Wednesday, March 14, 2012

Case Experience #2.2 - Let the Digging Begin

The Stats

Moving on with the hypothetical scenario posted in Case Experience #2.1, let's assume that we now have Kilroy's HE laptop in our possession.  A quick look to verify what the client told you reveals that the hard drive is not fully encrypted and that the OS is Windows 7.  The OS version is important to know in any investigation, since how the OS stores information and behaves when interacting with a user varies from version to version.  (If you are new to doing Windows 7 analysis, it may be a good idea to research it before starting an investigation.  My personal favorite Win7 go-to book is Windows Forensic Analysis Toolkit 3E.)  The BIOS showed no date or time offset.  Below are a few of the artifacts that may provide information of interest in an IP theft case.  Note that they aren't listed in any particular order, other than what I felt like writing about first.

For this portion of the Case Experience, I will be using EnCase v6.18 and Jump List Parser code from Harlan Carvey.  However, many other tools can be used to look at the same areas of interest.

User's Recent Folder

The Recent folder can be a veritable treasure trove when reconstructing a user's activity.  In our case study, Kilroy's Recent folder was located here:

C:\Users\Kilroy\AppData\Roaming\Microsoft\Windows\Recent\
(Note:  Replace "Kilroy" with {User} to get the default path for any Win7 or Vista user.)

There are basically two types of artifacts of use in this location:  link files and jump lists.

Link Files
In Windows systems, when a user opens a file, a link file will be created in that user's Recent folder.  The link file will be named with the target file name, with the addition of a .LNK extension.  In EnCase, the target file path can be found in the column called "Symbolic Link."  Below is an excerpt of link files found in the Recent folder from our case study of Kilroy:

[Image not reproduced: EnCase excerpt of the link files found in Kilroy's Recent folder.]
This little snippet actually has quite a bit of information.  Apart from showing what the user accessed, link files are helpful in showing when files were accessed.  Analyzing date/time information of link files could be a whole post by itself, but let's focus on the big issues:  1) it demonstrates that Kilroy was using his company-issued computer after his termination from employment; and 2) potentially proprietary information was accessed on an external drive.  Important to an IP theft case?  You betcha.
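As an added example (not from the original post, and not EnCase or Harlan's tools), here is a small Python parser for the fixed part of a .LNK file: it pulls the three header FILETIMEs and the LinkInfo drive type/target path, then applies the two checks made above (created after termination? target on removable media?).  The termination date, volume serial and the sample link it builds are constructed placeholders, since the post gives none of those values.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
HAS_IDLIST, HAS_LINKINFO = 0x1, 0x2                               # LinkFlags bits
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft):  # FILETIME = 100ns ticks since 1601-01-01 UTC
    return _EPOCH + timedelta(microseconds=ft // 10)
def utc(*ymdhm): return datetime(*ymdhm, tzinfo=timezone.utc)

def parse_lnk(data):
    """Header timestamps (of the target, when the link was made) + LinkInfo target/drive."""
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or clsid != LNK_CLSID: raise ValueError("not a Shell Link file")
    flags, _attrs, ctime, atime, wtime = struct.unpack_from("<II3Q", data, 0x14)
    rec = {"created": filetime(ctime), "accessed": filetime(atime),
           "modified": filetime(wtime), "target": None, "drive_type": None}
    pos = 0x4C
    if flags & HAS_IDLIST:  # skip the shell item ID list (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_flags, vol_off, base_off = struct.unpack_from("<3I", data, pos + 8)
        if li_flags & 1:  # VolumeIDAndLocalBasePath present
            dtype = struct.unpack_from("<I", data, pos + vol_off + 4)[0]
            rec["drive_type"] = DRIVE_TYPES.get(dtype, f"unknown({dtype})")
            rec["target"] = data[pos + base_off:data.index(b"\0", pos + base_off)].decode("latin-1")
    return rec

def triage(data, termination):
    """Flag the two findings the post relies on: use after termination, removable media."""
    rec = parse_lnk(data)
    rec["after_termination"] = rec["created"] > termination
    rec["external"] = rec["drive_type"] == "removable"
    return rec

def build_sample_lnk(target, drive_type, when):
    """Constructed minimal .LNK (LinkInfo only, no ID list) so the demo runs offline."""
    ft = (when - _EPOCH) // timedelta(microseconds=1) * 10
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINKINFO, 0x20,
                      ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<4I", 17, drive_type, 0x1234ABCD, 16) + b"\0"  # VolumeID, fake serial
    path = target.encode("ascii") + b"\0"                             # LocalBasePath
    li = struct.pack("<7I", 28 + len(vol) + len(path) + 1, 28, 1, 28,
                     28 + len(vol), 0, 28 + len(vol) + len(path))
    return hdr + li + vol + path + b"\0" + b"\0\0\0\0"  # empty suffix + terminal block

TERMINATED = utc(2012, 1, 31)  # constructed; the post gives no termination date
SAMPLE = build_sample_lnk("E:\\Docs\\roadmap.pptx", 2, utc(2012, 2, 10, 9, 30))
```

On a real Recent folder you would feed each .LNK's bytes to triage() and sort on the created timestamp; the header times describe the target file, so corroborate them against the .LNK's own filesystem timestamps as the post does.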

Jump Lists
We found some good stuff, but we aren't done with the Recent folder just yet, because in Windows 7 this folder also contains Jump Lists.  (If you want a more detailed description of jump lists and what they are, there are multiple sites available online, including a page on the forensics wiki and this post by Harlan.)  Let's take a look at one of the JLs to see if we can find anything interesting.  Looking in the AutomaticDestinations folder, we see that there is a JL called 9c7cc110ff56d1bd.automaticDestinations-ms.  Comparing this to the Jump List IDs on the Forensics wiki, we can see that this particular jump list is associated with Microsoft Office PowerPoint 2010.  To parse the information in this file, I chose to use the jump list parser mentioned above.  The parser is written in Perl, so Perl must be installed to run the script.  In order to run the script on my Windows system against the mounted image of the system (mounted to the I: drive), I typed:

jl2.pl I:\Users\Kilroy\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9c7cc110ff56d1bd.automaticDestinations-ms > pptjlreport.txt

Opening the pptjlreport.txt shows the following information:


Given the link files that we found, this information isn't earth-shattering, but it is still a good idea to check these kinds of artifacts for a few reasons:  1) it corroborates findings from other artifacts, thus strengthening your case; 2) you may find additional information here that wasn't in the link files or other artifacts; and 3) looking in multiple locations reduces the chance of anti-forensics being successful on a case you are analyzing.   UPDATE:  I should have mentioned that one contextual addition jump lists provide is that they show not only that and when a file was opened, but also which program was used to open it.  Depending on the case, this could be of interest.  Also, Corey at JIIR has a great example of how Jump Lists provided more information than he was able to get from looking at link files.

Well, I think that is about it for now.  Stay tuned... next stop, Windows Registry!

7 comments:

  1. Thanks for referencing the JL parsing tools.

    What I like about having multiple tools available is that you can use tools like EnCase to get the broad overview of something like Jump Lists, but can use the JumpList.pm and LNK.pm modules to dig much deeper into the embedded LNK streams within the JumpList file. For example, the TrackerData block from the JumpList stream will include information about the volume that the file existed on, which is something you can use, in conjunction with further analysis (possibly USB device analysis) to uniquely identify the media where the file existed.

    1. Thank you for providing the tools! I'm still playing around with them and figuring out all the cool info they are able to pull. I'm working on making a little batch file to automate some of the work (using the Jump List IDs on the Forensics Wiki).

      Thanks again for putting out all the information! It makes my life so much better. Very cool stuff.

  2. The unfortunate thing about the App IDs is that they aren't in an easily-digestible format. All that's needed is .csv, and a little bit of coding will allow the tools to add that information to any of the scripts.

    Are you finding the Jump List analysis stuff useful? Is it beneficial?

    1. They are interesting, and I can certainly see situations where they would prove beneficial in an exam, since showing what program was used to access files (and not just that they *were* accessed) can be of interest.

      Frankly, JLs are helping me get over my mourning period of losing the MRU keys in the registry. :)

  3. Hey there, I'm still struggling to learn Win 7 with no training (my govt agency training budget is tight), so thanks for the info and links about jump lists. Good to know.

    1. Thanks for letting me know it was useful. Excited to continue reading your blog!

  4. I have written an article that you may find useful in respect of Jump List analysis.

    http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/
