
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 5 Lab

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Mount the dblake sample image as in Lab 2

Windows and Linux

By the way

Note that you should do any necessary tool downloading from your host system rather than your SIFT Kit, unless, of course, you've applied all recommended current security updates.

Hands-on Extraction & Analysis (1)

1. Thumbnails: vinetto
2. Link Files: Tzworks LNK Parsing Utility - lp; Joachim Metz - lnkinfo
3. Win7 Jumplists: Tzworks Jump List Parser - jmp (download)
4. Prefetch files: Tzworks Prefetch Parser - pf; Harlan Carvey - pref.pl

Linux Thumbs.db Analysis

Run vinetto on the Thumbs.db file from the xp_dblake.dd folder /Documents and Settings/Donald Blake/My Documents/My Pictures (the path contains spaces, so it must be quoted):

mkdir /tmp/thumb
vinetto -o /tmp/thumb "/mnt/windows_mount_2/Documents and Settings/Donald Blake/My Documents/My Pictures/Thumbs.db"

Examine the output, and the extracted results in /tmp/thumb.

Optional: Windows Thumbs.db analysis

Drag & drop the same thumbs.db file onto Windows File Analyzer on your desktop

Linux Link File Analysis

Examine all the .lnk files under the xp_dblake.dd folder /Documents and Settings/Donald Blake/Recent using lnkinfo command lines such as the following (quote the path because of the spaces):

lnkinfo "/mnt/windows_mount_2/Documents and Settings/Donald Blake/Recent/Blue Harvest Business Plan v1.doc"

Optional: Windows Link File Analysis

Two things to try:

1. Drag & drop a LNK file onto Windows File Analyzer on your desktop
2. Download & install the current version of the Tzworks link parsing utility from http://www.tzworks.net/download_links.php

Linux Jumplist Analysis

My sample images are XP. I extracted the Jumplists from another workstation (my daughter's laptop) for analysis. Extract the files from jumplists.zip and have at it! Download the command-line jmp utility (Win or Linux) from http://tzworks.net/download_links.php. Jumplists are normally located in two folders under the profile's AppData:

%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\[AppID].automaticDestinations-ms
%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\[AppID].customDestinations-ms

jmp <Destinations filename> > results.txt

Optional Windows Jumplist Analysis

Double-click on Jumplister on your Windows SIFT Kit desktop

Load up various destinations files one by one
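The two sections above (link files and jump lists) both come down to the same binary structure: every .lnk file begins with the 76-byte ShellLinkHeader from MS-SHLLINK, and the LNK streams inside an AutomaticDestinations-ms file (and the records concatenated in a CustomDestinations-ms file) begin with that same header. The parser below is an added example written for this lab; it is not part of the handout and not the code of lnkinfo, lp or jmp. It decodes the header fields those tools print first: the target's creation/access/write FILETIMEs as recorded when the link was written, the target size, and the LinkFlags that announce which optional structures follow. The sample LNK header it builds is constructed (the 2012-01-19 timestamp and 34816-byte target size are made up); run it with file paths to parse real .lnk files from the Recent folder.

```python
"""Parse the fixed ShellLinkHeader (MS-SHLLINK 2.1) of a Windows .lnk file.

Added example for this lab, not the handout's code and not lnkinfo/lp/jmp.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags bits (MS-SHLLINK 2.1.1); only the low byte is decoded here
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList",
    0x02: "HasLinkInfo",
    0x04: "HasName",
    0x08: "HasRelativePath",
    0x10: "HasWorkingDir",
    0x20: "HasArguments",
    0x40: "HasIconLocation",
    0x80: "IsUnicode",
}


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO-8601, or None when zeroed."""
    if ft == 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def datetime_to_filetime(dt):
    """Inverse of filetime_to_iso; used only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk_header(data):
    """Return the header fields of a .lnk file as a dict; raise ValueError if it is not a Shell Link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIME,
    # FileSize, IconIndex, ShowCommand, HotKey (the 10 reserved bytes are skipped)
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon_index, show_cmd, hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("HeaderSize/CLSID mismatch: not a Shell Link")
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "target_attributes": attrs,
        "target_created": filetime_to_iso(ctime),
        "target_accessed": filetime_to_iso(atime),
        "target_modified": filetime_to_iso(wtime),
        "target_size": fsize,
        "show_command": show_cmd,
    }


def build_sample_lnk():
    """Constructed sample: header only (body omitted), describing a 34816-byte target."""
    stamp = datetime_to_filetime(datetime(2012, 1, 19, 14, 30, 0, tzinfo=timezone.utc))
    flags = 0x01 | 0x02 | 0x08 | 0x80  # IDList + LinkInfo + relative path + Unicode strings
    header = struct.pack("<I16sIIQQQIIIH", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         stamp, stamp, stamp, 34816, 0, 1, 0)
    return header + b"\x00" * 10  # Reserved1/2/3


if __name__ == "__main__":
    # Usage: python lnk_header.py "/mnt/.../Recent/Blue Harvest Business Plan v1.doc.lnk" ...
    paths = sys.argv[1:]
    for path in paths:
        with open(path, "rb") as fh:
            print(path, parse_lnk_header(fh.read()))
    if not paths:
        print("constructed sample:", parse_lnk_header(build_sample_lnk()))
```

The CLSID check is what separates a real Shell Link from a renamed file: a .lnk whose first 20 bytes do not carry HeaderSize 0x4C and the Shell Link CLSID is not something lnkinfo will parse either. Note that the three timestamps describe the target, not the link file itself; the link file's own MACB times come from the file system.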


Linux Prefetch Analysis

Use pref.pl to examine the entire prefetch folder on the xp_dblake.dd image:

pref.pl -d /mnt/windows_mount_2/WINDOWS/Prefetch

Use pref.pl to examine each prefetch file created on Jan 19th:

pref.pl -f /mnt/windows_mount_2/WINDOWS/Prefetch/LOGON.SCR-151EFAEA.pf -p -i

Optional: Windows Prefetch Analysis

Three things to try:

1. You can drag & drop individual prefetch files onto Windows File Analyzer (it only understands a small minority of artifacts)
2. Double-click Prefetch Parser, tell it where to find the prefetch files to be analyzed, give it a newly created folder to store its results in, and hit "Parse prefetch files"
3. Download & install the current version of the Tzworks prefetch parser from http://www.tzworks.net/download_links.php (command line tool)

Sample commands:

C:\Users\SANSForensics408\Desktop\pf32.v.0.98.win\pf -v F:\[root]\WINDOWS\Prefetch\LOGON.SCR-151EFAEA.pf

dir c:\windows\prefetch\*.pf /b /s | C:\Users\SANSForensics408\Desktop\pf32.v.0.98.win\pf -pipe -v -csv > results.csv

-pipe: take the file list from dir on stdin; -v: output all artifacts; -csv: output in CSV format (view with Excel)
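Both the Linux (pref.pl) and Windows (pf) steps above read the same SCCA header at the start of every .pf file. The script below is an added example written for this lab; it is not the handout's code and not pref.pl or the Tzworks pf tool. It recovers the fields those tools print first: the executable name, the path hash that forms the file name (NAME-HASH.pf, as in LOGON.SCR-151EFAEA.pf), the last-run FILETIME and the run count, for version 17 (XP/2003, last-run at 0x78 and run count at 0x90) and version 23 (Vista/7, at 0x80 and 0x98). scan_prefetch_dir() is the "every file run on Jan 19th" step done over a whole folder. The sample .pf files it writes are constructed (header only, no section data); the 151EFAEA hash is taken from the lab's own file name, and NOTEPAD.EXE with a zero hash is made up.

```python
"""Read Windows Prefetch (.pf) headers and list the files last run on a given day.

Added example for this lab, not the handout's code and not pref.pl or pf.
"""
import os
import struct
import sys
import tempfile
from datetime import date, datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# SCCA version -> (offset of last-run FILETIME, offset of run count, header length)
LAYOUT = {17: (0x78, 0x90, 0x98), 23: (0x80, 0x98, 0xF0)}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build constructed samples."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return header fields of one .pf file; raise ValueError on non-SCCA data or an unknown version."""
    if len(data) < 0x98:
        raise ValueError("too short for a prefetch header")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError("not a version 17/23 SCCA prefetch file")
    off_time, off_count, _ = LAYOUT[version]
    name_raw = data[0x10:0x10 + 60]  # executable name: UTF-16LE, NUL-terminated, 60-byte field
    exe_name = name_raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    name_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run = filetime_to_datetime(struct.unpack_from("<Q", data, off_time)[0])
    run_count = struct.unpack_from("<I", data, off_count)[0]
    return {
        "version": version,
        "exe_name": exe_name,
        "expected_filename": "%s-%08X.pf" % (exe_name, name_hash),
        "last_run": last_run,
        "run_count": run_count,
    }


def scan_prefetch_dir(directory, on_date=None):
    """Parse every .pf in directory; keep only those last run on on_date (a datetime.date) if given."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".pf"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                info = parse_prefetch(fh.read())
            except ValueError:
                continue  # truncated or non-prefetch file; worth a look but not parseable here
        if on_date is None or info["last_run"].date() == on_date:
            info["file"] = name
            hits.append(info)
    return hits


def build_sample_prefetch(exe_name, last_run, run_count, version=17, name_hash=0x151EFAEA):
    """Constructed header-only sample (section data omitted); not a real prefetch file."""
    off_time, off_count, length = LAYOUT[version]
    buf = bytearray(length)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, length)
    name = exe_name.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, name_hash)
    struct.pack_into("<Q", buf, off_time, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, off_count, run_count)
    return bytes(buf)


def demo_scan(on_date=date(2012, 1, 19)):
    """Write two constructed samples to a temp dir and return those last run on on_date."""
    samples = {
        "LOGON.SCR-151EFAEA.pf": build_sample_prefetch(
            "LOGON.SCR", datetime(2012, 1, 19, 8, 5, tzinfo=timezone.utc), 7),
        "NOTEPAD.EXE-00000000.pf": build_sample_prefetch(
            "NOTEPAD.EXE", datetime(2012, 1, 20, 9, 0, tzinfo=timezone.utc), 2,
            version=23, name_hash=0),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, blob in samples.items():
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(blob)
        return scan_prefetch_dir(tmp, on_date)


if __name__ == "__main__":
    # Usage: python pf_scan.py /mnt/windows_mount_2/WINDOWS/Prefetch [YYYY-MM-DD]
    if len(sys.argv) > 1:
        day = date.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else None
        rows = scan_prefetch_dir(sys.argv[1], day)
    else:
        rows = demo_scan()
    for r in rows:
        print(r["file"], r["exe_name"], r["last_run"].isoformat(), "runs=%d" % r["run_count"])
```

Comparing expected_filename with the actual file name is a cheap consistency check: a .pf whose embedded name and hash do not match its file name was renamed or planted, which is exactly the kind of anomaly a manual pass with pref.pl -f on one file at a time would miss. The last-run date filter only sees the most recent execution in version 17/23 files, so a program run on Jan 19th and again later will not appear under Jan 19th.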


Questions?

