Doing my first assignment of a forensic computing degree.

(@artee)
Posts: 13
Active Member
Topic starter
 

Hey all,

Wondering if I could pick your brains for a moment or two.

This year I have started a forensic computing degree and, although I have been doing it since December, we really haven't done any "forensics" yet. Most of it has been talking about the job role etc.

We have now been given our first assignment (about artifacts that are left behind via online storage applications installed, used and deleted on a machine). One of the things we have been told to look at are important reg keys that are altered during this. Thing is, due to no real hands-on up until now, I'm a little unsure as to what reg keys would be the important ones.

I have done a fair bit of searching and see that this has been done before and people have listed reg keys, but they haven't really stated why they are important.

Could anyone point me in the right direction at all?

Thanks in advance.

 
Posted : 13/12/2014 8:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have done a fair bit of searching and see that this has been done before and people have listed reg keys, but they haven't really stated why they are important.

Could anyone point me in the right direction at all?

Thanks in advance.

Well, you are a bit "vague". I presume you are talking of a MS Windows OS, possibly Windows 7 or 8/8.1, and of a given (or two or more) "online storage application(s)".

Each specific "online storage application" may use (create/modify/delete) a number of specific keys in the Registry of a Windows OS, but it may well create (or fail to create) other artifacts on a system (like - say - temporary files), but as well there may be another whole set of OS originated artifacts (other registry keys, events recorded in event log, etc.) that may help in answering the commonly asked questions.

The questions asked in a forensic context are usually:

  1. WHAT has been done?
  2. WHEN has it been done?
  3. WHO did it?

So, in a nutshell, *any* item (be it a registry key, a recorded event, a deleted file, an access time to a given file, etc.) that helps directly or indirectly to answer any of the three questions is "important".

Post a link to what you actually found on the specific topic and some more details on the specific OS and program you are dealing with and likely you will have a more focused suggestion.

jaclaz

 
Posted : 13/12/2014 8:56 pm
(@athulin)
Posts: 1156
Noble Member
 

We have now been given our first assignment (about artifacts that are left behind via online storage applications installed, used and deleted on a machine). One of the things we have been told to look at are important reg keys that are altered during this. Thing is, due to no real hands on up until now, i'm a little unsure as to what reg keys would be the important ones.

The first question is, generally, which reg keys are involved at all.

As you don't state the application, no detailed answer is possible, I believe.

There's a very useful Windows tool over at SysInternals called Process Monitor, which can be used to see what registry entries a process reads, creates or modifies. You need to know how it works. Check out the SysInternals 'Learning Resources' page for related videos and webcasts. If you happen to have Honeycutt's Windows Registry Guide, there's a worked-through example of how to identify some of the registry entries used by a particular Windows utility, by making ProcMon focus on registry keys accessed by a particular process (the utility under examination), and viewing exactly what happens every time a single setting is modified.

Sandbox utilities can also be useful, but they work a bit differently. I like SandboxIE, but there are other similar tools.

 
Posted : 14/12/2014 4:23 pm
(@artee)
Posts: 13
Active Member
Topic starter
 

Hey,

Thanks for the replies. :)

I have the choice to do the assignment over as many Windows OSes as I want, so I am doing it mainly on 7 and then will run the same tests on 8.1 to compare and note any differences I come across.

The services we have been told to look at are Dropbox, Bitcasa and Cubby.

We were given the link to the SysInternals tools and told to use process explorer to get the PIDs to help us filter what the installers/uninstallers do via process monitor.

I have now installed, used and uninstalled the applications, and during each of these I have used Process Monitor and exported the results to XML format. Looking through these files in Excel is a little daunting and, as I said earlier, I am a little unsure what is important and not important as there are a fair few of them.

Could anyone guide me on how I would narrow down these results to what I'm looking for?

Thanks again.

 
Posted : 16/12/2014 7:41 pm
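Filtering the Process Monitor capture down to one PID, as the two posts above describe, can be scripted once the capture is saved as CSV. This is an added example, not code from the thread or from Sysinternals; it assumes the default Procmon CSV column names and uses a constructed capture of a fictitious installer (PID 1234):

```python
"""Narrow a Process Monitor CSV export down to one process's registry writes.
Added example, not code from the thread or from Sysinternals; assumes the default
Procmon CSV export columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail."""
import csv
import io

# Operations that change registry state; reads (RegOpenKey, RegQueryValue, ...) are noise here.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue", "RegRenameKey"}
# Autostart locations: a write under one of these means the program arranged to run at logon.
AUTOSTART = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")

# Constructed sample export (fictitious installer, PID 1234) in the Procmon CSV layout.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:22:01.0000000 PM","Installer.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Read"
"8:22:01.0000010 PM","Installer.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleApp","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\\Program Files\\ExampleApp\\app.exe"
"8:22:01.0000020 PM","Installer.exe","1234","RegCreateKey","HKCU\\Software\\ExampleApp","SUCCESS","Desired Access: All Access"
"8:22:01.0000030 PM","Installer.exe","1234","RegSetValue","HKCU\\Software\\ExampleApp\\InstallPath","SUCCESS","Type: REG_SZ, Length: 50, Data: C:\\Program Files\\ExampleApp"
"8:22:02.0000000 PM","explorer.exe","888","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx","SUCCESS","Type: REG_BINARY, Length: 8"
"8:22:03.0000000 PM","Installer.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ, Length: 20, Data: Windows 7"
"8:22:04.0000000 PM","Installer.exe","1234","RegSetValue","HKCU\\Software\\ExampleApp\\Missing","NAME NOT FOUND",""
"""

def registry_writes(csv_text, pid=None, process_name=None):
    """Successful registry writes as (path, operation, detail), optionally restricted
    to one PID (e.g. taken from Process Explorer) or one process name."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        if pid is not None and row["PID"] != str(pid):
            continue
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        hits.append((row["Path"], row["Operation"], row["Detail"]))
    return hits

def autostart_writes(writes):
    """Subset of writes landing under a Run/RunOnce key: persistence worth noting in the report."""
    return [w for w in writes if any(marker in w[0] for marker in AUTOSTART)]

if __name__ == "__main__":
    for path, op, detail in registry_writes(SAMPLE_CSV, pid=1234):
        print(f"{op:13} {path}  {detail}")
```

Point it at a real export by reading the file into `registry_writes` instead of `SAMPLE_CSV`; the `autostart_writes` subset is the first thing to check when the question is what the installer left behind.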
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have now installed, used and uninstalled the applications, and during each of these I have used Process Monitor and exported the results to XML format. Looking through these files in Excel is a little daunting and, as I said earlier, I am a little unsure what is important and not important as there are a fair few of them.

No.
Meaning that *somehow* you are probably "logging too much", and probably you are also logging (no offence intended) the wrong way. :?

When it comes to the Registry (and to the Registry alone), any program will behave as follows:

  1. the installer will modify or add a few (a handful, sometimes tens, rarely hundreds) of hives/keys
  2. the program during its use will modify a few (a handful, sometimes tens, rarely hundreds) of hives/keys
  3. the uninstaller will delete/remove or revert to default the large majority of the above, like 90% or more.

So what remains afterwards (i.e. what is the essence of the question) should be limited in quantity.

Try another approach (of course you need to install from scratch each time in a VM; I hope that this is what you are doing): try comparing snapshots of the Registry taken before (brand new install) and after (i.e. after having installed, used and uninstalled the program under exam):
http://code.google.com/p/regshot/
http://sourceforge.net/projects/regshot/

jaclaz

 
Posted : 16/12/2014 7:56 pm
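The before/after snapshot comparison jaclaz describes, as an added example that is not part of the thread and not Regshot's code: it diffs two .reg exports (constructed here for a fictitious app) the way Regshot's report does, which is where the leftover artifacts show up.

```python
"""Regshot-style diff of two .reg exports taken before and after a test run.
Added example, not code from the thread or from Regshot; assumes both snapshots came
from "reg export" (Windows Registry Editor Version 5.00 text format)."""

# Constructed snapshots of a fictitious app: "before" is the clean VM, "after" the same VM
# after install, use and uninstall. Raw strings keep the .reg backslashes untouched.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"
"""
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="ExampleApp.Document"

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallPath"="C:\\Program Files\\ExampleApp"
"LastUser"="johndoe@example.com"
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, value = line.partition("=")  # names containing '=' would need a real parser
            keys[current][name.strip('"')] = value
    return keys

def diff_reg(before, after):
    """Regshot-style report: keys and values added, deleted or modified between snapshots."""
    report = {k: [] for k in ("keys_added", "keys_deleted", "values_added", "values_deleted", "values_modified")}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b is None:
            report["keys_added"].append(key)
            report["values_added"] += [f"{key}\\{n}" for n in a]
        elif a is None:
            report["keys_deleted"].append(key)
            report["values_deleted"] += [f"{key}\\{n}" for n in b]
        else:
            report["values_added"] += [f"{key}\\{n}" for n in a if n not in b]
            report["values_deleted"] += [f"{key}\\{n}" for n in b if n not in a]
            report["values_modified"] += [f"{key}\\{n}: {b[n]} -> {a[n]}" for n in b if n in a and b[n] != a[n]]
    return report
```

On the constructed snapshots the report shows the orphaned `HKCU\Software\ExampleApp` key (with the account name the client was signed in with) and a `.txt` file association still pointing at the uninstalled program; on a real pair of exports the same sections are the short list of leftovers the assignment asks about.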
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Hi BMonkey,

I would recommend taking the approach of:

1) Create a document and save it as "Key Words"

Keep this document open and add to it as you discover words of interest that one might want to search the entirety of the evidence for.

Examples in your case might be "DropBox", "SkyDrive", "johndoe@gmail.com", "John Doe"

You will come across important clues as your analysis proceeds and you need to maintain at least one document that tracks key, or important, words, terms and phrases.

2) Identify user accounts on the machine. Windows machines will have SIDs for each account.

(http://en.wikipedia.org/wiki/Security_Identifier)

An easy way to do this is to import the forensic image into FTK Imager and look at the SIDs listed in under the Recycle Bin.

You will want to identify the Relative ID (the last digits of the SID) that relates to the user account you are investigating. The RID will most likely be "1001" in your example.

* A tool I enjoy using, Windows Event Explorer, allows one to search and filter by SIDs. This technique allows one to just view actions taken by a specific user account.

3) Build a timeline

Create an Excel file and call it "Master Timeline". You will cut and paste key evidence you find into this timeline report in chronological order. You will be pulling evidence from different tools, so aggregating key evidence into one timeline report will be very helpful to your analysis.

I recommend you download and try PassMark's OSForensics tool. I believe there is a demo version that is free for 30 days.

First, mount the forensic image as a virtual drive (using FTK Imager), then point OSForensics at the mounted drive and run OSForensics' "Recent Activity" module.

OSForensics does a wonderful job of creating a chronology of, for example, a user booting up a laptop, searching for the term "dropbox", navigating to the DropBox website, downloading the DropBox local install files, installing Dropbox, uninstalling DropBox.

You can also use Autopsy (The SleuthKit) to build a timeline of activity and compare the Autopsy timeline to the OSForensics timeline.

Once you determine which online storage service you think was used, and the dates you see it being interacted with, then you can perhaps focus in on specific registry keys as needed.

4) Run a Key Word search

If you have used OSForensics or Autopsy to create a full text searchable index of your evidence, you can run a search of your key word list you have built up and then look at the key word responsive hits for further clues.

Good luck!

 
Posted : 16/12/2014 9:50 pm
(@deltron)
Posts: 125
Estimable Member
 

SANS Cheat Sheets FTW: http://digital-forensics.sans.org/community/cheat-sheets

This one may help you:
http://digital-forensics.sans.org/media/poster_fall_2013_forensics_final.pdf

 
Posted : 18/12/2014 12:25 am
(@artee)
Posts: 13
Active Member
Topic starter
 

Try another approach (of course you need to install from scratch each time in a VM; I hope that this is what you are doing): try comparing snapshots of the Registry taken before (brand new install) and after (i.e. after having installed, used and uninstalled the program under exam):
http://code.google.com/p/regshot/
http://sourceforge.net/projects/regshot/

jaclaz

Thanks everyone for the replies. :D

Jaclaz, yeah, I have VMs running for all three pieces of software. RegShot seems like it could be a great help as it does all the comparing etc. for me, so it saves me having to go through all the lines in the Excel sheets.

Most of us are struggling with this as we have had no hands-on with anything like this. Due to this we are assuming he only wants the very basic information on anything we find on artifacts left behind whilst using the software and any security that could hinder any forensic analysis.

 
Posted : 18/12/2014 7:04 pm