6 application analysis

Analysis on email

  1. Digital Forensics Lecture 6: Application Analysis
  2. Current, Relevant Topics
     • HP's private investigators fraudulently used the identities of the victims to get login credentials to access online telephone records without authorization.
     • Title 18 Section 1030(a)(4) – felony!
     • The investigation resulted in unauthorized use of AT&T's computer systems by third-party investigators to gain access to the phone records of seven board members, nine reporters, and two HP employees. While such techniques fall under the broad category of deception to gain information, or "pretexting," computer crime statutes clearly define the activity as unauthorized access, or "hacking." The investigators also tailed several directors and reporters and sent forged documents to one reporter that would phone home the Internet address of anyone to whom the reporter forwarded the document. (Robert Lemos, SecurityFocus, 2006-09-22)
  3. This Week's Presentations
     • Moses Schwartz: Email Analysis – Client and Web
     • Johnathan Ammons: Web Analysis
     • James Guess: IRC Analysis
  4. Next Week's Presentations
     • Kelcey Tietjen: Wireless Network Traffic
     • David Burton: Collection and Analysis of Network Traffic
     • David Burton: Network Devices: Routers, Switches, … (EC)
  5. Lecture Overview
     • Application Analysis Overview
     • E-mail
     • Web Browsers
     • Microsoft Word
     • Portable Document Format
     • Tools et cetera
     Process diagram: Legal/Policy → Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action
  6. Module 1: Application Analysis Overview
  7. Types of Hidden Application Data
     • Metadata – information about a file or its contents that software stores in the file
     • Hidden Data – content the author or editors add to files that may be hidden in some circumstances
     • Really Hidden Files – files you cannot find with Explorer at all and can only find with DOS if you know where to look
  8. Module 2: E-mail – What data may be found?
  9. What can be found?
     • Sender
     • Date / Time
     • Subject
     • Communication Path
     • Contents
  10. Client-based E-mail
     • MS Outlook PST
       – ReadPST (from SourceForge) will convert the PST into RFC-compliant UNIX mail
     • MS Outlook Express
       – readDBX (from SourceForge) will extract the contents of DBX files into RFC-compliant UNIX mail
     • UNIX E-mail
       – grep expression on the simple text file
  11. Client-based E-mail, cont.
     • Netscape Navigator
       – grep expression on the simple text file
     • AOL
       – proprietary format: PFC
       – E-mail Examiner, EnCase, FTK
       – FTK decodes the email archive, retrieves e-mail and other information such as favorites
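Once a PST or DBX has been converted to RFC-compliant UNIX mail, the five items from slide 9 can be pulled from each message with the standard library instead of hand-written grep expressions. This is an added example, not from the lecture; the message is constructed and the hosts and addresses in it are made up.

```python
import email
import email.utils
import re
from email import policy

# Constructed mbox message (not from the lecture): two Received hops, then the user headers
SAMPLE_MBOX = """\
From sender@example.org Mon Sep 18 10:05:00 2006
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby mail.example.com (Postfix) with ESMTP id 1A2B3C;
\tMon, 18 Sep 2006 10:05:00 -0600
Received: from laptop.example.org (unknown [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id 9Z8Y7X;
\tMon, 18 Sep 2006 10:04:58 -0600
From: "A. Sender" <sender@example.org>
To: victim@example.com
Subject: Re: board minutes
Date: Mon, 18 Sep 2006 10:04:55 -0600

Please see the attached.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_hops(msg):
    """(from, by) pairs in transit order. Each MTA prepends its own Received
    header, so the last header in the file is the first hop the message took."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def analyze_message(raw):
    """Pull the five items from slide 9 out of one RFC 2822 message in a UNIX mbox."""
    if raw.startswith("From "):               # drop the mbox separator line
        raw = raw[raw.find("\n") + 1:]
    msg = email.message_from_string(raw, policy=policy.default)
    _name, addr = email.utils.parseaddr(msg["From"])
    body = msg.get_body(preferencelist=("plain",))
    return {
        "sender": addr,
        "date": email.utils.parsedate_to_datetime(msg["Date"]),
        "subject": msg["Subject"],
        "path": received_hops(msg),
        "contents": body.get_content().strip() if body else "",
    }
```

The Date header is what the sender's client wrote and is easily forged; the timestamps inside the Received headers come from each relay and are the better record of when the message actually moved.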
  12. Web-based E-mail
     • Yahoo
       – recover e-mail from Internet cache – files that contain rendered HTML that was on screen
       – ShowFolder – lists subject lines, sender alias, message dates, and sizes
       – ShowLetter – opened e-mail
       – Compose – e-mail to which the user is replying, before any modification is done
       – search: input type=hidden name=Body value=
  13. Web-based E-mail, cont.
     • Hotmail – use the same tools to find information in files
       – Hotmail
       – doaddress
       – getmsg – the e-mail message
       – compose
       – calendar
       – search: /cgi-bin/dasp/E?N?/?hotmail_+#+.css
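The two slides above amount to a small triage routine: pick cache entries out by page name, then pull the hidden Body field out of a rendered Compose page. This is an added example, not from the lecture; the cache URLs and the HTML fragment are constructed.

```python
from html.parser import HTMLParser

# Page names from the slides that identify useful cache entries
YAHOO_PAGES = {"ShowFolder": "folder listing", "ShowLetter": "opened message",
               "Compose": "reply draft"}
HOTMAIL_PAGES = {"doaddress": "address book", "getmsg": "message",
                 "compose": "compose", "calendar": "calendar"}

# Constructed rendered Compose page as it might sit in the cache (hypothetical content)
SAMPLE_COMPOSE = (
    '<html><body><form action="Compose" method="post">'
    '<input type=hidden name="Body" value="&gt; Draft agenda attached, see page 3">'
    '<input type="hidden" name="Subj" value="Re: Thursday">'
    '<textarea name="Body"></textarea></form></body></html>'
)

class HiddenFieldExtractor(HTMLParser):
    """Collect every <input type=hidden name=... value=...> from rendered HTML;
    entity references in the value are decoded by HTMLParser."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def classify_cache_entry(url):
    """Label a cached URL by the Yahoo or Hotmail page name it was rendered from."""
    for page, label in YAHOO_PAGES.items():
        if page in url:
            return ("Yahoo", label)
    for page, label in HOTMAIL_PAGES.items():
        if page in url.lower():
            return ("Hotmail", label)
    return None

def quoted_original(html):
    """The message being replied to, as the Compose page carried it in the hidden Body field."""
    p = HiddenFieldExtractor()
    p.feed(html)
    p.close()
    return p.hidden.get("Body")
```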
  14. Module 3: Web Browsers – What metadata and hidden data may be found?
  15. Web Browsers
     • Internet Explorer
       – Cookies\index.dat – audit trail for installed cookies
       – Local Settings\History\History.IE5\index.dat – history for the last day IE was used
       – Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat – history rollup for older usage
       – Local Settings\Temporary Internet Files\Content.IE5\index.dat – audit trail for include files
       – UserData\index.dat – audit trail for automatic Windows accesses to the internet
     NOTE: files are under C:\Documents and Settings\<username>
     Pasco – converts the data into a tab-delimited format (Foundstone)
  16. Web Browsers
     • Internet Explorer – Cookies
       – Cookies\index.dat – audit trail for installed cookies
       – Fields of metadata
         • SITE – URL that the cookie came from
         • VARIABLE – name stored in cookie
         • VALUE – value stored
         • CREATION TIME – time of cookie creation
         • EXPIRE TIME – time of cookie expiration
         • FLAGS – flags set for the cookie
     galleta – converts the data into a tab-delimited format (Foundstone)
  17. Web Browsers
     • Mozilla / Firefox
       – MORK – Mozilla history format (Mork.pl utility)
       – Windows
         • Application Data\Mozilla\Profiles\<profile name>\history.dat
       – Linux
         • ~/.Mozilla/Profiles/<profile name>/history.dat
       – gives access time, # accesses, URL
       – tools can provide more information, e.g., NetAnalysis
  18. Web Browsers
     • Mozilla / Firefox – Cookies
       – cookies.txt in the profiles directory
       – human readable
         • web site of origin
         • variable name
         • value
         • etc.
  19. Web Browsers
     • Mozilla / Firefox – Cache browsing
       – make the cache read-only
       – fire up Mozilla
       – enter URL about:cache
  22. NoTrax – Secure Anonymous Stand Alone Tabbed Web Browser
     – Blowfish encryption of cache; erases the cache during and after each browser session using secure deletion methods
     – Erases cookies during and after each browser session using secure deletion methods
     – Erases the Windows swap file on shutdown
     – No log files created
  23. Module 4: Microsoft Word – What metadata and hidden data may be found?
  24. MS Word
     • metadata
       – Older versions
         • every file name saved under
         • run "strings -u" to get names
       – If document won't open, then metadata may have been modified
       – who edited document
       – file path
       – version of Word used
       – when created
       – GUID (MAC based) of machine used to create
     • hidden data
       – quick save data
         • look in binary editor
         • open and use undo
       – Word 97 – MAC address
         • PID_GUID
       – Excel spreadsheet
         • when you drag data you get the entire spreadsheet
         • change .doc to .xls and open
       – full images
         • when a frame is shrunken
         • when matches background color
     Beware of track changes
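Two items on the slide, "strings -u" for saved-under file names and the MAC address inside the PID_GUID, can be done in a few lines once you know that old Word stored strings as UTF-16LE and that the PID_GUID is a version-1 UUID whose node field is the MAC of the generating machine. This is an added example, not from the lecture; the byte blob, path and GUID are constructed stand-ins, not a real document.

```python
import re
import uuid

# Constructed stand-in for a slice of an old binary .doc (hypothetical path and GUID;
# a real file keeps _PID_GUID in its DocumentSummaryInformation stream)
def make_sample_doc():
    return b"".join([
        b"\x00" * 8,
        "C:\\Documents and Settings\\jdoe\\Desktop\\board_minutes.doc".encode("utf-16-le"),
        b"\xff\xfe\x00\x00",
        "_PID_GUID".encode("utf-16-le"), b"\x00\x00",
        "{9D3B1C2A-4F6E-11DB-9A56-000C29AB12CD}".encode("utf-16-le"),
        b"\x01\x02" * 4,
    ])

GUID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")

def unicode_strings(data, min_len=4):
    """What `strings -u` prints: runs of printable ASCII stored as UTF-16LE."""
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in run.finditer(data)]

def mac_from_guid(text):
    """Version-1 GUIDs (Word 97's PID_GUID among them) carry the generating
    machine's MAC address in the 48-bit node field; return it, else None."""
    for m in GUID_RE.finditer(text):
        u = uuid.UUID(m.group(1))
        if u.version == 1:
            return ":".join(f"{(u.node >> s) & 0xff:02x}" for s in range(40, -1, -8))
    return None

def word_metadata(data):
    """Saved-under file paths and the creating machine's MAC from the raw bytes."""
    strs = unicode_strings(data)
    return {
        "paths": [s for s in strs if re.match(r"[A-Za-z]:\\", s)],
        "mac": next((mac for mac in map(mac_from_guid, strs) if mac), None),
    }
```

A version-4 (random) GUID carries no MAC, so the function returns None for it; a MAC recovered this way still has to be matched against an inventory before it identifies a machine.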
  25. Module 5: Portable Document Format (PDF)
  26. PDF
     • metadata – under document properties
       – document title
       – author
       – subject
       – creation date
       – creation program
     • hidden data
       – text with background set to the same color as text
       – very large or small fonts
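The document-properties fields live in the PDF Info dictionary that the trailer's /Info entry points to, and the dates use PDF's own D:YYYYMMDDHHmmSSOHH'mm' format rather than RFC 2822. This added example (not from the lecture) reads them straight from the bytes; the PDF fragment is constructed and is not a real document.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed PDF fragment (not a real document): the Info object the trailer points to
SAMPLE_PDF = b"""%PDF-1.4
12 0 obj
<< /Title (Quarterly Report) /Author (J. Doe) /Subject (Board pack)
   /Creator (Microsoft Word) /Producer (Acrobat Distiller 7.0)
   /CreationDate (D:20060918140455-06'00') /ModDate (D:20060919091200Z) >>
endobj
trailer
<< /Root 1 0 R /Info 12 0 R >>
"""

INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer", "CreationDate", "ModDate")
PDF_DATE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+-])?(\d{2})?'?(\d{2})?")

def parse_pdf_date(s):
    """D:YYYYMMDDHHmmSSOHH'mm' -> aware datetime. Omitted fields take their
    defaults (month/day 1, time 0); 'Z' or no offset is treated as UTC here."""
    m = PDF_DATE.match(s)
    if not m:
        return None
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], (0, 1, 1, 0, 0, 0))]
    sign, oh, om = m.group(7), int(m.group(8) or 0), int(m.group(9) or 0)
    tz = timezone.utc
    if sign in ("+", "-"):
        tz = timezone(timedelta(hours=oh, minutes=om) * (1 if sign == "+" else -1))
    return datetime(*parts, tzinfo=tz)

def pdf_info(data):
    """Document-properties fields from the object named by the trailer's /Info entry."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"\n" + ref.group(1) + rb"\s+\d+\s+obj\s*<<(.*?)>>", data, re.S)
    if not obj:
        return {}
    body = obj.group(1).decode("latin-1")
    info = {}
    for key in INFO_KEYS:
        m = re.search(r"/%s\s*\(((?:[^()\\]|\\.)*)\)" % key, body)
        if m:
            info[key] = m.group(1)
    for key in ("CreationDate", "ModDate"):
        if key in info:
            info[key] = parse_pdf_date(info[key])
    return info
```

Incrementally updated PDFs can carry several trailers and Info objects; this reads only the first /Info reference, and the Creator/Producer pair is what tells you which program made the file.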
  27. Module 6: Tools, et cetera
  28. Tools & Claims
     • SecretExplorer – locate web form autocomplete data for IE, passwords for websites, Outlook account and identity passwords, dial-up passwords
     • Document Inspector – search for hidden content: comments, revisions, versions, annotations, document properties, personal information, XML data, headers, footers, watermarks, hidden text
  29. Tools & Claims, cont.
     • Document Detective – search for and remove hidden data: color-on-color text, thumbnails, bookmarks, very large or small images, very large or small fonts in MS Word, Excel, and PowerPoint
     • snipurl.com/3osw – delete hidden text and comments
     • rdhtool – Office 2003 tool to strip all metadata
  30. File Formats
     • How do we find file format information for (proprietary) files?
       – Wotsit: http://www.wotsit.org/search.asp
  31. Module 7: IRC
  32. IRC (Internet Relay Chat)
     • Many platforms
       – Amiga, Atari, BeOS, Java, Unix, Windows, PalmOS, OS/2, Mozilla, etc.
       – Over 150 different client programs
     • mIRC advertised for Windows
     • Network application
     • IRC Proxies
  33. IRC
     • Channels – Listed or Unlisted
     • DCC – Direct Client Connection
       – Private communications
       – File exchanges
       – Bypasses IRC server
     • Little evidence on server
  34. IRC
     • Log files
       – Usually user configured
       – Browser cache can contain info
     • Identify IRC clients
     • Network information
       – Routes, connections
       – Port 6667 (default, can be anything)
     • Tools
       – msgsnarf
       – Knoppix
       – DataGrab – LE, now obsolete
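Because the port can be anything and DCC transfers never touch the server, an analyst working from captured traffic has to recognise IRC by its commands and decode the DCC offer itself, which carries the peer's IPv4 address as a 32-bit decimal integer. This is an added example, not from the lecture; the payload lines are constructed, not a real capture.

```python
import re
from ipaddress import IPv4Address

# Constructed TCP payload lines, as a sniffer such as msgsnarf would surface them (not real data)
SAMPLE_STREAM = [
    "NICK analyst42",
    "USER analyst42 0 * :Analyst",
    "JOIN #offsite",
    "PRIVMSG #offsite :anyone around?",
    "PRIVMSG analyst42 :\x01DCC SEND minutes.zip 3232235876 5001 48211\x01",
    "PRIVMSG analyst42 :\x01DCC CHAT chat 3232235876 5002\x01",
]

IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "PING", "PONG",
                "MODE", "PART", "QUIT"}

def looks_like_irc(lines, min_hits=2):
    """Port-independent check: count payload lines that open with an IRC command."""
    hits = sum(1 for line in lines if line.split(" ", 1)[0].upper() in IRC_COMMANDS)
    return hits >= min_hits

# CTCP DCC offer: \x01DCC SEND <file> <ip as 32-bit int> <port> [size]\x01
DCC_RE = re.compile(r"\x01DCC (SEND|CHAT) (\S+) (\d+) (\d+)(?: (\d+))?\x01")

def dcc_offers(lines):
    """Decode DCC SEND/CHAT offers: the direct endpoint the parties used around the server."""
    offers = []
    for line in lines:
        m = DCC_RE.search(line)
        if not m:
            continue
        kind, arg, ip_int, port, size = m.groups()
        offers.append({
            "type": kind,
            "file": arg if kind == "SEND" else None,
            "peer": f"{IPv4Address(int(ip_int))}:{port}",
            "size": int(size) if size else None,
        })
    return offers
```

The decoded peer address and port are what to look for next in flow records or firewall logs, since that direct connection is the only network trace the file exchange leaves.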
  35. Questions? After all, you are an investigator
