ESCForensics
Friday, November 30, 2012
Timeline Analysis
Log2timeline 0.65 on Windows 7 with Strawberry Perl
Install Strawberry Perl 5.16.2.1 from http://strawberryperl.com.
Open a command prompt and past the following into it to install the additional perl modules log2timeline needs:
cpan DateTime Date::Manip XML::LibXML Carp::Assert Digest::CRC Data::Hexify Image::ExifTool File::Mork DateTime::Format::Strptime Parse::Win32Registry HTML::Scrubber Mac::PropertyList XML::Entities
**Note, run this command a few times to make sure that everything installed correctly, if it did you should see the following results.
C:\Users\matt>cpan DateTime Date::Manip XML::LibXML Carp::Assert Digest::CRC Data::Hexify Image::ExifTool File::Mork DateTime::Format::Strptime Parse::Win32Registry HTML::Scrubber Mac::PropertyList XML::Entities
CPAN: CPAN::SQLite loaded ok (v0.202)
Database was generated on Sun, 02 Dec 2012 09:01:35 GMT
CPAN: Module::CoreList loaded ok (v2.76)
DateTime is up to date (0.78).
Date::Manip is up to date (6.37).
XML::LibXML is up to date (2.0012).
Carp::Assert is up to date (0.20).
Digest::CRC is up to date (0.18).
Data::Hexify is up to date (1.00).
Image::ExifTool is up to date (9.04).
File::Mork is up to date (0.3).
DateTime::Format::Strptime is up to date (1.52).
Parse::Win32Registry is up to date (1.0).
HTML::Scrubber is up to date (0.09).
Mac::PropertyList is up to date (1.38).
XML::Entities is up to date (1.0001).
Download log2timeline_0.65 from http://code.google.com/p/log2timeline/ and extract it.
Once its extracted, cd into the log2timeline_0.65 directory that was just created and delete the file lib/Log2t/input/pcap.pm
Create a file named install.bat in the log2timeline_0.65 directory and put the following commands in it:
xcopy /S lib\Parse\* c:\strawberry\perl\lib\Parse\
mkdir c:\strawberry\perl\lib\Log2t
xCopy /s lib\Log2t\* c:\strawberry\perl\lib\Log2t\
Copy lib\Log2Timeline.pm c:\strawberry\perl\lib\Log2Timeline.pm
Copy log2timeline c:\strawberry\perl\site\bin\log2timeline.pl
Copy l2t_process_old c:\strawberry\perl\site\bin\l2t_process.pl
Copy timescanner c:\strawberry\perl\site\bin\timescanner.pl
Run the install.bat you just created from inside your log2timeline_065 directory.
Once its finished you should have a working copy of log2timeline on your Windows system.
You can now just run "log2timeline.pl" from a command prompt and feed it some date, for instance Evidence files collected from TriageIR.
See the following for basic instruction on using Rob Lee's Color Excel Template for analyzing your timeline.
http://computer-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
Friday, November 9, 2012
Analyzing Thumbcache
In Windows XP/2000, when a user viewed files as thumbnails in Windows
Explorer, Windows would create a hidden system file named Thumbs.db in
that directory and store a thumbnail-sized graphic in JPG format of each
of the files, keeping the original name and file extension. Generally
speaking if you found a Thumbs.db file in a folder it would correspond
to images that where viewed as thumbnails in that folder...barring any
tampering that a user may have done, eg. copying a Thumbs.db from a
different folder to that folder, etc. Also, generally speaking, by
checking the Security properties of the Thumbs.db you could tell by the
Owners of the file, who the file was tied to.
As seen using Eric Kutcher's ThumbsViewer These files could be of forensic importance in that even if a user had deleted the actual incriminating files from the directory, the contents of the Thumbs.db file would be left behind unless specifically "cleaned" by a user with something like CCleaner, or by deleting the actual Thumbs.db file itself.
Starting with Windows Vista, Microsoft switched from using directory level Thumbs.db database files to storing image thumbnails in a single folder structure which holds individual files that track all the viewed items, based on the icon size selected. Thumbcache files are directly tied to each user, storing the files in the following directory:
\Users\%username%\AppData\Local\Microsoft\Windows\Explorer
This directory contains following files:
thumbcache_idx.db
thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
thumbcache_sr.db
The thumbnails stored in Thumbcache db files in are stored in various formats, for example original.jpg will be stored as a .jpg and original.png will be stored as .png, but do not retain the original name, instead being renamed with a Unicode string, called a ThumbnailCacheID. This time we'll use Eric Kutcher's Thumbcache Viewer to view the same set of images as above in our XP Thumbs.db file from a Windows 7 Thumbcache db. Notice the difference in the selected "FileNames" even though they are the exact same image on both system.
Unfortunately, there is no information in the Thumbcache db that can easily link thumbnails with original file names or locations. One way we can do this is to use Windows Search (Windows.edb) database, which can be found at C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb on Windows 7. Windows.edb stores the ThumbnailCacheID as part of its metadata for indexed files. We can view Windows.edb database file contents using Woanware's EseDbViewer.
First, a quick side note. Many times when trying to access a Windows.edb file you've taken from a forensic image you will get an error trying to open it indicating that the file is corrupt. To fix this issue, use the Windows built-in command esentutil with the /p option and pointing it at the Windows.edb file you want to fix. Occasionally, I've had to run this command more than once to get it to fix the file.
Once its fixed, open it in EseDbViewer, selecting Generic Mode.
We are interested in the Table named SystemIndex_0A so select that one.
Next we are going to export this selected table to csv output so that we can search it easily. Once it has been exported, open it in Excel and you can now search for the ThumbCacheID value of the specific image you are interested in. Note, there are numerous fields exported and there may be a lot of empty entries in your csv file as not all indexed files contain the same metadata. For our example we can see from the image above in Thumbcache Viewer that the image we are interested in had been renamed to 7fa896b6df7fc307.jpg so we want to search for the string 7fa896b6df7fc307. I use a simple Find for that string in my excel file and find the following entry (with a great deal of extra information removed so we only see what is important for this example).
.jpg IrfanView JPG File file:C:/Users/mattylp/Pictures/size2_4e79a01ca167b.jpg 7fa896b6df7fc307
The Windows.edb file shows me this was type .jpg, the registered viewer for it on the system was IrfanView, the original filepath and name were C:/Users/mattylp/Pictures/size2_4e79a01ca167b.jpg and its ThumbCacheID is 7fa896b6df7fc307. Note, this filename is exactly the same as the filename which we had when we looked at this image in our Windows XP Thumbs.db file.
As seen using Eric Kutcher's ThumbsViewer These files could be of forensic importance in that even if a user had deleted the actual incriminating files from the directory, the contents of the Thumbs.db file would be left behind unless specifically "cleaned" by a user with something like CCleaner, or by deleting the actual Thumbs.db file itself.
Starting with Windows Vista, Microsoft switched from using directory level Thumbs.db database files to storing image thumbnails in a single folder structure which holds individual files that track all the viewed items, based on the icon size selected. Thumbcache files are directly tied to each user, storing the files in the following directory:
\Users\%username%\AppData\Local\Microsoft\Windows\Explorer
This directory contains following files:
thumbcache_idx.db
thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
thumbcache_sr.db
The thumbnails stored in Thumbcache db files in are stored in various formats, for example original.jpg will be stored as a .jpg and original.png will be stored as .png, but do not retain the original name, instead being renamed with a Unicode string, called a ThumbnailCacheID. This time we'll use Eric Kutcher's Thumbcache Viewer to view the same set of images as above in our XP Thumbs.db file from a Windows 7 Thumbcache db. Notice the difference in the selected "FileNames" even though they are the exact same image on both system.
Unfortunately, there is no information in the Thumbcache db that can easily link thumbnails with original file names or locations. One way we can do this is to use Windows Search (Windows.edb) database, which can be found at C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb on Windows 7. Windows.edb stores the ThumbnailCacheID as part of its metadata for indexed files. We can view Windows.edb database file contents using Woanware's EseDbViewer.
First, a quick side note. Many times when trying to access a Windows.edb file you've taken from a forensic image you will get an error trying to open it indicating that the file is corrupt. To fix this issue, use the Windows built-in command esentutil with the /p option and pointing it at the Windows.edb file you want to fix. Occasionally, I've had to run this command more than once to get it to fix the file.
Once its fixed, open it in EseDbViewer, selecting Generic Mode.
We are interested in the Table named SystemIndex_0A so select that one.
Next we are going to export this selected table to csv output so that we can search it easily. Once it has been exported, open it in Excel and you can now search for the ThumbCacheID value of the specific image you are interested in. Note, there are numerous fields exported and there may be a lot of empty entries in your csv file as not all indexed files contain the same metadata. For our example we can see from the image above in Thumbcache Viewer that the image we are interested in had been renamed to 7fa896b6df7fc307.jpg so we want to search for the string 7fa896b6df7fc307. I use a simple Find for that string in my excel file and find the following entry (with a great deal of extra information removed so we only see what is important for this example).
.jpg IrfanView JPG File file:C:/Users/mattylp/Pictures/size2_4e79a01ca167b.jpg 7fa896b6df7fc307
The Windows.edb file shows me this was type .jpg, the registered viewer for it on the system was IrfanView, the original filepath and name were C:/Users/mattylp/Pictures/size2_4e79a01ca167b.jpg and its ThumbCacheID is 7fa896b6df7fc307. Note, this filename is exactly the same as the filename which we had when we looked at this image in our Windows XP Thumbs.db file.
Subscribe to:
Posts (Atom)