Windows USB Activity Artifacts

  1. First connection time — setupapi.log (XP) or setupapi.dev.log (Vista and later) under %SystemRoot%\inf, which records the driver install the first time the device is plugged in. These timestamps are written in local time with no zone marker.
  2. First time connected after the last reboot — last-write time of the device's key under SYSTEM\ControlSet00x\Control\DeviceClasses\{GUID}.
  3. Last time connected — last-write time of MountPoints2\{Volume GUID} under Software\Microsoft\Windows\CurrentVersion\Explorer in the user's NTUSER.DAT, which also ties the volume to the account that mounted it.
Where to find Windows USB Activity Artifacts.
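Pulling the first-connection time out of setupapi.dev.log is a one-pass parse, shown here as an added example (not code from the original page). The log excerpt, device IDs and times are constructed; the only assumption about the real file is the Vista+ line shape, a ">>>  [Device Install (Hardware initiated) - <instance path>]" header followed by a ">>>  Section start <local time>" line. The example also pulls out the serial and flags Windows-generated IDs, which is the check a practitioner needs before claiming a given physical stick was plugged in.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of %SystemRoot%\inf\setupapi.dev.log (Vista and later).
# Devices, serials and times are invented for this example. The XP-era setupapi.log has a
# different layout and is not handled here.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567891234]
>>>  Section start 2012/04/15 10:22:31.456
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2012/04/15 10:22:33.110
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567891234&0]
>>>  Section start 2012/04/15 10:22:33.200
     dvi: {Build Driver List} 10:22:33.201
<<<  Section end 2012/04/15 10:22:34.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\001CC0EC34FEBB80C0000B1A&0]
>>>  Section start 2012/05/20 17:45:12.003
<<<  Section end 2012/05/20 17:45:15.220
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567891234&0]
>>>  Section start 2012/06/01 08:00:00.000
<<<  Section end 2012/06/01 08:00:01.000
<<<  [Exit status: SUCCESS]
"""

# Only hardware-initiated installs of USBSTOR devices; the parent USB\VID_... hub entry is skipped.
INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_usbstor_installs(log_text: str):
    """Map each USBSTOR instance path to the earliest 'Section start' time logged for it.
    setupapi writes naive local time, so apply the host's time zone (and its DST rules)
    before correlating with UTC sources such as the event logs."""
    first = {}
    pending = None
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            if pending not in first or ts < first[pending]:
                first[pending] = ts
            pending = None
    return first


def device_serial(instance_path: str):
    """Serial = last path component without the '&0' instance suffix. A '&' as the second
    character (e.g. 7&1a2b3c4d&0&0) means Windows generated the ID because the device
    reported no unique serial, so it cannot be matched to one physical stick across hosts."""
    serial = instance_path.split("\\")[-1].rsplit("&", 1)[0]
    unique = len(serial) > 1 and serial[1] != "&"
    return serial, unique


def usb_timeline(log_text: str):
    """(serial, has_unique_serial, first_install_local_time) rows, earliest first."""
    rows = []
    for path, ts in first_usbstor_installs(log_text).items():
        serial, unique = device_serial(path)
        rows.append((serial, unique, ts.isoformat(sep=" ")))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for serial, unique, when in usb_timeline(SAMPLE_LOG):
        print(f"{when}  {serial}  {'' if unique else '(Windows-generated ID)'}")
```

The second SanDisk install section (a driver reinstall) is ignored because the function keeps the earliest time per device; the DeviceClasses and MountPoints2 key timestamps from the list above are what you cross-check against for later connections.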

 

Posted in Computer Forensics FAQ's, Digital Forensics, Windows Forensics

General Information about Incident Response

Required Steps to Incident Response

The incident response engagement must accomplish the following objectives:

• Confirm the initial method of intrusion and its timing.
• Determine the scope of the compromise.
• Determine data loss/exposure.
• Assess compliance with PCI-DSS guidelines.
• Identify remediation steps to address the breach.

Perform the following activities to achieve these objectives:

• Meet with primary responders to understand the tasks already performed, the information collected and what sources of information were available.
• Analyze malware on compromised machines to identify additional indicators of compromise.
• Collect network logs and live response data and forensic images from key systems.
• Analyze evidence to identify attacker activities and additional indicators of compromise.
• Scan the network for indicators of compromise on servers and workstations.
• Document findings and remediation recommendations.
• Review remediation plans for appropriateness.

Attacker Techniques

sn.exe, a network sniffer used by the attackers, hunts for cardholder data with a simple string-comparison loop: a sixteen-digit number whose first digit is 3, 4, 5 or 6 and whose remaining digits are 0-9, immediately followed by ^, = or D (the field separators that follow the card number in track 1 and track 2 magnetic-stripe data).

Code obfuscation is a widely used technique that malware analysts battle on a daily basis.

Sometimes anti-virus does not flag the tools used by attackers, either because the tools have legitimate purposes, which discourages A/V vendors from adding a signature for them, or because the tools were unknown to the vendors at the time.
Many attackers use PsExec during intrusions, and many system administrators use PsExec for system maintenance, so its presence alone is not an indicator of compromise.

To assist in identifying polymorphic or packed malware on a single host, Mandiant Red Curtain can be used; to run the same entropy calculation and binary file analysis across an enterprise, Mandiant Intelligent Response (MIR) can be used. The PE header analysis features of Red Curtain are also in the MIR agent, which can additionally run some of the same checks against live memory.
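The entropy scoring those tools perform per PE section reduces to the following, given here as an added example that is not Red Curtain's or MIR's code. It walks the PE section table by hand (e_lfanew, COFF header, section headers) and scores each section's raw bytes; the 7.0 bits/byte threshold and the "UPX1" section name are assumptions for the demo, and the sample binary is a constructed PE-shaped blob, not a loadable executable.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for padding or repeated opcodes,
    near 8.0 for compressed, encrypted or packed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) from the PE section table:
    e_lfanew at 0x3C -> PE signature -> 20-byte COFF header -> optional header -> 40-byte section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # 0xE0 / 0xF0 in real binaries
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_ptr, raw_size


def section_entropy_report(pe: bytes, threshold: float = 7.0):
    """[(name, entropy, flagged)] per section; 7.0 bits/byte is a common packing threshold (assumed here)."""
    report = []
    for name, ptr, size in pe_sections(pe):
        ent = round(shannon_entropy(pe[ptr:ptr + size]), 2)
        report.append((name, ent, ent >= threshold))
    return report


def pseudo_random(n: int, seed: bytes = b"entropy-demo") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for a packed section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections) -> bytes:
    """Constructed, minimal PE-shaped blob for the demo (not loadable): MZ stub, PE signature,
    COFF header with SizeOfOptionalHeader = 0, one 40-byte header per section, then the raw data."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    body = b""
    for name, raw in sections:
        ptr = data_start + len(body)
        hdr += name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums, counts, Characteristics
        hdr += struct.pack("<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(hdr) + body


SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 256 + b"Hello from .text\0" * 16),  # plain code and strings: low entropy
    (b"UPX1", pseudo_random(4096)),                          # packed-looking payload: high entropy
])

if __name__ == "__main__":
    for name, ent, flagged in section_entropy_report(SAMPLE_PE):
        print(f"{name:8s} entropy={ent:.2f} {'PACKED?' if flagged else ''}")
```

A high-entropy section is a lead, not a verdict: legitimately compressed resources and embedded certificates score just as high, so the result belongs next to the other PE-header checks (import table size, section names, entry point outside .text) rather than on its own.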

On the Internet, hundreds or thousands of miles between attacker and victim make little difference: the distance adds only a few milliseconds of latency, so a remote attacker works as comfortably as a local one.

Attackers use certain methods to pick their target hosts:

• Run the "net view" command and use host naming conventions to guess which systems are likely to store card data (a system named CardData001 is a good place to start).
• Use tools like sn.exe to trace the path card data takes across the network from captures, and then attack the endpoints on that path.

Some analysts have observed malware that directly reads and scans process memory, sometimes only the memory of specific processes, and records cardholder or track data to a log file.
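The same pattern that sn.exe applies to packets and that a memory scraper applies to a process's address space can be turned around into detection logic: scan a buffer for a 16-digit run in track-data context, then drop anything that fails the Luhn check. This is an added example, not the original page's or the malware's code; the sample buffer and card numbers are constructed (standard test PANs), and the masking of output is a design choice, not something the page describes.

```python
import re

# Track 1 uses '^' between the PAN and the cardholder name; track 2 uses '=' between the PAN and
# the expiry ('D' is the same separator when track 2 is seen hex-decoded). The trailing separator is
# what makes a 16-digit run a strong signal rather than a counter or an order number.
TRACK_RE = re.compile(rb"(?<![0-9])([3-6][0-9]{15})([\^=D])")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most counters, IDs and timestamps do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding 10..18 to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only BIN and last four; findings and logs must never carry full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Scan any byte buffer (packet payload, process memory dump, pagefile) for track-formatted PANs
    that also pass Luhn; returns (offset, masked_pan, separator, track) tuples."""
    hits = []
    for m in TRACK_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        sep = m.group(2).decode("ascii")
        hits.append((m.start(1), mask(pan), sep, "track1" if sep == "^" else "track2"))
    return hits


# Constructed buffer mixing HTTP, swipe data and decoys, standing in for a capture or a memory dump.
SAMPLE_BUFFER = (
    b"POST /txn HTTP/1.1\r\n\r\n"
    b"%B4111111111111111^DOE/JOHN^2512101000000000000?"  # track 1, Luhn-valid test PAN
    b"\x00\x00;5555555555554444=25121010000000000?"       # track 2, Luhn-valid test PAN
    b"\x00;4111111111111112=2512101?"                      # Luhn fails: not a card
    b"\x00order-id 4242424242424242 total 12.00"           # 16 digits but no separator: no hit
    b"\x00;2222222222222222=2512?"                         # leading 2: outside the 3-6 rule
)

if __name__ == "__main__":
    for offset, pan, sep, track in find_track_data(SAMPLE_BUFFER):
        print(f"offset {offset:5d}  {pan}  sep={sep!r}  {track}")
```

Two caveats on the rule as the attackers wrote it: a strict 16-digit match misses 15-digit American Express numbers, and the 3-6 first-digit rule predates the Mastercard 2-series BINs. Widening the pattern raises the false-positive rate, which is exactly why the Luhn filter and the separator context matter when the same logic is used for detection.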

Advanced Persistent Threat (APT) attackers escalate their techniques as the victims strike back, but only far enough to stay ahead of the defenders' detection.

The APT's goal differs from that of the CDT gangs: the APT wants to get in and stay in, while the CDT usually wants to get in and get out, so the two use different tactics.

Posted in Computer Forensics FAQ's, Digital Forensics, Incident Response, Network Forensics

Mac Forensics Relevant plist Entries

Mac Forensics; Basic analysis of plist entries

Some of the common plist artifact locations for forensic analysts are listed below (~ is the user's home folder; paths without it are system-wide):

  • ~/Library/Preferences/com.apple.loginitems.plist
  • ~/Library/Preferences/com.apple.recentitems.plist
  • /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
  • /Library/Preferences/SystemConfiguration/com.apple.network.identification.plist
  • ~/Library/Preferences/com.apple.finder.plist
  • ~/Library/Preferences/com.apple.iPod.plist
  • ~/Library/Caches/Safari
  • ~/Library/Safari/
    • History.plist
    • Downloads.plist
  • ~/Library/Application Support/Firefox/Profiles
  • ~/Library/Application Support/Adium 2.0/Profiles
Posted in Computer Forensics FAQ's, Digital Forensics, Macintosh Forensics

EnCase Email Parsing

AOL organizes its PFC container in a way that has some similarities with a file system. As a result, there are two main data types: one organizes Favorites, Download Links and Emails in a tree structure (similar to MFT entries on NTFS volumes), and the other holds the Emails themselves with their content. Both kinds of record can be stored at different locations within the PFC file. What matters is that an Email with its content is usually referenced by an entry of the tree-structure data type (I call them envelopes). For deleted Emails, it is possible that their envelope gets overwritten by the envelope of another email. As a result, it is possible to find entire Email records of deleted emails that are no longer referenced by an envelope. So you might find a complete but deleted email without being able to tell in which folder the email was last stored before it was deleted. Those Emails should be collected in the Lost Content folder by EnCase, similar to the Lost Files folder on NTFS volumes.

In addition, the deletion of old emails and the storage of new ones can produce a certain amount of entry slack within the PFC file (newer emails may use fewer bytes than the previously deleted email, leaving some bytes unused at the end of the new email). The AOL software therefore maintains a slack index table with file offsets and sizes of unused blocks within each PFC file. Those unused areas within the PFC file can contain information from deleted emails, or just fragments of it. Information referenced by the slack index table should be shown in the Slack Table folder by EnCase.

Both of the above descriptions are assumptions about how EnCase handles AOL PFC files, based on my knowledge of the AOL format.

Posted in Computer Forensics FAQ's

Mac Forensics Location of Common Artifacts

OS Installation Date

•/private/var/log/OSInstall.custom (10.5)
•/private/var/db/.AppleSetupDone (10.6) – this file also contains the registration info entered by the user during initial setup

Operating System Version

•/System/Library/CoreServices/SystemVersion.plist (OS X Client)
•/System/Library/CoreServices/ServerVersion.plist (OS X Server)

Software Installation

•/Library/Receipts/InstallHistory.plist – History of installed applications and updates
•/Library/Preferences/com.apple.SoftwareUpdate.plist – Last Software Update

Current Time Zone

•/etc/localtime (symlink to the zoneinfo file for the current time zone; needed to interpret every local-time log entry) OR
•/Library/Preferences/.GlobalPreferences.plist

Auto-Login and Last Login User Info

•/Library/Preferences/com.apple.loginwindow.plist

Deleted Users

•/Library/Preferences/com.apple.preferences.accounts.plist

Home Folders

•/Users/username

Attached Media

•/Users/username/Library/Preferences/com.apple.sidebarlists.plist – history of attached media (volumes, devices, etc.) as shown in the Finder sidebar
•see our page on USB devices

File Sharing

•/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist

iPhone/iPod

•see our page on USB devices
•/Users/username/Library/Application Support/MobileSync/Backup – folder where iPhone, iPod touch and iPad backups are written during sync
•/Users/username/Library/Application Support/MobileSync/Backup/UUID/Info.plist – identifies the exact device backed up; the modification time of this file is the last time it was synced

iTunes Information

•/Users/username/Music/iTunes/ – default location for iTunes Library

User Auto-Launch Items

•/Users/username/Library/Preferences/loginwindow.plist

Network Settings

•/Library/Preferences/com.apple.alf.plist – Firewall Settings
•/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist – Airport (Wireless) Settings
•/Library/Preferences/SystemConfiguration/com.apple.nat.plist – Internet Sharing Settings
•/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist – Historical Network TCP/IP Assignments with Timestamps
•/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist – Onboard Interfaces
•/Library/Preferences/SystemConfiguration/com.apple.preferences.plist – Network Configuration for each interface

Screen Sharing

•/Users/username/Library/Application Support/Screen Sharing

Bluetooth History

•/Library/Preferences/com.apple.Bluetooth.plist

Instant Messaging

•/Library/Preferences/com.apple.iChat.AIM.plist
•/Library/Preferences/com.apple.iChat.plist
•/Library/Preferences/com.apple.iChat.SubNet.plist
•/Users/username/Library/Preferences/com.aol.aim.plist
•/Users/username/Library/Preferences/com.adiumX.adiumX.plist
•/Users/username/Library/Preferences/com.apple.iChat.AIM.plist
•/Users/username/Library/Preferences/com.apple.iChat.plist
•/Users/username/Library/Preferences/com.apple.SubNet.plist
•/Users/username/Library/Preferences/com.skype.skype.plist
•/Users/username/Library/Preferences/com.yahoo.messenger3.plist
•/Users/username/Library/Preferences/com.yahoo.messenger3.Users.screenname.plist

Peer to Peer

•/Users/username/Library/Preferences/Limewire/*

Safari

•/Users/username/Library/Safari/Bookmarks.plist – User’s Bookmarks
•/Users/username/Library/Safari/Downloads.plist – Contents of the user’s Downloads window in Safari
•/Users/username/Library/Safari/History.plist – Safari browser history
•/Users/username/Library/Safari/LastSession.plist – defines the last browsing session (window and tabs that were open)
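Reading the Safari History.plist listed here (and in the plist post earlier on this page) is mostly a matter of getting the clock right: Apple plists store times as Mac absolute time, seconds since 2001-01-01 UTC, not the Unix epoch. The following is an added example, not code from the original page; the history entries are constructed, and the file layout assumed is the pre-10.10 one (a WebHistoryDates array with the URL under the empty-string key and lastVisitedDate as a numeric string).

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac absolute time: seconds since 2001-01-01 00:00:00 UTC (978307200 seconds after the Unix epoch).
# Treating these values as Unix time places every visit 31 years too early.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(seconds) -> datetime:
    """Convert a Mac absolute timestamp (string or number, as History.plist stores it) to aware UTC."""
    return MAC_EPOCH + timedelta(seconds=float(seconds))


# Constructed stand-in for ~/Library/Safari/History.plist: one dict per URL under WebHistoryDates,
# with the URL itself stored under the empty-string key. Values are invented for this example.
SAMPLE_HISTORY = {
    "WebHistoryFileVersion": 1,
    "WebHistoryDates": [
        {"": "http://example.com/login", "title": "Example login",
         "lastVisitedDate": "339012345.5", "visitCount": 3},
        {"": "http://example.net/", "title": "Example",
         "lastVisitedDate": "339100000", "visitCount": 1},
    ],
}


def history_rows(plist_bytes: bytes):
    """Parse History.plist bytes (XML or binary; plistlib sniffs the format) into
    (utc_time, visit_count, url) rows, newest first."""
    data = plistlib.loads(plist_bytes)
    rows = []
    for item in data.get("WebHistoryDates", []):
        when = mac_absolute_to_utc(item["lastVisitedDate"])
        rows.append((when.strftime("%Y-%m-%d %H:%M:%S UTC"), int(item.get("visitCount", 0)), item[""]))
    return sorted(rows, reverse=True)


# The same file in both on-disk encodings; either may be found on a seized Mac.
XML_PLIST = plistlib.dumps(SAMPLE_HISTORY)
BINARY_PLIST = plistlib.dumps(SAMPLE_HISTORY, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for utc, visits, url in history_rows(BINARY_PLIST):
        print(f"{utc}  visits={visits:<3} {url}")
```

The same conversion applies to the numeric timestamps in the other plists listed above (network identification, Bluetooth, MobileSync Info.plist); where a plist stores a proper date object instead, plistlib returns a datetime directly and no epoch shift is needed.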

Log Files

•/private/var/log/*
•/Users/username/Library/Logs/*

Sleep File and Virtual Memory

•/private/var/vm/sleepimage
•/private/var/vm/swapfile0

Posted in Macintosh Forensics