This document appears to be a lecture on digital forensics topics related to application analysis. It discusses analyzing email, web browsers, Microsoft Word documents, PDFs and IRC communications for metadata and hidden data. Specific tools are mentioned for extracting information from email clients, browser caches and history, cookies, Word documents, and IRC logs. The document also outlines various types of hidden application data and what can potentially be discovered from analyzing applications and files.

1. 0011 0010 1010 1101 0001 0100 1011
Digital Forensics
Lecture 6
Application Analysis

2. 0011 0010 1010 1101 0001 0100 1011
Current, Relevant Topics
• HP’s private investigators fraudulently used the identities of
the victims to get login credentials to access online telephone
records without authorization.
• Title 18 Section 1030(a)(4) – felony!
• The investigation resulted in unauthorized use of AT&T's
computer systems by third-party investigators to gain access to
the phone records of seven board members, nine reporters, and
two HP employees. While such techniques fall under the broad
category of deception to gain information, or "pretexting,"
computer crime statutes clearly define the activity as
unauthorized access, or "hacking." The investigators also
tailed several directors and reporters and sent forged
documents to one reporter that would phone home the Internet
address of anyone to whom the reporter forwarded the
document.
Robert Lemos, SecurityFocus 2006-09-22

3. 0011 0010 1010 1101 0001 0100 1011
This Week’s Presentations
• Moses Schwartz: Email Analysis -
Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis

4. 0011 0010 1010 1101 0001 0100 1011
Next Week’s Presentations
• Kelcey Tietjen: Wireless Network Traffic
• David Burton: Collection and Analysis of
Network Traffic
• David Burton: Network Devices: Routers,
Switches, … (EC)

5. 0011 0010 1010 1101 0001 0100 1011
Lecture Overview
• Application Analysis Overview
• E-mail
• Web Browsers
• Microsoft Word
• Portable Document Format
• Tools et cetera
Legal/Policy
Preparation Collection Analysis
Findings/
Evidence
Reporting/
Action

6. 0011 0010 1010 1101 0001 0100 1011
Module 1
Application Analysis Overview

7. 0011 0010 1010 1101 0001 0100 1011
Types of Hidden Application Data
• Metadata
– information about a file or its contents that
software stores in the file
• Hidden Data
– content the author or editors add to files that may
be hidden in some circumstances
• Really Hidden Files
– files you can not find with Explorer at all and can
only find with DOS if you know where to look

8. 0011 0010 1010 1101 0001 0100 1011
Module 2
E-mail
What data may be found?

9. 0011 0010 1010 1101 0001 0100 1011
What can be found?
• Sender
• Date / Time
• Subject
• Communication Path
• Contents

10. 0011 0010 1010 1101 0001 0100 1011
Client-based E-mail
• MS Outlook PST
– ReadPST ↑ will convert the PST into RFC-
compliant UNIX mail
• MS Outlook Express
– readDBX ↑ will extract the contest of a DBX
files into RFC-compliant UNIX mail
• UNIX E-mail
– grep expression on the simple text file
↑from SourceForge

11. 0011 0010 1010 1101 0001 0100 1011• Netscape Navigator
– grep expression on the simple text file
• AOL
– proprietary format: PFC
– E-mail Examiner, EnCase, FTK
– FTK decodes email archive, retrieves e-mail
and other information such as favorites
Client-based E-mail

12. 0011 0010 1010 1101 0001 0100 1011• Yahoo
– recover e-mail from Internet cache
– files that contain rendered html that was on screen
• ShowFolder – lists subject lines, sender alias, message
dates, and sizes
• ShowLetter – opened e-mail
• Compose – e-mail to which the user is replying before
an modification is done
– search
• input type=hidden name=Body value=
Web-based E-mail

13. 0011 0010 1010 1101 0001 0100 1011• Hotmail
– use the same tools to find information in files
• Hotmail
• doaddress
• getmsg – the e-mail message
• compose
• calendar
– search
• /cgi-bin/dasp/E?N?/?hotmail_+#+.css
Web-based E-mail

14. 0011 0010 1010 1101 0001 0100 1011
Module 3
Web Browsers
What metadata and hidden data may be found?

15. 0011 0010 1010 1101 0001 0100 1011
• Internet Explorer
– Cookiesindex.dat – audit trail for installed cookies
– Local SettingsHistoryHistory.IE5index.dat –
history for the last day IE was used
– Local
SettingsHistoryHistory.IE5MSHistXXXXXXX
XXXXindex.dat – history rollup for older usage
– Local SettingsTemporary Internet Files
Content.IE5index.dat – audit trail for include files
– UserDataindex.dat – audit trail for automatic
Windows accesses to the internet
Web Browsers
Pasco – converts the data into a tab-delimited format (Foundstone)
NOTE: Files in C:Documents and Settings<username>

16. 0011 0010 1010 1101 0001 0100 1011
• Internet Explorer - Cookies
– Cookiesindex.dat – audit trail for installed cookies
– Fields of metadata
• SITE – URL that the cookie came from
• VARIABLE – name stored in cookie
• VALUE – value stored
• CREATION TIME – time of cookie creation
• EXPIRE TIME – time of cookie expiration
• FLAGS – flags set for the cookie
Web Browsers
galleta – converts the data into a tab-delimited format (Foundstone)

17. 0011 0010 1010 1101 0001 0100 1011• Mozilla / Firefox
– MORK – Mozilla history format (Mork.pl utility)
– Windows
• Application DataMozillaProfiles<profile
name>history.dat
– Linux
• ~/.Mozilla/Profiles/<profile name>/history.dat
– gives access time, # accesses, URL
– tools can provide more information, e.g.,
NetAnalysis
Web Browsers

18. 0011 0010 1010 1101 0001 0100 1011• Mozilla / Firefox - Cookies
– cookies.txt in the profiles directory
– human readable
• web site of origin
• variable name
• value
• etc.
Web Browsers

19. 0011 0010 1010 1101 0001 0100 1011• Mozilla / Firefox – Cache browsing
– make the cache read-only
– fire up Mozilla
– enter URL about:cache
Web Browsers

20. 0011 0010 1010 1101 0001 0100 1011

21. 0011 0010 1010 1101 0001 0100 1011

22. 0011 0010 1010 1101 0001 0100 1011• NoTrax
– Secure Anonymous Stand Alone Tabbed Web
Browser.
– Blowfish encryption of cache & erases the cache
during and after each browser session using secure
deletion methods.
– Erases Cookies during and after each browser
session using secure deletion methods.
– Erases the Windows Swap file on shutdown.
– No log files created.
Web-based E-mail

23. 0011 0010 1010 1101 0001 0100 1011
Module 4
Microsoft Word
What metadata and hidden data may be found?

24. 0011 0010 1010 1101 0001 0100 1011
MS Word
• metadata
– Older versions
• every file name saved under
• run “strings –u” to get names
– If document won’t open,
then metadata may have
been modified
– who edited document
– file path
– version of Word used
– when created
– GUID (MAC based) of
machine used to create
• hidden data
– quick save data
• look in binary editor
• open and use undo
– Word 97 – MAC address
• PID_GUID
– Excel spreadsheet
• when you drag data you get
the entire spreadsheet
• change .doc to .xls and open
– full images
• when a frame is shrunken
• when matches background
color
Beware of track changes

25. 0011 0010 1010 1101 0001 0100 1011
Module 5
Portable Document Format (PDF)

26. 0011 0010 1010 1101 0001 0100 1011
PDF
• metadata
– under document properties
– document title
– author
– subject
– creation date
– creation program
• hidden data
– text with background set to
the same color as text
– very large or small fonts

27. 0011 0010 1010 1101 0001 0100 1011
Module 6
Tools, et cetera

28. 0011 0010 1010 1101 0001 0100 1011
Tools & Claims
• SecretExplorer
– locate web form autocomplete data for IE,
passwords for websites, Outlook account and
identity passwords, dial-up passwords
• Document Inspector
– search for hidden content: comments, revisions,
versions, annotations, document properties,
personal information, XML data, headers,
footers, watermarks, hidden text

29. 0011 0010 1010 1101 0001 0100 1011
Tools & Claims, cont.
• Document Detective
– search for and remove hidden data: color on
color text, thumbnails, bookmarks, very large
or small images, very large or small fonts in
MS Word, Excel, and PowerPoint
• snipurl.com/3osw
– delete hidden text and comments
• rdhtool
– Office 2003 tool to strip all metadata

30. 0011 0010 1010 1101 0001 0100 1011
File Formats
• How do we find file format information for
(proprietary) files?
– Wotsit
• http://www.wotsit.org/search.asp

31. 0011 0010 1010 1101 0001 0100 1011
Module 7
IRC

32. 0011 0010 1010 1101 0001 0100 1011
IRC (Internet Relay Chat)
• Many platforms
– Amiga, Atari, BeOS, Java, Unix, Windows,
PalmOS, OS/2, Mozilla, etc…
– Over 150 different client programs
• mIRC advertised for Windows
• Network application
• IRC Proxies

33. 0011 0010 1010 1101 0001 0100 1011
IRC
• Channels
– Listed or Unlisted
• DCC – direct client connection
– Private communications
– File exchanges
– Bypasses IRC server
• Little evidence on server

34. 0011 0010 1010 1101 0001 0100 1011
IRC
• Log files
– Usually user configured
– Browser cache can contain info
• Identify IRC clients
• Network information
– Routes, connections
– Port 6667 (default, can be anything)
• Tools
– msgsnarf – Knoppix
– DataGrab – LE, now obsolete

35. 0011 0010 1010 1101 0001 0100 1011
Questions?
After all, you are an investigator