser connect from) in the headers of the e-mail.
Tool: PromiscDetect
Sometimes compromised systems will have a network "sniffer" installed to capture network traffic, such as login credentials to other systems, or to develop a picture of what other systems are on the network and what services they are running. Some malware payloads include this capability, or it can be a follow-on download installed by an attacker. For the NIC to capture network traffic in this manner, it has to be placed in "promiscuous" mode. This is not something an administrator or investigator will notice in passing, because there is nothing obvious to indicate that the NIC is in promiscuous mode.
promiscuous mode: the state of a NIC in which it passes up all network traffic it sees, rather than only the traffic arriving with the card's own MAC address as the destination. There is no System Tray icon or Control Panel setting that clearly indicates to the investigator that the system is being used to "sniff" traffic.
There are tools available that can detect if the NIC is in promiscuous mode. One such tool is PromiscDetect; another is Promqry. The primary difference between the two tools is that Promqry can be run against remote systems, allowing an administrator to scan systems within the domain for systems that might be sniffing the network.
Tool: Promqry
Used for detecting when Windows computers on your network have network interfaces operating in promiscuous mode (sniffing network traffic). It has both a command-line interface and a GUI. An investigator or administrator can run the command-line version and dump its output to a text file. Promqry cannot detect standalone sniffers or sniffers running on non-Windows OSs.
*Clipboard Contents
The clipboard is simply an area of memory where data can be stored for later use. Most Windows applications provide this functionality through the EDIT option on the menu bar. Clicking EDIT reveals a drop-down menu with choices like CUT, COPY, and PASTE. The clipboard is often used to facilitate moving data in some fashion, between documents or between application windows on the desktop. The user selects text or other data, chooses COPY, and then chooses PASTE to insert that data somewhere else. The CUT function moves the data from the document the user is working on, and the data go into the clipboard. What people don't always realize is that something they copy to the clipboard on a Monday will still be there on Thursday, if they don't replace the clipboard contents with something else and if they don't log out.
Pclip is a command-line utility that an investigator can use to retrieve the contents of the clipboard.
Service/Driver Information:
Services and drivers are started automatically when the system starts, based on entries in the registry (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services). A driver is a small program that allows a computer system to communicate with a hardware device attached to the system. A service is a non-interactive program that helps the OS and applications perform their tasks. Most users do not even see these services running as processes on the system. Not all services are necessarily installed by the user or even the system administrator. Some malware installs itself as a service or even as a system driver. On a live system, sc query lists the installed services and their state, and driverquery lists the installed drivers.
Command History
Can provide valuable information to an investigator. To see previously typed commands in a command shell, an investigator can scroll up in the window, but that only goes so far. If the attacker typed the cls command to clear the screen, the investigator would not be able to use the scroll bar to see any of the commands that had been entered. Instead, the investigator can use the doskey /history command, which shows the complete history of the commands typed into that prompt. This history belongs to that console session only and is gone once the window is closed, which is why it counts as volatile.
cls clears the screen
doskey /history shows the complete history of the commands typed into the prompt
Mapped Drives:
During an investigation, the investigator might want to know what drives or shares the system under investigation has mapped to. These mappings could have been created by the user, and they might be an indication of malicious intent. There might be no persistent information within the file system or registry for these connections to mapped shares on other systems, though the volatile information regarding drive mappings (net use lists the current mappings) can be correlated to the network connection information that the investigator has already retrieved.
Shares
Besides resources used by the system, an investigator also needs to acquire information regarding those resources that the system is making available. Information about shares available on a system is maintained in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares key, but it can also be retrieved from a live system using a command such as net share.
What kinds of non-volatile information can an investigator get from a system?
Nonvolatile info is kept on secondary storage devices and persists after a system is powered down. It is non-perishable and can be collected after the volatile information is collected:
- Hidden files
- Slack space
- Swap files
- Index.dat files
- Metadata
- Hidden ADS (alternate data streams)
- Windows Search index
- Unallocated clusters
- Unused partitions
- Hidden partitions
- Registry settings
- Connected devices
- Event logs
dir /o:d in the %SystemRoot%\system32 directory at a command prompt. This command sorts the listing by date and enables the investigator to examine:
- The time and date of the installation of the OS
- The service packs, patches, and subdirectories that automatically update themselves often
- When examining the files, the investigator should focus on recently dated files.
*Registry Settings
Several registry values and settings could impact the follow-on forensic analysis and investigation. There are several tools for collecting information from the registry. An investigator can use reg (a command-line tool that is part of the Windows 2000 Support Tools and native to Windows XP and 2003) to access and manage the registry; for example, reg query followed by a key path reads that key's values.
The following two registry values that can greatly affect an investigation:
*ClearPageFileAtShutdown: this registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown) tells the OS to clear the page file when the system is shut down. Because Windows uses virtual memory, some memory used by processes is paged out to the page file, so the page file can contain information such as decrypted passwords, portions of IM conversations, and other strings and bits of information that might provide important leads in an investigation. If the value is set to 1, the file is overwritten during shutdown and this valuable information becomes much more difficult to obtain, which is one more reason to capture volatile data before the system is powered down.
*DisableLastAccess: Windows has the ability to disable updating of the last access times on files. This was meant as a performance enhancement, particularly on high-volume file servers. On normal desktops and laptops, this setting does not provide any noticeable improvement in performance. To activate this capability, a user sets the following value to 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate. Windows Vista and later set this value to 1 by default, so on those systems last-access times should not be relied on unless the setting has been checked.
On Windows XP and 2003 systems, this setting can be queried or changed via the fsutil command. Ex: to query the setting, a user can enter:
fsutil behavior query disablelastaccess
Another area of the registry that can provide information is the Protected Storage area. The information held in Protected Storage is maintained in an encrypted format in the registry, under each user's SID. An administrator or investigator can map those SIDs to user profiles in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList key.
*Event Logs
Stored in files within the file system, and can change rapidly depending on how they are configured and what events are being audited.
Depending on how the audit policies are configured on the victims system and how investigators are accessing it as the first responder, entries can be generated within the event logs.
Investigators can use tools such as PsLogList and DumpEvt to retrieve the event records, or they can copy the event log files themselves off the system.
*Index.dat File
The Internet Explorer (IE) Web browser uses index.dat files as a database that is active as long as a user is logged on in Windows. It is a repository of redundant information, such as visited URLs, search queries, recently opened files, and form AutoComplete information. Its role is similar to that of an index file in a database, where a technique called indexing stores the contents of a database in a different order to speed up query responses. Similarly, when the AutoComplete function is enabled in IE, every Web address visited is stored in the index.dat file, allowing IE to attempt to find an appropriate match when a user types in an edit field. Separate index.dat files exist for the IE history, cache, and cookies.
In Windows 8, IE 10 does not use index.dat files. The indexing is implemented in an ESE (Extensible Storage Engine) database: the WebCacheV01.dat file in the C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache folder plays a similar role.
A user might be able to see index.dat files in some locations, and will also be able to see the counters.dat, container.dat, and suggested sites.dat files in the Temporary Internet Files folder, or the History and Cookies folders.
*Connected Devices
An investigator may want to document what devices are connected to a system he/she is investigating. They can use DevCon (devcon.exe), available from Microsoft, to document devices that are attached to a Windows system. DevCon, a command-line alternative to Device Manager, can show available device classes as well as the status of the connected devices. Investigators can use DevCon to enable, disable, install, configure, and remove devices; on a system under investigation they should confine themselves to listing (e.g. devcon status *) so as not to alter the evidence. DevCon runs on Microsoft Windows 2000 and later versions of Windows.
Slack Space
The space between the end of a file and the end of the disk cluster it is stored in is slack space. In computer forensics, investigators examine slack space because it may contain meaningful data: residue from whatever previously occupied the cluster, or data deliberately placed there.
Slack space can be used to stealthily store data. If a user creates a small file, the rest of the cluster can be used reliably to store hidden data. This data is invisible to the file system and remains intact as long as the size of the file is not altered.
the procedure to gather info in slack space is:
- Connect ot the target computer and select the media
- Create a bit-level copy of the original media
- Verify the copy by generating its hash value
Investigate using keyword searches, hash analysis, and file signature analysis using a tool such as EnCase.
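The procedure above, carried out end to end on a tiny constructed disk image, as an added example written for these notes (not code from the original flashcards, EnCase or DriveSpy): build an image with an assumed 4096-byte cluster and a 1000-byte file whose slack holds a planted string, take a bit-level copy, verify it by hash, then locate the slack from the file size and cluster size and run a keyword search over it. The cluster size, file size and hidden string are all constructed for the demonstration.

```python
"""Slack-space carving on a constructed disk image.

Added example for these notes, not code from the original flashcards or from
any forensic suite. Cluster size, file size and the hidden payload are
assumptions made for the demonstration; the "image" is an in-memory buffer.
"""
import hashlib

CLUSTER_SIZE = 4096                        # assumed cluster size
FILE_SIZE = 1000                           # assumed logical size of the visible file
HIDDEN = b"ftp://203.0.113.7/drop.zip"     # constructed payload planted in slack


def build_image():
    """Two clusters: the file's data, then its slack (holding HIDDEN), then one
    unallocated cluster of zeros."""
    img = bytearray(2 * CLUSTER_SIZE)
    img[0:FILE_SIZE] = b"A" * FILE_SIZE
    img[FILE_SIZE:FILE_SIZE + len(HIDDEN)] = HIDDEN
    return bytes(img)


def bit_level_copy(image):
    """Byte-for-byte copy of the media, plus the hash of source and copy.
    The two digests must match before the copy is used for analysis."""
    copy = bytes(image)
    return copy, hashlib.sha256(image).hexdigest(), hashlib.sha256(copy).hexdigest()


def slack_range(file_size, cluster_size, first_cluster=0):
    """Byte offsets [start, end) of the slack after a file's last cluster,
    assuming the file's clusters are contiguous. A file whose size is an
    exact multiple of the cluster size has no slack."""
    clusters_used = -(-file_size // cluster_size)     # ceiling division
    start = first_cluster * cluster_size + file_size
    end = (first_cluster + clusters_used) * cluster_size
    return start, end


def extract_slack(image, file_size, cluster_size, first_cluster=0):
    start, end = slack_range(file_size, cluster_size, first_cluster)
    return image[start:end]


def keyword_hits(blob, keyword):
    """Offsets of every occurrence of keyword in blob (a plain keyword search)."""
    hits, pos = [], blob.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(keyword, pos + 1)
    return hits


if __name__ == "__main__":
    image = build_image()
    copy, src_hash, copy_hash = bit_level_copy(image)
    assert src_hash == copy_hash, "copy does not verify; do not analyse it"
    slack = extract_slack(copy, FILE_SIZE, CLUSTER_SIZE)
    print("slack bytes:", len(slack), "keyword offsets:", keyword_hits(slack, b"ftp://"))
```

Reading the file through the file system returns only its first FILE_SIZE bytes, so the planted string is invisible to a normal copy; only the sector-level image exposes it.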
Tool: DriveSpy
Uses DOS commands to navigate a system under investigation. DriveSpy does not use drive letters in the prompt, but rather a drive/partition combination (e.g., D0P1:\WINDOWS\SYSTEM) to eliminate confusion in the event the resident operating system has not assigned a drive letter to the drive being processed (such as when examining a FAT32 partition under DOS 6.22).
The following are the types of things DRIVE Spy processes:
- Large hard drives (greater than 8.4 GB)
- Floppy disks and removable media
- FAT 12/16/16x/32/32x partitions
- Hard drives without partitions
- Hidden DOS partitions
- Non-DOS partitions
- long file names
- File creation (Windows 95/98), modification (DOS), and access dates (Windows 95/98)
- Erased files (with companion log file name if one exists)
- Slack space
- Unallocated space
The following are some of the features DriveSpy includes:
- A built-in sector and cluster hex viewer that can be used to examine DOS and non-DOS partitions
- Configurable logging capabilities to document the investigation (keystroke by keystroke if desired)
- The ability to create and restore compressed forensic images of drive partitions
- Full scripting capabilities to automate processing activities
*SwapFile/Page File
Swap file- a space on a hard disk used as the virtual memory extension of a computer’s real memory (RAM).
Having a swap file allows the computer's OS to pretend that the system has more RAM than it actually does. The least recently used pages in RAM can be swapped out to the hard disk until they are needed later, so that new data can be brought into RAM. In some OSs, the units that are moved are called pages and the swapping is called paging.
One adantage of a swap file is that it can be organized as a single contiguous space so that fewer I/O operations are required to read or write a complete file. In general, Windows and UNIX-based OS provide a swap file of a default size that the user or a system administrator can usually change.
On Windows, the swap file is a hidden file in the root directory called pagefile.sys. The registry path for the swap file settings is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management (the PagingFiles value).
*Windows Search Index
maintains a record of any document or application on a PC, including the content of these files. Users can then quickly search for files using a variety of search techniques, including keyword and file name searches.
The system index must complete an initial scan of a PC. Following the initial scan, any new files are indexed when the PC is idle, and these files become searchable shortly thereafter. Subsequent scans for new files or e-mail messages require a fraction of the time and PC resources to keep the index up to date.
Tool: Search Index Examiner
Passware Search Index Examiner displays all the items indexed by Windows Search. It lists all the files in the index and includes information such as the following:
- Creation and modification dates
- Author
- E-mail recipients
- Content summaries
Hidden Partitions: a logical section of a disk that is not accessible to the OS. It may contain files, folders, confidential data, or backups of the system. Windows 10 has a built-in Disk Management tool that can shrink and extend volumes, but users need a third-party solution for advanced partition management tasks.
Hidden ADS
Through an alternate data stream (ADS) on NTFS, users can hide data. An ADS can be created by running a command like notepad visible.txt:hidden.txt at a command prompt. Data can be copied into an ADS with a command like type atextfile > visible.txt:hidden2.txt. A user can copy the ADS contents out into a new file with a command like more < visible.txt:hidden2.txt > newfile.txt. The stream does not change the size that dir reports for visible.txt; on Windows Vista and later, dir /r lists the streams attached to each file.
Why is it important for an investigator to capture volatile info first during an investigation?
- Volatile information is information that is lost the moment a system is powered down or loses power.
- Usually exists in physical memory (RAM), and consists of information about processes, network connections, open files, clipboard contents. It describes the system state at a particular point in time.
- One of the first things that an investigator collects is the contents of RAM. Investigators minimize the impact of their data collection on the contents of RAM.
What is the function of a network sniffer?
To monitor network traffic, such as login credentials to other systems, or to develop a picture of what other systems are on the network and what services they are running.
What is the purpose of a browser cache?
A cache is a place to store something temporarily. The files a user requests by looking at a Web page are stored on the hard disk in a cache subdirectory under the browser directory. When the user returns to a page he/she recently looked at, the browser can get it from the cache rather than the original server, saving time and decreasing network traffic.
What are cookies?
A cookie is info that a Web site puts on a user’s hard disk so that the user’s systems can remember something about the site at a later time. Typically, a cookie records user preferences when using a particular site.
Using the Web's Hypertext Transfer Protocol (HTTP), each request for a Web page is independent of all other requests. For this reason, the Web server has no memory of what pages it has sent to a user previously or anything about a user's previous visits. The following are the directories where cache, cookie, and history information is stored for IE (Windows XP layout):
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5: Stores all IE activities of a user, including cached pages and images
C:\Documents and Settings\<username>\Local Settings\History\History.IE5: Stores browser history
C:\Documents and Settings\<username>\Cookies: Stores cookies
What is an MRU list?
Many applications maintain an MRU list: a list of the most recently used files. Within the running application, these file names generally appear at the bottom of the drop-down menu when FILE on the menu bar is selected.
The MRU list registry key:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key can contain a number of values, all of which are binary data types. The values investigators are interested in are the ones whose names are numbers and the one named MRUListEx. The numbered values contain the names of the files accessed (in Unicode), and the MRUListEx value maintains the order in which they were accessed (as DWORDs, most recent first).
The RecentDocs key also has a number of subkeys, each one being the extension of afile that was opened (.doc, .txt, .html, etc) The values within these subkeys are maintained in the same way as in the RecentDocs key: the value names are numbered, and their data contains the name of the file accessed as a binary data type.
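Decoding those two kinds of value is shown below as an added example written for these notes (not code from the original flashcards). On a live system the bytes would be read from the numbered values and the MRUListEx value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs; here they are constructed in code so the decoder runs offline. The layout assumed is the one the notes describe: each numbered value starts with the file name as a NUL-terminated UTF-16LE string (followed by shell-item data, represented here by a short constructed trailer), and MRUListEx is a list of little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF.

```python
r"""Decode the RecentDocs MRU list from raw registry value data.

Added example for these notes, not code from the original flashcards. The
sample values are constructed in code; the layout (UTF-16LE name + NUL,
then shell-item data; MRUListEx as little-endian DWORDs ending in
0xFFFFFFFF) is the one described in the notes.
"""
import struct

END_MARKER = 0xFFFFFFFF


def encode_recentdocs_value(name, trailer=b"\x14\x00\x32\x00"):
    """Build a numbered-value blob: name, UTF-16 terminator, trailing data
    (the trailer stands in for the shell item Explorer appends)."""
    return name.encode("utf-16-le") + b"\x00\x00" + trailer


def decode_recentdocs_name(blob):
    """Return the file name stored at the start of a numbered value. The
    terminator is the first 00 00 pair on a 2-byte boundary; an odd-offset
    00 00 can occur across two legitimate UTF-16 code units."""
    end = blob.find(b"\x00\x00")
    while end != -1 and end % 2:
        end = blob.find(b"\x00\x00", end + 1)
    if end == -1:
        raise ValueError("no UTF-16 terminator found")
    return blob[:end].decode("utf-16-le")


def decode_mrulistex(blob):
    """Index order, most recent first, without the end marker."""
    if len(blob) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", blob):
        if idx == END_MARKER:
            break
        order.append(idx)
    return order


def recent_docs_in_order(values, mrulistex):
    """values: {index: blob}. Names most-recent-first. An index named in
    MRUListEx with no matching value is reported as None, not dropped,
    because a missing value is itself worth noting."""
    names = {i: decode_recentdocs_name(b) for i, b in values.items()}
    return [names.get(i) for i in decode_mrulistex(mrulistex)]


# Constructed sample registry data: opened in the order 1, then 0, then 2
SAMPLE_VALUES = {
    0: encode_recentdocs_value("budget.xlsx"),
    1: encode_recentdocs_value("résumé.docx"),
    2: encode_recentdocs_value("passwords.txt"),
}
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, END_MARKER)

if __name__ == "__main__":
    for pos, name in enumerate(recent_docs_in_order(SAMPLE_VALUES, SAMPLE_MRULISTEX)):
        print(pos, name)
```

The numbered value names give no ordering on their own; only MRUListEx does, which is why the decoder reads the order from it and merely looks the names up.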
Investigators can find another MRU list in the following key:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
The RunMRU list is maintained in clear text and is more easily readable than the RecentDocs key. Entries are added to this key when a user clicks the Start button, chooses RUN, and types a command or the name of a file.
Another key:
\Software\Microsoft\internet Explorer\TypedURLs
This key maintains an MRU list of URLs that a user types into the address bar
Another key that holds MRU lists :
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
This key maintains MRU lists of files opened via Open and Save As dialogs within the Windows shell. Similar to the RecentDocs key, the OpenSaveMRU key also maintains subkeys for the specific file extensions that have been opened or saved.
What is metadata and how is it used?
Metadata is data about data: embedded electronic data not necessarily seen on a printed document. It describes various characteristics of data, including when and by whom it was created, accessed, or modified. Because it is not normally seen, users can inadvertently share confidential information when sending or providing files in electronic form.
Some examples of metadata:
- Organization name
- Author name
- Computer name
- Network name
- Hidden text or cells
- Document versions
- Template information
- Personalized views
- Nonvisible portions of embedded OLE objects
- It is important for an investigator to collect metadata, as it provides information abou the following:
- hidden info about the document
- who tried to hide, delete, or obscure the data
- correlated documents from different sources
3 types of metadata:
- descriptive- describes and identifies information resources (ex: unique identifiers, physical attributes, bibliographic attributes)
- structural- provides info about the internal structure of resources (ex: tags such as title page, table of contents, chapters, parts, errata, index)
- administrative- includes technical data on creation and quality control (ex: resolution, bit depth, color space, file format, compression, light source, owner, copyright data, copying and distribution limitations)
**Metadata in different file systems**
The most commonly known metadata about files on Windows systems are the file MAC times:
(MAC = modified, accessed, and created)
These are time stamps that refer to the time at which the file was last modified in some way (data was added to or removed from the file), last accessed (when the file was last opened), and when the file was originally created.
On the FAT file system, times are stored based on the local time of the computer system, whereas NTFS stores MAC times in Coordinated Universal Time (UTC) format, which is analogous to Greenwich Mean Time (GMT).
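An added example (not from the original notes) that decodes both on-disk formats behind the point above. A FAT directory entry stores a time stamp as two 16-bit fields in the writing system's local time with 2-second resolution, so normalizing it to UTC needs the system's time zone offset, which the analyst must supply; NTFS stores a 64-bit FILETIME counting 100-nanosecond intervals since 1601-01-01 UTC. The sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# FILETIME (NTFS, Win32) counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime: int) -> datetime:
    """Decode a 64-bit FILETIME into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def fat_to_local(fat_date: int, fat_time: int) -> datetime:
    """Decode the two 16-bit FAT directory-entry fields into a naive datetime.

    fat_date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day
    fat_time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2
    The result is in whatever local time the writing system was set to;
    FAT stores no zone information.
    """
    year = 1980 + (fat_date >> 9)
    month = (fat_date >> 5) & 0x0F
    day = fat_date & 0x1F
    hour = fat_time >> 11
    minute = (fat_time >> 5) & 0x3F
    second = (fat_time & 0x1F) * 2  # 2-second resolution: odd seconds are lost
    return datetime(year, month, day, hour, minute, second)

def fat_to_utc(fat_date: int, fat_time: int, utc_offset_hours: float) -> datetime:
    """Normalize a FAT time stamp to UTC.

    The offset is an analyst-supplied assumption about the zone the system ran
    in (e.g. recovered from the system's time zone settings), not on-disk data.
    """
    zone = timezone(timedelta(hours=utc_offset_hours))
    return fat_to_local(fat_date, fat_time).replace(tzinfo=zone).astimezone(timezone.utc)

def encode_fat(dt: datetime) -> tuple:
    """Inverse of fat_to_local, used here to build test vectors."""
    fat_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    fat_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return fat_date, fat_time

if __name__ == "__main__":
    # Constructed values: the Unix epoch as a FILETIME, and 2017-01-01 12:30:10
    # written by a system set to UTC-5.
    print(filetime_to_utc(116444736000000000).isoformat())
    d, t = encode_fat(datetime(2017, 1, 1, 12, 30, 10))
    print(fat_to_local(d, t).isoformat(), "->", fat_to_utc(d, t, -5).isoformat())
```

Two practical consequences follow: the same event recorded on a FAT USB stick and on the NTFS system drive will disagree by the zone offset until the FAT value is normalized, and a FAT time stamp can never be matched to an NTFS one more tightly than two seconds.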
Another aspect of file and directory MAC times that an investigator is interested in is the way the time stamps are displayed and changed by various move and copy actions.
The following is how time stamps are displayed and changed in the FAT16 file system:
- When a file is copied from one folder to another on the same file system, the file keeps the same modification date, but the creation date is updated to the current date and time.
- When a file is moved from one folder to another on the same file system, the file keeps the same modification and creation dates.
- When a file is copied from a FAT16 partition to an NTFS partition, the file keeps the same modification date, but the creation date is updated to the current date and time.
- When a file is moved from a FAT16 partition to an NTFS partition, the file keeps the same modification and creation dates.
The following is how time stamps are displayed and changed in NTFS:
- When a file is copied from one folder to another on the same file system, the file keeps the same modification date, but the creation date is updated to the current date/time.
- When a file is moved from one folder to another on the same file system, the file keeps the same modification and creation dates.
Viewing Metadata:
- An investigator can view some metadata by using the application that created the file. Ex: the investigator can look at the file properties in Microsoft Office or the document properties in Adobe.
- In some cases, an investigator has to use other tools to display the metadata. The following are some of the tools investigators can use: Metaviewer, Metadata Analyzer, iScrub.
Tool: Metaviewer- a utility that integrates into Windows Explorer as a shell extension. It provides access to Microsoft Office metadata and hash values.
Tool: Metadata Analyzer- a tool that analyzes Microsoft Office documents and alerts the user to any disclosure of private information.
Tool: iScrub- allows a user to view and manage metadata in documents. The user can capture the metadata and see whether it poses a security risk. The user can then also use the tool to remove any metadata from a file.
What is the difference between static analysis and dynamic analysis of an executable file?
Executable file analysis is a process of gathering info from an executable file. It is classified into two types as follows:
Static analysis: a process that consists of collecting information about and from an executable file without actually running or launching the file in any way.
Dynamic analysis: involves launching an executable file in a controlled and monitored environment so that its effects on a system can be observed and documented.
- **Documentation Before Analysis**
- full path and location of the file
- MAC time stamp
- Operating system and version
- File system
- User accounts
- IP address
- Any references to that file within the file system or registry
- Who found the file and when
Procedure for Static Analysis Process:
- Scan the suspicious file with antivirus software
- Search for strings
- Analyze PE header
- Analyze import tables
- Analyze export table
Search for strings: an investigator can run suspicious files through tools such as Strings and BinText to extract all ASCII and Unicode strings of a specific minimum length. This will help the investigator get an idea of the file's nature from the strings within the file.
PE Header Analysis: A portable executable (PE) file begins with a 64-byte structure called the IMAGE_DOS_HEADER. Its last DWORD, e_lfanew, holds the file offset of the new EXE header; that is, e_lfanew points to the location of the PE header. The structure is defined in the ntimage.h header file. An investigator can use the PEview tool to view the PE header.
Import Table Analysis: Information about DLLs and the functions accessed by an executable is maintained in the import table and the import address table of the executable file. An investigator can use tools such as PEDump and Dependency Walker to access the import table information. He/she can identify the import data directory and parse the structures to determine the DLLs and their functions. The tools also allow the investigator to spot networking code from the functions imported from the DLLs.
Export Table Analysis:
Executable files can import the functions provided by DLLs. DLLs maintain a table of available functions called an export table. An investigator can collect information about chained or cascading DLL dependencies using PEDump or Dependency Walker.
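An added example (not from the original notes, and not the code of any of the tools named above) that performs the two static-analysis steps the notes describe by hand: following e_lfanew from the IMAGE_DOS_HEADER to the PE signature and decoding the IMAGE_FILE_HEADER behind it, and extracting ASCII and UTF-16LE strings the way Strings/BinText do. The PE image it parses is a minimal constructed one; the DLL name, API name and URL inside it are made up to show what the string pass surfaces.

```python
import re
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}

def build_sample_pe() -> bytes:
    """Constructed PE fragment: DOS header, e_lfanew -> 'PE\\0\\0', COFF header,
    optional-header magic, then some bytes that look like a real binary's data."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE header at offset 0x80
    stub = (b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8).ljust(64, b"\x00")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x5F5E1000, 0, 0, 0xE0, 0x0102)
    opt_magic = struct.pack("<H", 0x10B)  # PE32 (0x20B would be PE32+)
    tail = (b"\x00" * 30 + b"kernel32.dll\x00" + b"WSAStartup\x00\x00"
            + "http://203.0.113.5/update".encode("utf-16-le") + b"\x00\x00")
    return bytes(dos) + stub + b"PE\x00\x00" + coff + opt_magic + tail

def parse_pe_header(data: bytes) -> dict:
    """Follow e_lfanew to the PE signature and decode the COFF header."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,          # link time, seconds since 1970; easily forged
        "optional_header_size": opt_size,
        "characteristics": chars,
        "dll": bool(chars & 0x2000),     # IMAGE_FILE_DLL
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
    }

def is_pe(data: bytes) -> bool:
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16-le") for s in wide_runs]

if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe_header(sample))
    for s in extract_strings(sample):
        print(repr(s))
```

Note that the ASCII pass alone would miss the URL, which is stored as UTF-16LE; both passes are needed, which is why the notes call for ASCII and Unicode strings. A header field such as the link timestamp is informative but under the author's control, so it is a lead, not evidence.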
Dynamic Analysis Process
1. Create a testing environment
2. Use virtualization tools such as Bochs, Parallels, Microsoft’s Virtual PC, Virtual Iron, and VMware
3. Start the process of testing the executable
Creating a Testing Environment
1. Run the executables to be tested on a system other than the victim system
- Do not connect the test system to the victim system through the network
- Re-install the OS after each test
- Work on a virtual platform
Collecting Information Using Tools- an investigator can gather network connectivity information using different tools:
- Use network sniffer tools to gather network connectivity information. This will help the investigator know whether the executable is attempting to communicate with a remote system or to open a port to listen for connections.
- Record TCP and UDP port activity using the Port Reporter tool
- Use the Process Monitor tool to see files and registry keys that were created or modified, and to view a timeline of activity
Dynamic Analysis Steps: The steps for actually performing dynamic analysis are as follows:
- Ensure that all monitoring tools are updated
- Ensure that all monitoring tools are configured properly
- Create a log storage location
- Prepare the executable to be analyzed
- Launch baseline phase of snapshot tools
- Enable real-time monitoring tools
- Launch the executable
- Stop real-time monitoring tools and save the data
- Launch second phase of snapshot tools and save the data
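An added example (not part of the original notes) of the baseline/second-phase snapshot idea in the steps above: record a hash and size for every file under a directory before the sample runs, record it again afterwards, and report what was created, deleted or modified. The "executable" here is replaced by constructed file edits in a scratch directory so the example runs anywhere; on a Windows analysis VM the same compare-two-snapshots approach applies to registry keys read through winreg, and the real-time tools (Process Monitor, a sniffer) fill in what happened between the two snapshots.

```python
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Record every file under root as relpath -> (sha256, size).

    Hashing content catches changes a time stamp alone would miss, including
    files whose MAC times the sample back-dated after writing them.
    """
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[rel] = (digest, os.path.getsize(full))
    return state

def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare the baseline and second-phase snapshots."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo() -> dict:
    """Run the baseline -> launch -> second snapshot sequence in a scratch
    directory, with constructed file edits standing in for the sample."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("baseline\n")
        before = snapshot(root)  # baseline phase
        # "Launch the executable": constructed side effects of a hypothetical sample.
        with open(os.path.join(sys32, "hosts"), "a") as fh:
            fh.write("203.0.113.5 update.example.com\n")  # hosts-file redirect
        with open(os.path.join(root, "Windows", "svchost32.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # dropped binary
        os.remove(os.path.join(root, "readme.txt"))  # deleted file
        after = snapshot(root)  # second phase
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the snapshot files in the log storage location created earlier in the procedure, outside the directory tree being snapshotted, or the tool will report its own output as a change.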
Describe the MD5 algorithm
Message-Digest algorithm 5 (MD5) was designed by Ron Rivest in 1991. It is a cryptographic hash function with a 128-bit hash value and is used in security applications and to check the integrity of files. MD5 is no longer collision resistant: two different files with the same MD5 hash can be produced deliberately, so it is suitable for detecting accidental corruption or matching against known-file hash sets, but not for proving that a file has not been tampered with by an adversary (SHA-256 is the usual replacement for that).
MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into 512-bit blocks (sixteen 32-bit little-endian integers); the message is padded so that its length is a multiple of 512 bits.
The padding is done as follows:
- First, a single 1 bit is appended to the end of the message.
- It is followed by as many zeros as required to bring the length of the message up to 64 bits fewer than a multiple of 512 (that is, congruent to 448 mod 512).
- The remaining 64 bits are filled with a 64-bit little-endian integer representing the length of the original message, in bits.
The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C, and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of 4 similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation.
Tool: Chaos MD5
A free MD5 generator for Windows. With this program, an investigator can generate an MD5 checksum for any file. It also generates a unique signature for each input file. The investigator can then use the MD5 checksum to check file integrity.
Tool: Secure Hash Signature Generator
Secure Hash Signature Generator generates hash signatures for the data stored on a disk drive. An investigator can use these signatures to verify data integrity. The tool is compatible with PATA, SATA, and SCSI drives. It generates MD5 (128-bit signature), SHA-1 (160-bit signature), and CRC32 (32-bit signature) hashes.
Tool: MAT-MD5
Mat-MD5 allows an investigator to check the MD5 hash for a file and compare that hash with other MD5 strings. It processes one or more files and adds the resulting MD5 value to a list. The investigator can then compare that value to any other value in the list.
Tool: MD5 Checksum Verifier
MD5 Checksum Verifier uses MD5 to check the integrity of files. With it, an investigator can create MD5 checksums and verify the files' integrity at a later time.
Recycle Bin
When a file is deleted, it is not really gone.
As a user on a system begins to delete files through the shell, a subdirectory is created for that user within the Recycler directory; that subdirectory is named with the user's security identifier (SID):
C:\Recycler\S-1-5-21-1454471165-630328440-725345543-1003
When the investigator opens the Recycle Bin from the desktop, the current user's subdirectory is automatically opened for view. Files sent to the Recycle Bin are maintained according to a specific naming convention:
D,