One forensic tool that can be used to analyze this type of data is EnCase Forensic, which is available commercially; another is SIFT, the freely downloadable open source digital forensics workstation from SANS.
Windows
- Shellbags [1]: registry keys used by Windows to maintain the size, position, icon, and view settings of folders browsed in Windows Explorer.
  - (Importance) Shellbags are of significant value to a forensic investigator because of the clues left behind, which can easily be recovered by parsing the keys; these include modifications to files, timestamps, and size.
- ShimCache [2]: a.k.a. the application compatibility cache.
  - (Importance) Among the many artifacts it leaves in the Registry are which files have been executed and when they were executed.
- LNK files [3]: shortcut files that act as direct links to an executable file.
  - (Importance) Artifacts left behind by LNK files give forensic investigators valuable clues, such as which programs were executed on a system, and carry the following evidentiary value:
    - Original path of the file.
    - Timestamps and MAC times of the linked file.
    - Serial number, NetBIOS name, MAC address, and volume name of where the linked file is stored.
    - Network details for linked files stored on network shares.
- EXIF metadata [4]: a.k.a. Exchangeable Image File Format, invisible information stored within a digital file such as a digital photo; special tools are required to access it.
  - (Importance) The evidential artifacts available from EXIF metadata can be rather extensive and include the following:
    - Date and time of the file.
    - Physical location where the file was created.
    - Dimensions of the data contained in the file, i.e. image resolution, width, height, pixel count, and compression type.
    - Fixed camera information such as make, model, lens type, CCD type, and serial numbers.
    - Description of the digital file, which typically requires some user input.
    - Keywords used to help catalog digital files, which typically require user input.
    - Copyright information as designated by the user.
    - Image manipulation data recorded by external software, which provides additional artifacts about the image manipulation software manufacturer.
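To make concrete what "invisible information that requires special tools" means, here is an added Python example (not code from the page or from the cited handbook) that builds a constructed JPEG carrying a minimal Exif/TIFF block, locates the APP1 segment the way an EXIF viewer does, and decodes a few IFD0 tags in both TIFF byte orders. The tag ids, marker values and structure layouts are the real TIFF/Exif ones; the camera make, model and timestamp are fabricated sample values.

```python
import struct

# A few IFD0 tag ids from the TIFF/Exif specification (real values).
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0112: "Orientation",
    0x0132: "DateTime",
}


def build_sample_tiff(byte_order=b"II"):
    """Constructed sample: a minimal TIFF/Exif block with a single IFD (IFD0).
    Fabricated test data, not the output of any real camera."""
    e = "<" if byte_order == b"II" else ">"
    # (tag, type, value) -- type 2 = ASCII, type 3 = SHORT
    entries = [
        (0x010F, 2, b"ExampleCam\x00"),
        (0x0110, 2, b"Model X\x00"),
        (0x0112, 3, 1),
        (0x0132, 2, b"2017:03:14 10:22:05\x00"),
    ]
    ifd_offset = 8
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    ifd = struct.pack(e + "H", len(entries))
    blob = b""
    for tag, typ, val in entries:
        if typ == 3:  # a SHORT fits in the 4-byte value field, left-justified
            ifd += struct.pack(e + "HHI", tag, typ, 1) + struct.pack(e + "H", val) + b"\x00\x00"
        else:         # ASCII longer than 4 bytes is stored in the data area after the IFD
            ifd += struct.pack(e + "HHII", tag, typ, len(val), data_start + len(blob))
            blob += val
    ifd += struct.pack(e + "I", 0)  # offset of next IFD: none
    return byte_order + struct.pack(e + "HI", 42, ifd_offset) + ifd + blob


def build_sample_jpeg(byte_order=b"II"):
    """Constructed sample: SOI, one APP1 'Exif' segment holding the TIFF block, EOI."""
    payload = b"Exif\x00\x00" + build_sample_tiff(byte_order)
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def extract_exif(jpeg):
    """Walk the JPEG marker segments; return the TIFF block inside APP1/Exif or None."""
    if not jpeg.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no further header segments
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length includes itself
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def parse_ifd0(tiff):
    """Decode the ASCII and single-SHORT tags of the first IFD as {tag name: value}."""
    if tiff[:2] == b"II":
        e = "<"
    elif tiff[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_offset = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(e + "H", tiff[ifd_offset:ifd_offset + 2])
    tags = {}
    for i in range(count):
        pos = ifd_offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(e + "HHI4s", tiff[pos:pos + 12])
        if typ == 2:  # ASCII: inline if it fits in 4 bytes, otherwise at an offset
            if n <= 4:
                data = raw[:n]
            else:
                (off,) = struct.unpack(e + "I", raw)
                data = tiff[off:off + n]
            value = data.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3 and n == 1:  # single SHORT, left-justified in the value field
            (value,) = struct.unpack(e + "H", raw[:2])
        else:
            continue  # LONG, RATIONAL and arrays are omitted in this example
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = value
    return tags


if __name__ == "__main__":
    for order in (b"II", b"MM"):
        print(order, parse_ifd0(extract_exif(build_sample_jpeg(order))))
```

Nothing in the JPEG's visible pixels changes between a photo with and without this segment, which is why the timestamp and make/model survive copying and casual viewing but disappear when an application re-encodes the image without copying APP1.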
- Data carving [5]: the process of extracting smaller data sets from larger data sets.
  - What are the different types of data carving?
    - Cluster-based file carving: new files start in new clusters, so file signatures are looked for at cluster boundaries.
    - Sector-based file carving: searches for file signatures aligned to sector boundaries, which allows the possible recovery of additional files from a previous volume whose cluster layout no longer aligns with the current cluster boundaries. (A time-intensive search method.)
    - Byte-based file carving: searches on a byte-by-byte level, which locates files whose signatures are aligned with neither a cluster nor a sector boundary.
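The three carving modes differ only in which offsets the carver is willing to accept a header at. The following added Python example (not code from the page or from the Forensic Explorer tool it cites) implements header-to-footer carving with a configurable alignment and runs it over a constructed 16 KiB "disk image" in which a PNG sits on a cluster boundary, one JPEG sits on a sector boundary left over from an older layout, and a second JPEG is embedded at an arbitrary byte offset. The sector size of 512 and cluster size of 4096 are assumptions chosen for the sample; the file signatures are the real ones.

```python
from dataclasses import dataclass

# Header / footer signatures for two common image formats (real magic values).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

SECTOR = 512     # assumed sector size for the sample image
CLUSTER = 4096   # assumed cluster size for the sample image


@dataclass
class CarvedFile:
    kind: str
    start: int    # byte offset of the header
    end: int      # byte offset just past the footer
    data: bytes


def carve(image, alignment=1, signatures=SIGNATURES):
    """Header-to-footer carving. alignment=1 is byte-based; alignment=SECTOR or
    alignment=CLUSTER accepts only headers that sit on that boundary."""
    found = []
    for kind, (header, footer) in signatures.items():
        offset = 0
        while True:
            start = image.find(header, offset)
            if start == -1:
                break
            if start % alignment != 0:
                offset = start + 1   # header present but off the boundary: this mode skips it
                continue
            end = image.find(footer, start + len(header))
            if end == -1:
                break                # truncated file with no footer: nothing to recover here
            end += len(footer)
            found.append(CarvedFile(kind, start, end, image[start:end]))
            offset = end
    return sorted(found, key=lambda f: f.start)


def build_sample_image():
    """Constructed 16 KiB image: zero filler with three small files placed at offsets
    that mimic different alignment histories. Fabricated test data."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 100 + b"\xff\xd9"
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"B" * 17
           + b"\x00\x00\x00\x00" + SIGNATURES["png"][1])
    image = bytearray(4 * CLUSTER)
    image[2 * CLUSTER:2 * CLUSTER + len(png)] = png    # 8192: on a current cluster boundary
    image[3 * SECTOR:3 * SECTOR + len(jpeg)] = jpeg    # 1536: sector-aligned, old cluster layout
    image[12345:12345 + len(jpeg)] = jpeg              # 12345: embedded, no alignment at all
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for name, align in (("cluster", CLUSTER), ("sector", SECTOR), ("byte", 1)):
        hits = [(f.kind, f.start, f.end) for f in carve(img, align)]
        print(f"{name:8s} alignment -> {hits}")
```

Cluster-based carving recovers only the PNG, sector-based carving also recovers the JPEG from the previous volume layout, and only byte-based carving (which tests every offset and is correspondingly slower) finds the embedded JPEG at offset 12345.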
- File hash [6]
  - What are the different types of file hashes, and why do they differ?
    - Dynamic hashing: data buckets ("units of storage") are added and removed dynamically on demand.
    - Static hashing: for a given search key value the hash function always returns the same address, because the number of data buckets never changes.
  - What is a hash collision? Is it possible?
    - Hash collisions are possible but do not happen very often. A hash collision occurs when a hash function produces the same output for two or more different inputs. It is similar in form to the "Birthday Paradox", in which some percentage of randomly chosen people will share a birthday; the same principle, when exploited deliberately by criminal hackers, is dubbed a "Birthday Attack".
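Two things the note above leaves implicit: how the birthday probability is computed, and why it is the output width of the hash that decides how rare collisions really are. The following added Python example (not code from the page or from the cited tutorial) computes the exact birthday probability, the rough number of random inputs after which a collision is expected for a hash of a given width, and then finds a collision in a deliberately truncated 16-bit SHA-256 to show why evidence hashes in forensic tools use full-length digests. The input strings are constructed.

```python
import hashlib
import math


def collision_probability(n, space):
    """Exact probability that at least two of n uniformly random values drawn from
    `space` possible values coincide (the birthday problem)."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def expected_trials_for_collision(bits):
    """Approximate number of random inputs needed before a collision becomes likely
    for a hash with `bits` output bits: about sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def truncated_sha256(data, n_bytes):
    """Keep only the first n_bytes of the digest: a deliberately weak hash for demonstration."""
    return hashlib.sha256(data).digest()[:n_bytes]


def find_truncated_collision(n_bytes, limit=1_000_000):
    """Deterministic search for two distinct constructed inputs whose SHA-256 digests
    agree in the first n_bytes. Returns (input_a, input_b, trials) or None."""
    seen = {}
    for i in range(limit):
        msg = b"evidence-%d" % i          # constructed input, not real evidence
        h = truncated_sha256(msg, n_bytes)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    print("23 people, 365 birthdays:", round(collision_probability(23, 365), 4))
    for bits in (16, 32, 64, 128, 256):
        print(f"{bits:3d}-bit hash: ~{expected_trials_for_collision(bits):.3e} inputs to expect a collision")
    a, b, trials = find_truncated_collision(2)
    print(f"16-bit collision after {trials} inputs: {a!r} and {b!r}")
    print("full SHA-256 still differs:", sha256_hex(a) != sha256_hex(b))
```

A 16-bit hash collides after a few hundred inputs; for SHA-256 the same formula gives on the order of 2^128 inputs, which is why a matching SHA-256 is accepted as evidence that two files are identical while short checksums are not.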
Linux
- bash history
  - What command can be used to view this?
    - history | less
  - How would you write this out to a text file?
    - history > /home/user/command_history.txt
  - Where is the root user's bash history stored?
    - In the root directory of /
Mac OS X
- plist files [7]: a.k.a. preference list files, which are valuable repositories of historical system and user-specific configuration information.
References:
[1] Ballenthin, W. (2017, March). Windows Shellbag Forensics. Retrieved March 14, 2017, from http://www.williballenthin.com/forensics/shellbags/
[2] Rocha, L. (2016, May 18). Digital Forensics – ShimCache Artifacts. Retrieved March 14, 2017, from https://countuponsecurity.com/2016/05/18/digital-forensics-shimcache-artifacts/
[3] McQuaid, J. (2014, August 6). Forensic Analysis of LNK files. Retrieved March 14, 2017, from https://www.magnetforensics.com/computer-forensics/forensic-analysis-of-lnk-files/
[4] Wilding, S. (2012, August 21). Catching Criminals with Exif Metadata from Digital Photos. Retrieved March 14, 2017, from http://www.forensichandbook.com/catching-criminals-with-digital-photos/
[5] Forensic Explorer. (2017, March). Forensic Explorer Data Carving. Retrieved March 14, 2017, from http://www.forensicexplorer.com/data-carve.php
[6] Tutorialspoint. (2017, March). DBMS – Hashing. Retrieved March 14, 2017, from https://www.tutorialspoint.com/dbms/dbms_hashing.htm
[7] BlackBag Training Team. (2012, July 23). Mac Forensics: Viewing, Understanding, Deconstructing, and Creating .plist Files – Part 1 of 3. Retrieved March 14, 2017, from https://www.blackbagtech.com/blog/2012/07/23/mac-forensics-viewing-understanding-deconstructing-and-creating-plist-files-part-1-of-3/