Digital Forensics Lecture 6: Application Analysis
Current, Relevant Topics
• HP's private investigators fraudulently used the identities of the victims to get login credentials to access online telephone records without authorization.
• Title 18 Section 1030(a)(4) – felony!
• "The investigation resulted in unauthorized use of AT&T's computer systems by third-party investigators to gain access to the phone records of seven board members, nine reporters, and two HP employees. While such techniques fall under the broad category of deception to gain information, or 'pretexting,' computer crime statutes clearly define the activity as unauthorized access, or 'hacking.' The investigators also tailed several directors and reporters and sent forged documents to one reporter that would phone home the Internet address of anyone to whom the reporter forwarded the document." (Robert Lemos, SecurityFocus, 2006-09-22)
This Week's Presentations
• Moses Schwartz: Email Analysis – Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis
Next Week's Presentations
• Kelcey Tietjen: Wireless Network Traffic
• David Burton: Collection and Analysis of Network Traffic
• David Burton: Network Devices: Routers, Switches, … (EC)
Lecture Overview
• Application Analysis Overview
• E-mail
• Web Browsers
• Microsoft Word
• Portable Document Format
• Tools et cetera
[Figure: investigative process flow: Legal/Policy, Preparation, Collection, Analysis, Findings/Evidence, Reporting/Action]
Module 1: Application Analysis Overview
Types of Hidden Application Data
• Metadata – information about a file or its contents that the software stores inside the file
• Hidden Data – content the author or editors add to a file that is not displayed in some circumstances
• Really Hidden Files – files Explorer will not show at all; you can only find them from a DOS/command prompt, and only if you know where to look
Module 2: E-mail – What data may be found?
What can be found?
• Sender
• Date / Time
• Subject
• Communication Path
• Contents
Client-based E-mail
• MS Outlook PST – ReadPST converts the PST into RFC-compliant UNIX mail
• MS Outlook Express – readDBX extracts the contents of DBX files into RFC-compliant UNIX mail
  (ReadPST and readDBX are available from SourceForge)
• UNIX E-mail – grep expressions against the plain-text mail file
Client-based E-mail (cont.)
• Netscape Navigator – grep expressions against the plain-text mail file
• AOL – proprietary format: PFC
  – E-mail Examiner, EnCase, FTK
  – FTK decodes the e-mail archive and retrieves e-mail and other information such as favorites
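As an added example (not part of the lecture slides), the following Python pulls the fields listed under "What can be found?" out of one message in the RFC-compliant UNIX mail that ReadPST/readDBX produce, using only the standard library. The sample message, its hosts, addresses and IDs are constructed for illustration. It also walks the Received headers to reconstruct the communication path, which the slides name but do not show how to read.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: one RFC 2822 message as it appears in a UNIX mbox file
# (e.g. the output of ReadPST or readDBX). All hosts, addresses, IDs are made up.
SAMPLE_MESSAGE = b"""\
From alice@example.org Tue Sep 19 16:15:22 2006
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.com (Postfix) with ESMTP id 4C1B2D3E4F;
\tTue, 19 Sep 2006 10:15:22 -0600
Received: from workstation7.example.org (workstation7.example.org [198.51.100.7])
\tby mx2.example.net with SMTP id 1GPs9M-0003xp-00;
\tTue, 19 Sep 2006 10:15:20 -0600
From: "Alice" <alice@example.org>
To: bob@example.com
Subject: Q3 board minutes
Date: Tue, 19 Sep 2006 10:15:19 -0600
Message-ID: <20060919161519.GA1234@workstation7.example.org>

Bob, the minutes are attached. Please keep them confidential.
"""

# "from <host> ... by <host>" inside a single Received header.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_message(raw: bytes) -> dict:
    """Extract sender, date/time, subject, communication path and contents."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_name, sender_addr = parseaddr(str(msg["From"] or ""))
    # Every relay prepends its own Received header, so the top one is the last
    # hop before delivery. Reverse them to read the path origin -> destination,
    # and collapse the folded whitespace so each hop is one line.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    body = msg.get_body(preferencelist=("plain",))
    return {
        "unixfrom": msg.get_unixfrom(),          # mbox envelope line, if any
        "sender": sender_addr,
        "sender_name": sender_name,
        "date": parsedate_to_datetime(str(msg["Date"])),
        "subject": str(msg["Subject"]),
        "path": hops,
        "body": body.get_content() if body is not None else "",
    }


def relay_chain(hops):
    """Reduce Received headers to (from_host, by_host) pairs, origin first."""
    chain = []
    for hop in hops:
        m = HOP_RE.search(hop)
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain


def chain_is_consistent(chain) -> bool:
    """Each hop's 'by' host should be the next hop's 'from' host. A break
    suggests a forged, rewritten or stripped Received header."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


if __name__ == "__main__":
    info = parse_message(SAMPLE_MESSAGE)
    for key in ("sender", "date", "subject"):
        print(f"{key:8}: {info[key]}")
    for frm, by in relay_chain(info["path"]):
        print(f"  {frm} -> {by}")
    print("chain consistent:", chain_is_consistent(relay_chain(info["path"])))
```

Only the Received headers added by relays you trust are evidence; anything below the first trusted hop was written by the sender's side and can say whatever the sender wants, so the consistency check is a screening heuristic, not proof of origin.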
Web-based E-mail
• Yahoo – recover e-mail from the Internet cache: files that contain the rendered HTML that was on screen
  – ShowFolder – lists subject lines, sender alias, message dates, and sizes
  – ShowLetter – an opened e-mail
  – Compose – the e-mail to which the user is replying, before any modification is done; search for
    input type=hidden name=Body value=
Web-based E-mail (cont.)
• Hotmail – use the same tools to find information in the cached files
  – Hotmail
  – doaddress
  – getmsg – the e-mail message
  – compose
  – calendar
  – search for /cgi-bin/dasp/E?N?/?hotmail_+#+.css
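Added example (not from the slides): the hidden-field search described for the Yahoo Compose page, done two ways over a constructed cached page. A proper HTML parse when the cache file is intact, and a byte-level regex for partial or truncated cache entries where a parser would give up. The page content, the addresses and the field names Body/To/Subj are all made up for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a cached webmail "Compose" page: the message being
# replied to sits in a hidden form field. Content and addresses are made up.
SAMPLE_CACHE_PAGE = """<html><body>
<form method="post" action="/ym/Compose">
<input type="hidden" name="Body" value="--- jsmith@example.com wrote:&#10;&gt; Deck is attached, do not forward.">
<input type="hidden" name="To" value="jsmith@example.com">
<input type="hidden" name="Subj" value="Re: board deck">
<input type="hidden" name=".crumb" value="a1b2c3">
<textarea name="Body"></textarea>
</form></body></html>
"""

# Byte-level fallback for damaged cache files: the slide's
# "search for input type=hidden name=Body value=" as a regex.
RAW_BODY_RE = re.compile(rb'name=["\']?Body["\']?\s+value=["\']?((?:[^"\'>]|\\.)*)', re.I)


class HiddenFieldExtractor(HTMLParser):
    """Collect every <input type=hidden> as (name, value) pairs."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            # HTMLParser has already decoded &gt; / &#10; in attribute values.
            self.fields.append((a.get("name", ""), a.get("value", "")))


def hidden_fields(page: str):
    p = HiddenFieldExtractor()
    p.feed(page)
    p.close()
    return p.fields


def recover_draft(page: str, field: str = "Body"):
    """Hidden draft/quoted body from an intact rendered Compose page, else None."""
    return next((v for n, v in hidden_fields(page) if n == field), None)


def recover_draft_raw(blob: bytes):
    """Same search over raw bytes; works on a truncated cache entry, but the
    value comes back undecoded (entities such as &gt; are left as-is)."""
    m = RAW_BODY_RE.search(blob)
    return m.group(1).decode("latin-1") if m else None


if __name__ == "__main__":
    print(recover_draft(SAMPLE_CACHE_PAGE))
    print(recover_draft_raw(SAMPLE_CACHE_PAGE.encode()[:130]))
```

The same extractor applies to the Hotmail compose page; only the field names differ, which is why they are a parameter rather than hard-coded.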
Module 3: Web Browsers – What metadata and hidden data may be found?
Web Browsers – Internet Explorer
• Cookies\index.dat – audit trail for installed cookies
• Local Settings\History\History.IE5\index.dat – history for the last day IE was used
• Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat – history rollup for older usage
• Local Settings\Temporary Internet Files\Content.IE5\index.dat – audit trail for cached files
• UserData\index.dat – audit trail for automatic Windows accesses to the Internet
NOTE: these paths are relative to C:\Documents and Settings\<username>\
Pasco (Foundstone) converts the index.dat data into a tab-delimited format.
Web Browsers – Internet Explorer Cookies
• Cookies\index.dat – audit trail for installed cookies
• Fields of metadata
  – SITE – URL that the cookie came from
  – VARIABLE – name stored in the cookie
  – VALUE – value stored
  – CREATION TIME – time of cookie creation
  – EXPIRE TIME – time of cookie expiration
  – FLAGS – flags set for the cookie
galleta (Foundstone) converts the cookie data into a tab-delimited format.
Web Browsers – Mozilla / Firefox History
• MORK – the Mozilla history format (Mork.pl utility)
  – Windows: Application Data\Mozilla\Profiles\<profile name>\history.dat
  – Linux: ~/.mozilla/Profiles/<profile name>/history.dat
• Gives access time, number of accesses, URL
• Tools can provide more information, e.g., NetAnalysis
Web Browsers – Mozilla / Firefox Cookies
• cookies.txt in the profile directory – human readable
  – web site of origin
  – variable name
  – value
  – etc.
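Added example (not the slides' own material): a parser for the Netscape-format cookies.txt the slide describes, with a constructed sample file inline. The format is one cookie per line, tab separated: domain, include-subdomains flag, path, secure flag, expiry as UNIX time (0 for a session cookie), name, value; lines beginning with # are comments. Domains, names and values in the sample are made up.

```python
from datetime import datetime, timezone

# Constructed sample cookies.txt in the Netscape format used by Mozilla.
# Domains, names, values and expiry times are made up.
SAMPLE_COOKIES_TXT = """\
# HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file!  Do not edit.

.example.com\tTRUE\t/\tFALSE\t1158710400\tSESSIONID\tabc123
mail.example.net\tFALSE\t/ym\tTRUE\t1190246400\tY\tv=1&n=xyz
.tracker.example\tTRUE\t/\tFALSE\t0\tuid\t42
"""

FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")


def parse_cookies_txt(text: str):
    """Parse Netscape-format cookies.txt into one dict per cookie.
    Malformed lines are returned as error records rather than silently dropped,
    since a hand-edited or partially overwritten file is itself a finding."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            cookies.append({"line": lineno, "error": "expected 7 tab-separated fields", "raw": line})
            continue
        c = dict(zip(FIELDS, parts))
        c["include_subdomains"] = c["include_subdomains"] == "TRUE"
        c["secure"] = c["secure"] == "TRUE"
        exp = int(c["expires"])
        # 0 means a session cookie: it had no expiry and died with the browser.
        c["expires"] = datetime.fromtimestamp(exp, tz=timezone.utc) if exp else None
        c["line"] = lineno
        cookies.append(c)
    return cookies


def cookies_valid_at(cookies, when: datetime):
    """Persistent cookies that had not yet expired at `when` (UTC-aware).
    Useful for bounding when a site was last visited: a cookie with a
    long expiry proves the visit happened no later than its write time."""
    return [c for c in cookies
            if "error" not in c and c["expires"] is not None and c["expires"] > when]


if __name__ == "__main__":
    for c in parse_cookies_txt(SAMPLE_COOKIES_TXT):
        print(c)
```

The IE cookie fields listed on the previous slide (site, variable, value, creation/expiry time, flags) map onto the same columns, so the output of galleta can be normalised into the same dict shape for side-by-side review.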
Web Browsers – Mozilla / Firefox Cache Browsing
• Make the cache read-only
• Fire up Mozilla
• Enter the URL about:cache
Web Browsers – NoTrax
• "Secure Anonymous Stand Alone Tabbed Web Browser"
• Blowfish encryption of the cache; erases the cache during and after each browser session using secure deletion methods
• Erases cookies during and after each browser session using secure deletion methods
• Erases the Windows swap file on shutdown
• No log files created
Module 4: Microsoft Word – What metadata and hidden data may be found?
MS Word
• Metadata
  – Older versions: every file name the document was saved under; run "strings -u" (Unicode strings) to get the names
  – If the document won't open, the metadata may have been modified
  – who edited the document
  – file path
  – version of Word used
  – when created
  – GUID (MAC-based) of the machine used to create it
• Hidden data
  – quick-save data: look in a binary editor, or open the document and use Undo
  – Word 97: MAC address in the PID_GUID property
  – Excel spreadsheet: when you drag data into Word you get the entire spreadsheet; change .doc to .xls and open
  – full images: when a frame is shrunken, or when the image matches the background color
• Beware of track changes
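Added example for the GUID and "strings -u" points above (not from the slides): the PID_GUID Word 97 wrote is a version-1 UUID, whose node field is the NIC MAC address and whose time field is a 100-nanosecond count from 1582-10-15. The code finds GUID strings in a byte blob whether stored as ASCII or as UTF-16LE (the reason the slide says "strings -u"), then recovers MAC and timestamp. Both the GUID value and the property-stream fragment are constructed for illustration; the MAC is made up.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed example of a _PID_GUID value (a version-1 UUID). The MAC is made up.
SAMPLE_PID_GUID = "{7b0e4d3a-47c6-11db-9a5e-00065b12ab34}"

# Constructed stand-in for a fragment of the document property stream:
# the property name as ASCII, the GUID value as UTF-16LE.
SAMPLE_STREAM = (b"\x00\x1e\x00\x00\x00_PID_GUID\x00\x00\x00"
                 + SAMPLE_PID_GUID.encode("utf-16-le") + b"\x00\x00")

GUID_RE = re.compile(rb"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")

# 100-ns intervals between the UUID epoch (1582-10-15) and the UNIX epoch (1970-01-01).
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def find_guids(blob: bytes):
    """GUID strings stored as plain ASCII or as UTF-16LE (found by dropping NULs,
    which is what 'strings -u' effectively does)."""
    found = GUID_RE.findall(blob) + GUID_RE.findall(blob.replace(b"\x00", b""))
    return sorted({g.decode("ascii").strip("{}").lower() for g in found})


def analyze_guid(text: str):
    """For a version-1 UUID, recover the generating machine's MAC address and the
    creation timestamp. Other UUID versions carry neither."""
    u = uuid.UUID(text.strip("{}"))
    if u.version != 1:
        return {"version": u.version, "mac": None, "timestamp": None}
    micros = (u.time - UUID_EPOCH_OFFSET) // 10
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=micros)
    octets = u.node.to_bytes(6, "big")
    return {
        "version": 1,
        "mac": ":".join(f"{b:02x}" for b in octets),
        # RFC 4122: a node that is not a real NIC address has the multicast bit set,
        # so a True here means the MAC cannot be tied to hardware.
        "mac_is_random": bool(octets[0] & 0x01),
        "timestamp": ts,
        "clock_seq": u.clock_seq,
    }


if __name__ == "__main__":
    for g in find_guids(SAMPLE_STREAM):
        print(g, analyze_guid(g))
```

Two caveats before treating the MAC as an identifier: the clock on the generating machine sets the timestamp, so it is only as trustworthy as that clock, and the MAC identifies a network card, not a person; it still has to be tied to a machine and a user by other evidence.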
Module 5: Portable Document Format (PDF)
PDF
• Metadata – under document properties
  – document title
  – author
  – subject
  – creation date
  – creation program
• Hidden data
  – text with the background set to the same color as the text
  – very large or very small fonts
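Added example (not from the slides): reading the document properties listed above straight from a PDF's Info dictionary, without a PDF library. The sample PDF, its author and dates are constructed for illustration. It handles the details that trip up a naive grep: escaped parentheses and hex-encoded strings, the UTF-16BE byte-order mark on text strings, the D:YYYYMMDDHHmmSS date format with its timezone suffix, and incrementally updated files, which carry more than one trailer.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF with an Info dictionary. Names and dates are made up.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<< /Title (Q3 board minutes \\(draft\\)) /Author (jsmith) /Subject (Confidential)
   /Creator (Microsoft Word 2003) /Producer (Acrobat Distiller 6.0)
   /CreationDate (D:20060919101513-06'00') /ModDate (D:20060921083000Z) >>
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key (literal string)   -- escaped \( \) \\ allowed; nested unescaped parens are not handled
LITERAL_RE = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\()])*)\)", re.S)
# /Key <hex string>       -- but not the '<<' that opens a dictionary
HEX_RE = re.compile(rb"/(\w+)\s*<(?!<)([0-9A-Fa-f\s]*)>")
PDF_DATE_RE = re.compile(
    r"^D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?(?:([Zz+-])(\d{2})?'?(\d{2})?'?)?")


def decode_pdf_string(raw: bytes) -> str:
    raw = re.sub(rb"\\([()\\])", rb"\1", raw)          # undo \( \) \\ escapes
    if raw.startswith(b"\xfe\xff"):                     # UTF-16BE text string
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")                        # PDFDocEncoding, close enough for ASCII


def parse_pdf_date(s: str):
    """D:YYYYMMDDHHmmSSOHH'mm' -> datetime (naive if no zone was given)."""
    m = PDF_DATE_RE.match(s)
    if not m:
        return None
    y, mo, d, h, mi, se, sign, oh, om = m.groups()
    tz = None
    if sign in ("Z", "z"):
        tz = timezone.utc
    elif sign:
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(se or 0), tzinfo=tz)


def pdf_info(pdf: bytes) -> dict:
    """Document properties from the Info dictionary named by the last trailer."""
    refs = INFO_REF_RE.findall(pdf)
    if not refs:
        return {}
    num, gen = refs[-1]   # incremental saves append trailers; the last one is current
    m = re.search(rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj\s*(.*?)endobj", pdf, re.S)
    if not m:
        return {}
    body = m.group(1)
    info = {k.decode(): decode_pdf_string(v) for k, v in LITERAL_RE.findall(body)}
    for k, v in HEX_RE.findall(body):
        info[k.decode()] = decode_pdf_string(bytes.fromhex(re.sub(rb"\s", b"", v).decode()))
    for k in ("CreationDate", "ModDate"):
        if k in info:
            info[k] = parse_pdf_date(info[k]) or info[k]
    return info


if __name__ == "__main__":
    for k, v in pdf_info(SAMPLE_PDF).items():
        print(f"{k:13}: {v}")
```

Two things this deliberately does not do, because they are separate finds: it does not read the XMP metadata stream (/Metadata), which can disagree with the Info dictionary, and it does not look at earlier trailers, whose superseded Info objects may still be present in an incrementally saved file and can preserve an author name or title the last save removed.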
Module 6: Tools, et cetera
Tools & Claims
• SecretExplorer – locates web form autocomplete data for IE, passwords for web sites, Outlook account and identity passwords, dial-up passwords
• Document Inspector – searches for hidden content: comments, revisions, versions, annotations, document properties, personal information, XML data, headers, footers, watermarks, hidden text
Tools & Claims, cont.
• Document Detective – searches for and removes hidden data: color-on-color text, thumbnails, bookmarks, very large or small images, very large or small fonts in MS Word, Excel, and PowerPoint
• snipurl.com/3osw – deletes hidden text and comments
• rhdtool (Microsoft's Remove Hidden Data add-in) – Office 2003 tool to strip all metadata
File Formats
• How do we find file format information for (proprietary) files?
  – Wotsit: http://www.wotsit.org/search.asp
Module 7: IRC
IRC (Internet Relay Chat)
• Many platforms – Amiga, Atari, BeOS, Java, Unix, Windows, PalmOS, OS/2, Mozilla, etc.
  – Over 150 different client programs
  – mIRC advertised for Windows
• Network application
• IRC Proxies
IRC
• Channels – listed or unlisted
• DCC – Direct Client Connection
  – private communications
  – file exchanges
  – bypasses the IRC server, so there is little evidence on the server
IRC
• Log files – usually user-configured
  – the browser cache can also contain IRC-related info
• Identify IRC clients
• Network information
  – routes, connections
  – port 6667 (the default, but it can be anything)
• Tools
  – msgsnarf
  – Knoppix
  – DataGrab – LE, now obsolete
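Added example (not from the slides) for the DCC and network-information points above: because DCC bypasses the server, the only record of a transfer is the CTCP request that set it up, which passes through the server as an ordinary PRIVMSG and so shows up in msgsnarf output or a packet capture. The request carries the offering client's IP address as a 32-bit integer and a port that is rarely 6667. The traffic lines, nicks, hosts and addresses below are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample IRC protocol lines, as msgsnarf or a packet capture would
# show them. Nicks, hosts and addresses are made up.
SAMPLE_LINES = [
    ":alice!~alice@198.51.100.7 PRIVMSG #chat :anyone around?",
    ":alice!~alice@198.51.100.7 PRIVMSG bob :\x01DCC SEND minutes.zip 3325256711 6667 48213\x01",
    ":bob!bob@203.0.113.9 PRIVMSG alice :\x01DCC CHAT chat 167772165 31337\x01",
    ":alice!~alice@198.51.100.7 PRIVMSG bob :\x01DCC SEND \"board deck.pdf\" 3325256711 50000 900000\x01",
]

# :nick!user@host PRIVMSG target :\x01DCC SEND|CHAT <arg> <ip-as-integer> <port> [size]\x01
DCC_RE = re.compile(
    r'^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :'
    r'\x01DCC (?P<type>SEND|CHAT) (?P<arg>"[^"]*"|\S+) (?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01$'
)


def parse_dcc(line: str):
    """Decode one DCC SEND/CHAT request, or return None for any other line."""
    m = DCC_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # DCC sends the offering client's IPv4 address as a decimal 32-bit integer.
    d["ip"] = str(ipaddress.IPv4Address(int(d["ip"])))
    d["port"] = int(d["port"])
    d["size"] = int(d["size"]) if d["size"] else None
    d["arg"] = d["arg"].strip('"')           # file name (SEND) or the word "chat" (CHAT)
    # Only meaningful when the server showed the host as an IP literal: a mismatch
    # means the client is behind NAT or an IRC proxy, and the DCC value is the
    # address the client itself believes it has.
    d["ip_matches_host"] = d["ip"] == d["host"]
    return d


def dcc_sessions(lines):
    """All DCC requests in a capture, in order; each gives the (ip, port) pair to
    look for in netflow or firewall logs, since the transfer itself never touched the server."""
    return [d for d in map(parse_dcc, lines) if d]


if __name__ == "__main__":
    for s in dcc_sessions(SAMPLE_LINES):
        print(f'{s["nick"]} -> {s["target"]}: DCC {s["type"]} {s["arg"]!r} at {s["ip"]}:{s["port"]}'
              f' size={s["size"]} host-match={s["ip_matches_host"]}')
```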
Questions? After all, you are an investigator.