Determine application responsible for temp files

13 Posts
4 Users
0 Reactions
1,154 Views
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
Topic starter  

I have a large number of hash hits in a case I'm working found in the \users\<username>\AppData\Local\Temp\ directory. Is there any way to determine which application placed these files here?

OS is Windows 7.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

There are several things you can try…

First, what are the contents of the files? You mentioned hashes…of images or EXE files? I'd take a look at the contents of the files themselves and see if I can find any indications that might point to a specific application.

Another place to look (b/c this is Win7) is Prefetch files:
http://windowsir.blogspot.com/2012/03/prefetch-analysis-revisited.html

Prefetch file analysis can be very useful. What you would want to look for is indications within the module strings embedded within the Prefetch files of paths to the files in question, or just the directory.

Finally, I'd strongly recommend that you create a timeline of system activity, with heavy emphasis on user activity. If it were me, I would be particularly interested in program execution of any kind…not just the contents of the UserAssist subkey values, but also things like AppCompatCache (Mandiant refers to this as "shim cache"), MUICache entries for the user, shellbags (provide an indication of folders accessed by the user), Direct* key entries, Java deployment cache index (*.idx) files, etc. I would also include web history, as well…although that can become very cumbersome, it might prove to be extremely valuable. What I would look for in the timeline, once it was created, is any activity that occurred immediately prior to the files in question being created on the system.

I've had to do this sort of analysis several times myself, and found that a timeline can make this stuff just fall into place.

HTH.


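The Prefetch check described in the post above, as an added example that is not part of the thread and is not one of the posters' tools: a small Python reader for the uncompressed Windows 7 (format version 23) Prefetch layout that pulls the executable name, last-run time and run count from the header and then searches the embedded module strings for paths under the user's AppData\Local\Temp folder. The field offsets are assumptions of this example taken from the publicly documented format, and the sample Prefetch bytes (executable name, paths, hash and timestamp) are constructed for illustration, not taken from any real system.

```python
"""Minimal reader for Windows 7 (format version 23) Prefetch files."""
import struct
from datetime import datetime, timedelta, timezone

# Layout of the uncompressed version-23 Prefetch file used by Windows 7.
# The field positions are assumptions of this example, taken from the
# publicly documented format rather than from anything in the thread.
HEADER_SIZE = 84
FILE_INFO_OFFSET = HEADER_SIZE          # file-information section follows the header
FILE_INFO_SIZE = 156
OFF_FILENAME_STRINGS = FILE_INFO_OFFSET + 0x10
OFF_FILENAME_SIZE = FILE_INFO_OFFSET + 0x14
OFF_LAST_RUN = FILE_INFO_OFFSET + 0x2C
OFF_RUN_COUNT = FILE_INFO_OFFSET + 0x44
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample file."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return executable name, hash, last-run time, run count and module strings."""
    version, signature, _unknown, _size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a Prefetch file")
    if version != 23:
        raise ValueError("only the Windows 7 (version 23) layout is handled here")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (prefetch_hash,) = struct.unpack_from("<I", data, 76)
    (str_off,) = struct.unpack_from("<I", data, OFF_FILENAME_STRINGS)
    (str_size,) = struct.unpack_from("<I", data, OFF_FILENAME_SIZE)
    (last_run,) = struct.unpack_from("<Q", data, OFF_LAST_RUN)
    (run_count,) = struct.unpack_from("<I", data, OFF_RUN_COUNT)
    # The filename-strings section is a run of NUL-terminated UTF-16LE paths.
    blob = data[str_off:str_off + str_size].decode("utf-16-le")
    return {
        "exe": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "filenames": [s for s in blob.split("\x00") if s],
    }


def paths_under(parsed, directory_fragment):
    """Module strings that reference a directory, compared case-insensitively."""
    frag = directory_fragment.upper()
    return [f for f in parsed["filenames"] if frag in f.upper()]


def build_sample_prefetch():
    """Constructed FIREFOX.EXE Prefetch file; paths, hash and times are invented."""
    names = [
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE",
        r"\DEVICE\HARDDISKVOLUME1\USERS\JDOE\APPDATA\LOCAL\TEMP\Q4-FORECAST.XLSX.PART",
        r"\DEVICE\HARDDISKVOLUME1\USERS\JDOE\APPDATA\LOCAL\TEMP\CONTRACT.PDF",
    ]
    strings = "".join(n + "\x00" for n in names).encode("utf-16-le")
    str_off = HEADER_SIZE + FILE_INFO_SIZE
    header = struct.pack("<I4sII", 23, b"SCCA", 0x11, str_off + len(strings))
    header += "FIREFOX.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x3A6B9C1D, 0)          # hash, unknown
    info = bytearray(FILE_INFO_SIZE)
    struct.pack_into("<I", info, 0x10, str_off)
    struct.pack_into("<I", info, 0x14, len(strings))
    last_run = datetime(2013, 5, 14, 9, 30, tzinfo=timezone.utc)
    struct.pack_into("<Q", info, 0x2C, datetime_to_filetime(last_run))
    struct.pack_into("<I", info, 0x44, 7)
    return header + bytes(info) + strings


if __name__ == "__main__":
    parsed = parse_prefetch(build_sample_prefetch())
    print(parsed["exe"], parsed["hash"], parsed["last_run"], parsed["run_count"])
    for path in paths_under(parsed, "\\APPDATA\\LOCAL\\TEMP\\"):
        print("  references", path)
```

Against a real case you would point parse_prefetch at the bytes of each .pf file under \Windows\Prefetch and run paths_under with the Temp directory from the hash hits; a module string naming that directory ties the executable to files there, and the last-run time gives the timeline anchor. Windows 8.1 and later compress Prefetch files, so this reader is deliberately limited to the Windows 7 layout the thread is about.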
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
Topic starter  

Thanks for the quick reply. I will look into the prefetch files and see about a timeline. Time is short to finish this, so I'm not sure I'm going to get to the timeline.

However, I did look at the files again. I had overlooked the fact that many of them are .part files–even though they are a complete download of the original file. The user has Firefox installed, and I think Firefox creates .part files when downloading. I'll need to research under what circumstances these are stored in AppData\Local\Temp. My guess is when the files are opened from within Firefox–as opposed to being downloaded and saved first.

This is an intellectual property theft case. Mostly PDF and Excel files with a few Word docs thrown in for good measure.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Time is short to finish this, so I'm not sure I'm going to get to the timeline.

That's interesting…I have always found timelines to be the best use of time, particularly when time is short.


Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
Topic starter  

What tool do you use to create the timeline? I've found timelines in EnCase are too cumbersome to deal with.

Although maybe I'm changing my opinion. I did see Firefox was in use at the time these files were placed in Temp.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What tool do you use to create the timeline? I've found timelines in EnCase are too cumbersome to deal with.

My understanding of EnCase is that the timelining capability applies only to file MACE times.

I use my own process, as outlined in Chapter 7 of "Windows Forensic Analysis Toolkit 3/e".


Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
Topic starter  

I appear to be behind the times. I only have the second edition. Ordering 3E now.

Thanks again for your help. I think I have what I need for this case now, but I'll look at the timeline method you recommend for future cases.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Timelines are a valuable and powerful analysis technique, but they are dependent upon a couple of things…

For one, you really have to have a handle on the context of the data that you're adding to a timeline. I've created timelines using nothing more than portions of IIS web logs and file system metadata…for a SQL injection case, that was all that was needed, and provided me with something of a .bash_history file of what occurred.

In other instances, you may want to incorporate much more data, as you may not have a specific footprint that you're looking for. In such cases, including the LastWrite times of all Registry keys along with specific Registry value data can prove to be extremely valuable, and I've seen this time and time again.

Timelines provide context to what you're looking at…take your original question, for example. A single file, or just a couple of files on a system really don't have much context other than their content and location. However, add other information to the timeline, and you begin to see which user was logged in, what they were doing (i.e., web surfing), and you not only begin to develop that context, but you also begin to build your relative level of confidence in the data itself. What I mean by that is that there are "issues" on Windows systems, not only that some time stamps are easily mutable, but others are not updated through normal user activity. The more sources of information we have to corroborate a specific event, the more likely that event is to have occurred at the time in question.

Right now, there is one primary means for creating timelines that most folks are familiar with…log2timeline, endorsed by SANS. I use my own tools not because I don't like log2timeline, but because I prefer a modicum of control as to the data that gets added to the timeline. For example, I can modify a single tool to provide more visibility or granularity in the data added to the timeline, without having to update/recompile an entire framework. One of the things I've done recently is add an alerting capability to some of the tools (Prefetch file parser, RegRipper, etc.) to provide indications of those things that I've found in previous engagements. Also, separate tools allow me to focus on an area (Prefetch files, Java deployment cache index files, etc.) and limit the actual scope of the data that goes into the timeline. I don't always want everything dumped into a timeline in an automated fashion…and some of the more publicly available tools don't get 'everything'.


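The multi-source timeline approach argued for above, as an added example that is not code from any poster in this thread: several artifact sources (file system creation times, Prefetch last-run times, Registry key LastWrite times and web history) are normalized into one record type, sorted into a single timeline, and then pivoted on the creation of the Temp files to list the activity immediately before they appeared. The five-field pipe-delimited output layout is an assumption of this example, and every record, host name, user name, path and URL below is constructed for illustration rather than taken from a real case.

```python
"""Multi-source timeline with a pivot on the creation of the files of interest."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True, order=True)
class Event:
    """One normalized timeline entry; sorting is by time first."""
    time: datetime
    source: str
    host: str
    user: str
    description: str


def ts(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed records standing in for parsed artifacts from one host; none of
# these come from a real case.
FILESYSTEM = [  # (creation time, path)
    ("2013-05-14 09:31:12", r"C:\Users\jdoe\AppData\Local\Temp\Q4-FORECAST.xlsx.part"),
    ("2013-05-14 09:31:40", r"C:\Users\jdoe\AppData\Local\Temp\CONTRACT.pdf"),
    ("2013-05-14 11:05:03", r"C:\Windows\Temp\setup.log"),
]
PREFETCH = [  # (last run time, executable, run count)
    ("2013-05-14 08:55:10", "EXCEL.EXE", 12),
    ("2013-05-14 09:30:00", "FIREFOX.EXE", 7),
]
REGISTRY = [  # (LastWrite time, key)
    ("2013-05-14 09:29:58", r"NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"),
]
WEB_HISTORY = [  # (visit time, URL)
    ("2013-05-14 09:30:45", "https://intranet.example/finance/Q4-FORECAST.xlsx"),
    ("2013-05-14 09:31:30", "https://intranet.example/legal/CONTRACT.pdf"),
]


def build_timeline(host, user):
    """Normalize every source into Event records and sort them into one timeline."""
    events = []
    for t, path in FILESYSTEM:
        events.append(Event(ts(t), "FILE", host, user, f"Created {path}"))
    for t, exe, count in PREFETCH:
        # Prefetch is system-wide, so it carries no user attribution of its own.
        events.append(Event(ts(t), "PREFETCH", host, "", f"{exe} executed (run count {count})"))
    for t, key in REGISTRY:
        events.append(Event(ts(t), "REG", host, user, f"LastWrite {key}"))
    for t, url in WEB_HISTORY:
        events.append(Event(ts(t), "WEB", host, user, f"Visited {url}"))
    return sorted(events)


def events_before(timeline, needle, window=timedelta(minutes=5)):
    """Events inside `window` before the first event whose description contains `needle`."""
    target = next(e for e in timeline if needle in e.description)
    return [e for e in timeline if target.time - window <= e.time < target.time]


def to_line(event):
    """Pipe-delimited five-field line (assumed layout): epoch|source|host|user|description."""
    return "|".join([str(int(event.time.timestamp())), event.source,
                     event.host, event.user, event.description])


if __name__ == "__main__":
    timeline = build_timeline("WS-042", "jdoe")
    print("Activity immediately before the .part file appeared:")
    for event in events_before(timeline, "Q4-FORECAST.xlsx.part"):
        print(" ", to_line(event))
```

The point of the pivot is corroboration: on the constructed data the UserAssist LastWrite, the FIREFOX.EXE Prefetch last-run time and a web visit to the same document all land in the five minutes before the .part file was created, which is the kind of agreement between independent sources that the post above describes as building confidence in each timestamp.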
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

For timelines, I use log2timeline (already part of SIFT), or 4n6time, which is new but quite capable from the little I have played with it.

Since you already have a suspicion that it is Firefox, I wouldn't bother with a timeline yet. I would take a test VM, do various tests with Firefox, and see if you can create analogous files on your own. Why waste the step of making a timeline if you may already have the answer?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

For timelines, I use log2timeline (already part of SIFT), or 4n6time, which is new but quite capable from the little I have played with it.

You're correct, log2timeline is quite capable, but you also have to be aware of what it does not provide, as well. Relying solely on log2timeline, you could be missing critical pieces of information (Jump Lists, Java *.idx contents, specific Registry data, etc.).

Since you already have a suspicion that it is Firefox, I wouldn't bother with a timeline yet. I would take a test VM, do various tests with Firefox, and see if you can create analogous files on your own. Why waste the step of making a timeline if you may already have the answer?

"Waste the step"?

Creating a timeline is very easy, and requires MUCH less effort than would be required to set up a VM and then work through various scenarios in a trial-and-error fashion, in an attempt to recreate/replicate the files in question.

"Do various tests" sounds a little open-ended, while "create a timeline" is much more definitive.

