Notifications

Clear all

File Pattern Question

Coax · 2012-09-05T17:58:27Z

Posting this because I'm running short on ideas on my current investigation and hopefully one of you wonderful people could point me to somewhere I haven't thought of looking.The background of this case is standard corporate theft. Guy leaves the company for greener pastures but is suspected of having plundered the network shares for information (it's always the same isn't it roll ). I took the image , loaded it up in AccessData FTK and I extracted a timeline using the log2timeline tool within SIFT Workstation. Operating System is Windows XP.Going through the timeline I notice 5 moments in time during the last working week of this user , where each time hundreds upon hundreds of entries get created in one of the index.dat files .They either point to the temp folder or the network share where some very confidential stuff resides. I included two of the typical entries FTK parsed from the index.dat file(I replaced username and the filename on the network drive by something bogus)URL2012052820120604 username@file///C/Documents and Settings/username/Local Settings/Temp/{B207B3ED-0F74-4893-B998-4258D99443C3}.html accessed time 5/06/2012 53952 +0000 modified time 29/05/2012 115017 +0000 checked time 30/11/1993 124701 +0000 expiration time 15/08/2011 155256 +0000 hits 1 use counts 0 URL2012052820120604 username@file///L/Confidential Folder/Confidential File.doc accessed time 5/06/2012 53952 +0000 modified time 29/05/2012 95513 +0000 checked time 30/11/1993 124701 +0000 expiration time 11/06/2003 144648 +0000 hits 1 use counts 0 So there are about 2000 of these entries in index.dat for each moment in time. This happens about 5 times during the last week, often outside regular business hours. All 2000+ entries always have the same "accessed" timestamp. I interpreted this as a file copy from the network via the laptop to somewhere else.Am I making the right assessment here ? What do these entries pointing to the network drive and the Temp folder mean ? What is my next move ?

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Coax 13 years ago

14 Posts

7 Users

0 Reactions

1,038 Views

RSS

Coax

(@coax)

Active Member

Joined: 14 years ago

Posts: 10

Topic starter 06/09/2012 7:52 pm

Nothing noteworthy in the shellbags.

I'm just curious…what tool did you use to parse and present this information?

I used RegRipper and the NTUSER plugin.

Meanwhile , thanks for the suggestions !

I don't have any access to the network share but I'm in close contact with the IT guy from our contractor.
I'm going to ask him if he has logging enabled.

There is breakthrough however as I went back and went through the USB devices again and it looks like I missed one the last time around oops What does it mean that it doesn't have a VID or PID ? This is the output of the USBDeviceForensics tool

Vendor Ven_USB
Product Prod_Flash_Disk
Version Rev_2.00
Serial No 6&15f7d341&0
VID
PID
ParentIdPrefix 7&1c442b92&0
Drive Letter
Volume Name
GUID 7beb28c6-cab2-11de-a4c6-028037ec0200
MountPoint STORAGE#RemovableMedia#7&1c442b92&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Install Date/Time
First Time Connected After Last Reboot (DeviceClasses Date/Time) friday june 15 2012 072307 Z (UTC)
First Time Connected After Last Reboot (Enum\USB VIDPID Date/Time) monday january 1 0001 000000 Z (UTC)
Last Time Connected (MountPoints2 Date/Time) friday june 15 2012 072329 Z (UTC) (File NTUSER.DAT)

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

06/09/2012 9:24 pm

I'm just curious…what tool did you use to parse and present this information?

I used RegRipper and the NTUSER plugin.

I don't follow. RegRipper doesn't have a "NTUSER" plugin, per se….there's an NTUSER profile which contains a list of plugins to be run against the NTUSER.DAT hive. So, I'd be interested to know which plugin, specifically, you used to retrieve the shellbag information from the NTUSER.DAT…that will be helpful to know.

What does it mean that it doesn't have a VID or PID ?

I'm not really sure that's the question to be asking. I'd suggest that it might be better to understand where the tool is getting it's data…that might more directly address the issue. I think that a specific device not having a VID or PID value isn't so much the issue, because it really depends on how the tool you're using populates that data. There's enough information in that tool output that you could go through the Registry hives and determine everything you need to know to close the loop on that analysis.

ReplyQuote

pbobby

(@pbobby)

Estimable Member

Joined: 16 years ago

Posts: 239

07/09/2012 12:53 am

The shellbag plugin for Regripper doesn't parse shellbags from XP (NTuser.dat). Only bag information from usrclass.dat (i.e. vista and higher).

ReplyQuote

Coax

(@coax)

Active Member

Joined: 14 years ago

Posts: 10

Topic starter 07/09/2012 1:16 am

You are right. I have not looked at the shellbags. Will do that now !

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
261 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed