Internet Artifacts: WK6
Course Name: CYB652
Professor: Vernon McCandlish
Date: 2/21/2015
Examiner Name: Raymond Gonzales
Page 2 of 8
Table of Contents
List of Illustrative Materials............................................................................................................ 3
Figures......................................................................................................................................... 3
Graded Lab Assessment.................................................................................................................. 4
Observations of Results and Findings......................................................................................... 4
SQLitebrowser ........................................................................................................................ 4
SQLitebrowser vs SQLiteman ................................................................................................ 5
Discussion of Results.................................................................................................................. 6
SQLitebrowser and SQLiteman.............................................................................................. 6
SQLitebrowser vs SQLiteman ................................................................................................ 7
Conclusion ...................................................................................................................................... 8
List of Illustrative Materials
Figures
Figure 1: Filtered SQLitebrowser output data for the cookies.sqlite file ....................................... 4
Figure 2: Output for the keyword “pumpkin” on the cookies.sqlite file ........................................ 5
Figure 3: Output for visit count to websites and words used for Google search ............................ 5
Figure 4: Output for values entered found on the formhistory.sqlite file ....................................... 5
Figure 5: SQLite browser output for formhistory.sqlite ................................................................. 5
Figure 6: SQLiteman output for formhistory.sqlite ........................................................................ 6
Figure 7: SQLite browser time data in epoch time ......................................................................... 6
Figure 8: Converted Epoch output date and time ........................................................................... 7
Figure 9: Converted Epoch date and time and URL visit count ..................................................... 7
Figure 10: Item View tab within the SQLiteman tool .................................................................... 7
Figure 11: BLOB Preview Window within the sqliteman tool....................................................... 8
Graded Lab Assessment
Observations of Results and Findings
To reconstruct a user's activity an examiner analyzes the cookies, formhistory, extensions,
places, webappsstore and search .sqlite files for internet artifacts. The artifacts recovered
during this investigation give the examiner insight into the activities the user performed.
Throughout the lab the examiner performed various exercises with the SQLiteman and
SQLitebrowser tools in order to become familiar with the examination capabilities of each
tool. Using each tool on several sqlite files, the examiner was able to identify internet
artifacts created by the user's previous activity. In the lab the examiner was provided with
"test.zip" and was tasked with analyzing its contents. After the examiner unzipped test.zip,
the folder "Firefox Portable" was created within the examiner's WK6 directory. Before
performing any analysis on the provided data the examiner calculated and recorded the MD5 sum
(d0e7388cf7a5b68e9b65dfdd0ba0695a) of the extracted folder. By recording the hash before the
analysis, the examiner can recompute it on completion and verify that none of the data was
altered during the investigation. Two caveats apply in practice: MD5 is collision-prone, so a
current report should record a SHA-256 alongside it, and merely opening a SQLite database in a
tool can write to it (for example by checkpointing a WAL sidecar file), so the analysis should
run on a working copy while the original is preserved together with its recorded hash.
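The hash check described above, carried out per file so that a later mismatch names the exact file that changed, as an added example in Python. This is not part of the lab's procedure or of either tool; the folder layout, file names and file contents in demo() are constructed for illustration, and a WAL sidecar appearing after analysis stands in for a tool having written to the evidence.

```python
"""Integrity manifest for an extracted evidence folder (added example).

Hashes every file under a directory before analysis, then re-hashes it
afterwards and reports each file whose digest changed, went missing or
appeared.  The sample folder built in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# MD5 (as recorded in the lab) and SHA-256 side by side: MD5 still catches
# accidental modification, but it is collision-prone, so a modern report
# should carry the SHA-256 as well.
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, streamed in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Map each file path (relative to root, POSIX form) to its digests.

    A folder cannot be hashed as a unit; hashing each file is what lets a
    later comparison say exactly which file changed.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(p for p in root.rglob("*") if p.is_file())}


def verify_manifest(root, manifest):
    """Re-hash root and return a sorted list of (relative_path, reason).

    reason is 'modified', 'missing' or 'added'; an empty list means the
    evidence is unchanged since the manifest was taken.
    """
    current = build_manifest(root)
    findings = []
    for rel, digests in manifest.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != digests:
            findings.append((rel, "modified"))
    findings.extend((rel, "added") for rel in current if rel not in manifest)
    return sorted(findings)


def demo():
    """Constructed 'Firefox Portable' folder: hash, verify, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Firefox Portable" / "profile"
        profile.mkdir(parents=True)
        (profile / "places.sqlite").write_bytes(b"SQLite format 3\x00" + b"\x00" * 64)
        (profile / "cookies.sqlite").write_bytes(b"SQLite format 3\x00" + b"\x01" * 64)

        manifest = build_manifest(profile.parent)
        clean = verify_manifest(profile.parent, manifest)

        # Simulate a tool writing to the evidence (e.g. a WAL checkpoint).
        (profile / "places.sqlite").write_bytes(b"changed")
        (profile / "places.sqlite-wal").write_bytes(b"")
        tampered = verify_manifest(profile.parent, manifest)
        return clean, tampered, manifest


if __name__ == "__main__":
    clean, tampered, manifest = demo()
    print("after extraction:", clean)
    print("after analysis:  ", tampered)
```

Run it against the real extracted folder by calling build_manifest() once before opening any file in a tool and verify_manifest() again when the analysis is finished; store the manifest with the report.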
SQLitebrowser
Using the SQLitebrowser tool the examiner examined cookies.sqlite, places.sqlite and
formhistory.sqlite for specific internet artifacts. The tool parsed the sqlite files and
displayed their contents in a human-readable grid, allowing the examiner to view and examine
the data. To filter the output the examiner selected the "Execute SQL" tab and entered SQL
queries that restrict and reshape what the tool displays. For example, entering

SELECT host, value, datetime(lastAccessed/1000000, 'unixepoch') FROM moz_cookies

in the tool's SQL window converts the lastAccessed timestamp into a human-readable date and
time, as seen in figure 1. Firefox stores lastAccessed as microseconds since the Unix epoch,
which is why the value is divided by 1,000,000 before being passed to datetime().
Figure 1: Filtered SQLitebrowser output data for the cookies.sqlite file
Using such queries to filter the .sqlite data allows the examiner to quickly search for and
identify specific internet artifacts such as website visits, keyword searches, URL details and
values entered into forms. Several queries were entered into the SQL window to isolate specific
artifacts. Examples of the resulting filtered output from the SQLitebrowser tool can be seen in
figures 2-4.
Figure 2: Output for the keyword “pumpkin” on the cookies.sqlite file
Figure 3: Output for visit count to websites and words used for Google search
Figure 4: Output for values entered found on the formhistory.sqlite file
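The queries behind figures 1, 2 and 4, run outside the GUI as an added Python example (not code from the report or from either tool). It builds constructed cookies and formhistory tables in memory using a subset of the real moz_cookies and moz_formhistory columns with invented rows, then runs the conversion query from figure 1, a "pumpkin" keyword filter as in figure 2, and the form-history listing of figure 4. It also shows the failure mode of applying the microsecond division to a column Firefox stores in seconds.

```python
"""Constructed Firefox cookie/form-history tables queried the way the lab does.

Added example: the schemas are a subset of the real moz_cookies and
moz_formhistory columns, and every row is invented for illustration.
"""
import sqlite3

US = 1_000_000    # Firefox PRTime columns hold microseconds since the epoch
T = 1424217600    # 2015-02-18 00:00:00 UTC, a convenient base time

SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER,         -- seconds since the epoch (NOT microseconds)
    lastAccessed INTEGER,   -- microseconds since the epoch
    creationTime INTEGER,   -- microseconds since the epoch
    isSecure INTEGER, isHttpOnly INTEGER);
CREATE TABLE moz_formhistory (
    id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT, timesUsed INTEGER,
    firstUsed INTEGER,      -- microseconds since the epoch
    lastUsed INTEGER);      -- microseconds since the epoch
"""
COOKIES = [  # constructed rows
    (1, "PREF", "f1=pumpkin-pie", ".google.com", "/", T + 730 * 86400,
     T * US, (T - 86400) * US, 0, 0),
    (2, "session", "abc123", "www.example.org", "/", T + 86400,
     (T + 3600) * US, (T + 3600) * US, 1, 1),
    (3, "pumpkin_user", "u=42", "recipes.example.net", "/", T + 30 * 86400,
     (T + 7200) * US, (T + 7200) * US, 0, 0),
]
FORMHISTORY = [  # constructed rows
    (1, "q", "pumpkin pie recipe", 3, (T - 86400) * US, (T + 7200) * US),
    (2, "email", "someone@example.com", 1, T * US, T * US),
]


def open_constructed_profile():
    """Return an in-memory connection holding the constructed tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?)", COOKIES)
    con.executemany("INSERT INTO moz_formhistory VALUES (?,?,?,?,?,?)", FORMHISTORY)
    return con


def cookies_with_times(con):
    """The figure-1 query, extended with the expiry column.

    lastAccessed is divided by 1,000,000 because it is in microseconds;
    expiry is already in seconds and goes to datetime() unchanged.
    """
    return con.execute("""
        SELECT host, name, value,
               datetime(lastAccessed / 1000000, 'unixepoch') AS last_accessed_utc,
               datetime(expiry, 'unixepoch')                AS expiry_utc
        FROM moz_cookies ORDER BY lastAccessed""").fetchall()


def search_cookies(con, keyword):
    """Keyword filter across host, name and value (figure 2).

    The keyword is bound as a parameter rather than pasted into the SQL
    text, so quotes in it cannot change the query.  SQLite's LIKE is
    case-insensitive for ASCII letters.
    """
    pattern = f"%{keyword}%"
    return con.execute("""
        SELECT host, name, value FROM moz_cookies
        WHERE host LIKE ? OR name LIKE ? OR value LIKE ?
        ORDER BY host""", (pattern, pattern, pattern)).fetchall()


def form_values(con):
    """Values typed into forms with first/last use converted (figure 4)."""
    return con.execute("""
        SELECT fieldname, value, timesUsed,
               datetime(firstUsed / 1000000, 'unixepoch') AS first_used_utc,
               datetime(lastUsed  / 1000000, 'unixepoch') AS last_used_utc
        FROM moz_formhistory ORDER BY lastUsed DESC""").fetchall()


def unit_pitfall(con):
    """Apply the microsecond division to a seconds column: every cookie then
    appears to expire in January 1970, the tell-tale sign of a wrong unit."""
    return con.execute("""
        SELECT datetime(expiry / 1000000, 'unixepoch') FROM moz_cookies
        ORDER BY id""").fetchall()


if __name__ == "__main__":
    con = open_constructed_profile()
    for row in cookies_with_times(con):
        print(row)
    print("pumpkin hits:", search_cookies(con, "pumpkin"))
    print("form values:", form_values(con))
    print("wrong unit:", unit_pitfall(con))
```

To use it on a real evidence copy, replace open_constructed_profile() with sqlite3.connect() on the copied cookies.sqlite or formhistory.sqlite; the queries are the same ones typed into the tools' SQL windows.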
SQLitebrowser vs SQLiteman
Within the lab the examiner was instructed to use the SQLiteman tool to process and analyze the
formhistory.sqlite file that had previously been analyzed with SQLitebrowser. The goal of using
both tools on the same sqlite data was to demonstrate the differences between them. On initial
comparison the examiner found no variance in the records returned by either tool, which is
expected: both read the same SQLite file and execute the same SQL. The biggest difference the
examiner observed was how each tool presented the output from formhistory.sqlite. SQLiteman
appeared more organized in how it presented the output and offered additional tabs and
features that SQLitebrowser did not. As seen in figures 5 and 6, SQLiteman possesses additional
features for further analysis of sqlite data that SQLitebrowser lacks.
Figure 5: SQLite browser output for formhistory.sqlite
Figure 6: SQLiteman output for formhistory.sqlite
Discussion of Results
SQLitebrowser and SQLiteman
During the lab the examiner used SQLitebrowser and SQLiteman to examine the provided sqlite
files for specific internet artifacts. Because both tools accept SQL queries, the examiner was
able to identify every artifact the lab called for: words and phrases entered into Google
searches, specific keywords, URLs visited, the visit count of each URL, and data entered into
forms, drawn from the cookies, places and formhistory sqlite files provided. This was done by
entering targeted SQL queries into each tool to filter out unnecessary data. Being able to
control the output of either tool helps the examiner analyze and process the data in a timely
manner. An example of how SQL queries assist the analysis can be seen in figure 7.
Figure 7: SQLite browser time data in epoch time
Before any conversion query is entered, both tools display the timestamp columns as raw epoch
values. Reading times as epoch values is not an efficient way to view and analyze the timing
of internet artifacts during an investigation. Applying

datetime(<column>/1000000, 'unixepoch')

to any timestamp column (lastUsed, firstUsed, etc.) converts the epoch value into a
human-readable format, as seen in figure 8. The division by 1,000,000 applies only to Firefox
columns stored in microseconds; a column stored in seconds, such as expiry in moz_cookies, must
be passed to datetime() without it, or every value collapses to a date in January 1970. The
result is in UTC; the 'localtime' modifier can be appended when the machine's time zone is
known.
Figure 8: Converted Epoch output date and time
Throughout the analysis of the provided sqlite files there were several occasions when more
than one expression was combined in a single query to display the output in the desired
format. When analyzing places.sqlite the examiner was tasked with determining how many times
specific URLs had been visited by the user. Entering

SELECT url, datetime(last_visit_date/1000000, 'unixepoch'), visit_count FROM moz_places

into the SQL window produced output with the last visit time in human-readable format
alongside the visit count for each URL, as seen in figure 9.
Figure 9: Converted Epoch date and time and URL visit count
Viewing the data in this organized form lets the examiner sort through all of it efficiently,
which can help the examiner identify other artifacts that may be relevant to the investigation.
Note that visit_count and last_visit_date only summarize each URL; the individual visits, each
with its own timestamp, are recorded in the moz_historyvisits table and can be joined to
moz_places on place_id to build a full timeline.
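As an added example (not from the report or from either tool), the following Python script builds a constructed places.sqlite in a temporary directory with invented moz_places and moz_historyvisits rows covering a subset of the real columns, opens it read-only the way an examiner should open an evidence copy, and runs the visit-count query above. It goes beyond the single query in the text by joining moz_historyvisits to produce a per-visit timeline and by extracting the search terms from Google search URLs (the q parameter), which is what figure 3 reports.

```python
"""Constructed places.sqlite: visit counts, per-visit timeline and Google
search terms, read through a read-only connection (added example; the
tables are a subset of the real Firefox schema and every row is invented)."""
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

US = 1_000_000   # visit_date / last_visit_date are microseconds since the epoch
T = 1424131200   # 2015-02-17 00:00:00 UTC

SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER, last_visit_date INTEGER, typed INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
    visit_date INTEGER,
    visit_type INTEGER);  -- Firefox transition type: 1 = link, 2 = typed URL
"""
PLACES = [  # constructed: (id, url, title, visit_count, last_visit_date, typed)
    (1, "https://www.google.com/search?q=pumpkin+pie+recipe&ie=utf-8",
     "pumpkin pie recipe - Google Search", 2, (T + 86400) * US, 1),
    (2, "https://recipes.example.net/pumpkin-pie", "Pumpkin Pie", 1, (T + 60) * US, 0),
    (3, "https://www.google.com/search?q=how+to+clear+browser+history",
     "how to clear browser history - Google Search", 1, (T + 90000) * US, 1),
    (4, "https://www.example.org/", "Example Domain", 1, (T + 93600) * US, 1),
]
VISITS = [  # constructed: (id, from_visit, place_id, visit_date, visit_type)
    (1, 0, 1, T * US, 2),
    (2, 1, 2, (T + 60) * US, 1),       # reached by a link from visit 1
    (3, 0, 1, (T + 86400) * US, 2),
    (4, 0, 3, (T + 90000) * US, 2),
    (5, 0, 4, (T + 93600) * US, 2),
]


def build_constructed_places(path):
    """Write the constructed database to path (stands in for the evidence copy)."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", PLACES)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", VISITS)
    con.commit()
    con.close()


def open_evidence(path):
    """Open the database read-only via a URI so the analysis cannot alter it.
    Copy any places.sqlite-wal / -shm sidecars with the main file, or recent
    uncheckpointed history will be missing from the copy."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def is_read_only(con):
    """Confirm the connection refuses writes."""
    try:
        con.execute("CREATE TABLE should_fail (x)")
    except sqlite3.OperationalError:
        return True
    return False


def visit_counts(con):
    """The query from the report: URL, last visit (UTC) and visit count."""
    return con.execute("""
        SELECT url, datetime(last_visit_date / 1000000, 'unixepoch'), visit_count
        FROM moz_places ORDER BY visit_count DESC, url""").fetchall()


def visit_timeline(con):
    """One row per visit, oldest first; visit_count only summarises these."""
    return con.execute("""
        SELECT datetime(v.visit_date / 1000000, 'unixepoch') AS visited_utc,
               p.url, p.title, v.visit_type, v.from_visit
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()


def google_search_terms(con):
    """(time, query) for each visit to a Google search results page."""
    rows = con.execute("""
        SELECT datetime(v.visit_date / 1000000, 'unixepoch'), p.url
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        WHERE p.url LIKE '%://www.google.%/search?%' ORDER BY v.visit_date""")
    terms = []
    for visited, url in rows:
        q = parse_qs(urlsplit(url).query).get("q")  # '+' decodes to a space
        if q:
            terms.append((visited, q[0]))
    return terms


def demo():
    """Build the evidence file, open it read-only and run the three queries."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "places.sqlite"
        build_constructed_places(str(db))
        con = open_evidence(db)
        try:
            return (visit_counts(con), visit_timeline(con),
                    google_search_terms(con), is_read_only(con))
        finally:
            con.close()


if __name__ == "__main__":
    for section in demo():
        print(section)
```

Against a real profile, point open_evidence() at the copied places.sqlite and drop build_constructed_places(); the three query functions are unchanged. A visit_type of 2 (typed) on a search for clearing browser history is the kind of detail the timeline surfaces that the aggregate visit_count query does not.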
SQLitebrowser vs SQLiteman
When comparing SQLitebrowser and SQLiteman the examiner identified several differences between
the tools. Beyond visual differences, the examiner found that SQLiteman can isolate and display
a single record's output via the "Item View" tab, as seen in figure 10.
Figure 10: Item View tab within the SQLiteman tool
An additional feature SQLiteman has that SQLitebrowser does not is the BLOB preview, as seen in
figure 11.
Figure 11: BLOB Preview Window within the sqliteman tool
BLOB is short for Binary Large OBject: a block of binary data stored as a single value in a
database. Common BLOB artifacts are images and other multimedia objects; the favicons kept in
a Firefox profile are one example. The BLOB preview lets the examiner view a rendering of the
BLOB contents instead of raw bytes.
Conclusion
After completing the analysis of the sqlite files with both tools, the examiner gained insight
into the capabilities of each. Throughout the lab the examiner exercised each tool against the
sqlite files to discover internet artifacts within them. Using the ability to enter SQL queries
in each tool, the examiner was able to identify words and phrases entered into Google searches,
URLs associated with keywords, URLs visited more than once, suspicious browsing behavior and
data entered into forms, and to convert Unix epoch timestamps into human-readable time. Using
queries when analyzing sqlite files lets the examiner expedite the analysis of specific
internet artifacts of interest without sacrificing accuracy. By comparing and understanding
the capabilities of SQLiteman and SQLitebrowser, the examiner can decide how best to apply
each tool when analyzing sqlite data files. With the findings from internet artifact analysis,
the examiner can build a detailed timeline of the events and actions performed by a specific
user.
